Migration from commercial SSL certificate to LetsEncrypt
- Thread starter Mouth
- Start date
-
- Tags
- certificate https letsencrypt ssl
I'm using two sites on LetsEncrypt and it's working flawlessly. Once my other sites using paid for SSL's expire i'll be moving them over.
I'm using Plesk, and LetsEncrypt have a free addon that installs the certificate and renews it automagically each month without annoying you. I think they have extensions for other control panels.
The initial install of the SSL was just a simple click of a button, much easier than paid for SSL's!
I'm using Plesk, and LetsEncrypt have a free addon that installs the certificate and renews it automagically each month without annoying you. I think they have extensions for other control panels.
The initial install of the SSL was just a simple click of a button, much easier than paid for SSL's!
lots of letsencrypt ssl testing certs for my Centmin Mod LEMP stack auto letsencrypt ssl integration via acmetool.sh addon 
but only one live site for now https://mysqlmymon.com - nginx http/2 based HTTPS + letsencrypt ssl cert all auto generated via acmetool.sh addon
but only one live site for now https://mysqlmymon.com - nginx http/2 based HTTPS + letsencrypt ssl cert all auto generated via acmetool.sh addon
Code:
./acmetool.sh acme-menu
--------------------------------------------------------
SSL Management
--------------------------------------------------------
1). acemtool.sh install
2). acmetool.sh update
3). acmetool.sh setup
4). Issue SSL Management
5). Renew SSL Management
6). Reissue SSL Management
7). Renew All Staging /Test Certs
8). Renew ALL Live Certs
9). Renew All Live Certs HTTPS Default
10). Exit
--------------------------------------------------------
Enter option [ 1 - 10 ]
--------------------------------------------------------
I have several dozen sites online using LetsEncrypt, including many which were previously using commercial SSL certs. That also includes all of my XenForo forums - each running happily behind a LE cert.
Once I got the config correct, I simply swapped over to the new LE certs and it was seamless.
I'm running Nginx with HTTP/2
One hint: don't forget to set up SAN for both naked and www versions of your domain so you can redirect using HTTPS if required.
Once I got the config correct, I simply swapped over to the new LE certs and it was seamless.
I'm running Nginx with HTTP/2
One hint: don't forget to set up SAN for both naked and www versions of your domain so you can redirect using HTTPS if required.
Yes, certbot.
I don't yet have it set up to auto-reload config, so I have to remember to restart nginx every couple of months to reload the SSL config. I could set up a cron job for that I guess.
My domain cert setup script (~/tools/letsencrypt.sh):
... I use this in conjunction with the nginx config below (a basic web server for the domain must be operating on port 80 using the letsencrypt snippet below).
My weekly cron task (/etc/cron.weekly/certbot-auto):
My SSL snippet (/etc/nginx/snippets/ssl.conf):
My LetsEncrypt snippet (/etc/nginx/snippets/letsencrypt.conf):
My certs include (/etc/nginx/ssl/mydomain.com.conf):
... I would have run the following command to generate the above pem files: $ ~/tools/letsencrypt.sh mydomain.com,www.mydomain.com
Here is a real nginx config from one of my sites (/etc/nginx/conf.d/somersoft.conf):
... where (/etc/nginx/ssl/somersoft.com.conf) contains:
... and the pem files at that location were generated using the following command:
... just for completeness, here is the contents of the xenforo snippet mentioned in the nginx config (/etc/nginx/snippets/xenforo.conf):
I don't yet have it set up to auto-reload config, so I have to remember to restart nginx every couple of months to reload the SSL config. I could set up a cron job for that I guess.
My domain cert setup script (~/tools/letsencrypt.sh):
Code:
#!/bin/bash
if [ ! -n "$1" ]; then
echo "letsencrypt requires a fully qualified domain name (eg. example.com or example.com,www.example.com)"
exit 1;
fi
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ -d $1 --email simon@example.com... I use this in conjunction with the nginx config below (a basic web server for the domain must be operating on port 80 using the letsencrypt snippet below).
My weekly cron task (/etc/cron.weekly/certbot-auto):
Code:
#!/bin/sh
# run letsencrypt certbot weekly to renew expiring certificates
/opt/certbot/certbot-auto renew --non-interactive --webroot --agree-tos -w /srv/www/letsencrypt/ --email simon@example.comMy SSL snippet (/etc/nginx/snippets/ssl.conf):
Code:
listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000" always;My LetsEncrypt snippet (/etc/nginx/snippets/letsencrypt.conf):
Code:
location ~ /.well-known {
root /srv/www/letsencrypt;
allow all;
try_files $uri $uri/ =404;
}My certs include (/etc/nginx/ssl/mydomain.com.conf):
Code:
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;... I would have run the following command to generate the above pem files: $ ~/tools/letsencrypt.sh mydomain.com,www.mydomain.com
Here is a real nginx config from one of my sites (/etc/nginx/conf.d/somersoft.conf):
Code:
# main server: https://www.somersoft.com
# comment out this entire server block when installing cert for the first time
# certbot can use port 80 but SSL cert won't exist yet, so can't use 443
server {
server_name www.somersoft.com;
access_log /var/log/nginx/somersoft.com/somersoft.access.log;
error_log /var/log/nginx/somersoft.com/somersoft.error.log;
root /srv/www/somersoft.com;
include snippets/ssl.conf; # HTTPS IPv4 (SNI)
listen [2400:8901:e001:3d::103]:443 ssl http2; # HTTPS IPv6
include ssl/somersoft.com.conf;
include snippets/letsencrypt.conf;
include snippets/xenforo.conf;
}
# redirect naked domain https://somersoft.com => https://www.somersoft.com
# comment out this server block when installing cert for the first time
# certbot will use port 80 but SSL cert won't exist yet, so can't use 443
server {
server_name somersoft.com;
access_log /var/log/nginx/somersoft.com/somersoft-redirect.access.log;
error_log /var/log/nginx/somersoft.com/somersoft-redirect.error.log;
include snippets/ssl.conf; # HTTPS IPv4 (SNI)
listen [2400:8901:e001:3d::103]:443 ssl http2; # HTTPS IPv6
include ssl/somersoft.com.conf;
include snippets/letsencrypt.conf;
return 301 https://www.somersoft.com$request_uri;
}
# redirect naked and www domains from http to https ...
# http://somersoft.com => https://www.somersoft.com
# http://www.somersoft.com => https://www.somersoft.com
# when installing SSL certs for the first time, letssencrypt will actually use this server block to connect on port 80!
server {
server_name www.somersoft.com somersoft.com;
access_log /var/log/nginx/somersoft.com/somersoft-redirect.access.log;
error_log /var/log/nginx/somersoft.com/somersoft-redirect.error.log;
listen 80;
listen [2400:8901:e001:3d::103]:80; # IPv6
include snippets/letsencrypt.conf;
return 301 https://www.somersoft.com$request_uri;
}... where (/etc/nginx/ssl/somersoft.com.conf) contains:
Code:
ssl_certificate /etc/letsencrypt/live/somersoft.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/somersoft.com/privkey.pem;... and the pem files at that location were generated using the following command:
Code:
$ ~/tools/letsencrypt.sh somersoft.com,www.somersoft.com... just for completeness, here is the contents of the xenforo snippet mentioned in the nginx config (/etc/nginx/snippets/xenforo.conf):
Code:
location / {
try_files $uri $uri/ /index.php?$uri&$args;
}
location /internal_data/ {
internal;
}
location /library/ {
internal;
}
include snippets/fastcgi.conf;
Last edited:
