@hackhowtofaq
Created December 7, 2015 11:44
How to configure NGINX with LetsEncrypt using the simp_le client


This includes the nginx configs as well as the auto-renewal steps. I took a bunch of these steps from this blog and adapted them to how I like.

simp_le issues three return codes depending on the status of the request.

  • 0 if certificate data was created or updated;
  • 1 if renewal not necessary;
  • 2 in case of errors.

This means commands can be chained like so: simp_le ... && service nginx reload; the nginx reload will only happen if simp_le returns 0. Note that && treats 1 (nothing to do) and 2 (error) the same way, so a failed renewal stays silent unless you inspect the exit status separately.

##make the nginx snippet

This allows simp_le to validate your domain over HTTP (the ACME http-01 challenge files are served from the webroot given to simp_le). It could easily be put in a vhost directly, but including the snippet is cleaner. printf is used instead of echo because echo only interprets \n in some shells (dash does, bash does not by default), and a literal "\n" would make the snippet invalid. Keep in mind that /tmp is world-writable; on a host with other local users, point both the snippet and the simp_le -d argument at a root-owned directory such as /var/www/letsencrypt instead.

sudo mkdir -p /etc/nginx/snippets;
sudo sh -c 'printf "location /.well-known/acme-challenge {\n  alias /tmp/letsencrypt/.well-known/acme-challenge;\n}\n" > /etc/nginx/snippets/letsencrypt.conf';

-- ##include this in each of your vhosts

Put this inside the server block that listens on port 80, just before the closing brace, so the challenge path is reachable over plain HTTP:

include /etc/nginx/snippets/letsencrypt.conf;

-- ##edit your nginx config to look like this

Replace ${DOMAIN} with the domain you will request below. These directives go in the server block that has listen 443 ssl. Since nginx only reads its config when it starts or reloads, we can add them before the certificate exists and then create the certificate and reload nginx in one command below. Just don't reload or restart nginx (or run nginx -t) before simp_le has written the files, because the missing certificate makes the config invalid until then.

ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/nginx/ssl/${DOMAIN}/cert.pem;
ssl_certificate_key /etc/nginx/ssl/${DOMAIN}/key.pem;
ssl_trusted_certificate /etc/nginx/ssl/${DOMAIN}/fullchain.pem;

-- ##install simp_le client

sudo git clone https://github.com/kuba/simp_le /opt/simp_le
cd /opt/simp_le
sudo ./bootstrap.sh
sudo ./venv.sh
sudo ln -s $(pwd)/venv/bin/simp_le /usr/local/sbin/simp_le

-- ##request a certificate for a new domain

simp_le writes the -f files into the current directory, which is why we cd into the per-domain directory first. nginx is only reloaded if simp_le exits 0; the key and certificates are then made readable by root only.

DOMAIN=mydomain.com;
sudo mkdir -p /etc/nginx/ssl/${DOMAIN};
sudo chmod 700 /etc/nginx/ssl/${DOMAIN};
cd /etc/nginx/ssl/${DOMAIN};
sudo simp_le -d ${DOMAIN}:/tmp/letsencrypt -f key.pem -f cert.pem -f fullchain.pem && sudo service nginx reload;
sudo chmod -R 400 /etc/nginx/ssl/${DOMAIN}/*;

-- ##create the renewal script in /usr/local/sbin/certrenew

sudo touch /usr/local/sbin/certrenew;
sudo vim /usr/local/sbin/certrenew;

script contents:

#!/bin/bash
# Renew the certificate for every domain given on the command line.
DOMAINS=( "$@" )

for i in "${DOMAINS[@]}"
do
  echo "Checking Domain ${i}."
  cd "/etc/nginx/ssl/${i}" || { echo "no such directory /etc/nginx/ssl/${i}" >&2; continue; }
  # simp_le rewrites the -f files in place, so they must be writable while it runs
  chmod -R 600 "/etc/nginx/ssl/${i}"/*;
  simp_le -d "${i}:/tmp/letsencrypt" -f key.pem -f cert.pem -f fullchain.pem && service nginx reload;
  # back to read-only for root, whatever simp_le returned (0, 1 or 2)
  chmod -R 400 "/etc/nginx/ssl/${i}"/*;
done

Make the script read-and-execute for root only. This protects against accidental edits and stops other users from reading or running it; it does not stop root (or an attacker with root) from changing the mode back.

sudo chmod 500 /usr/local/sbin/certrenew;

-- ##insert the crontab to check nightly at 1am

The script looks up simp_le and service by name, and cron's default PATH does not include /usr/local/sbin where the simp_le symlink lives, so set PATH explicitly. Pass the domains to renew as arguments (the script does nothing when called with none). Drop the "|| true": the script's exit status is that of its last chmod, so it only ever hides a real failure and never suppresses anything useful.

sudo crontab -e
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
00 1 * * * /usr/local/sbin/certrenew mydomain.com
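The renewal script above chains simp_le with &&, so exit 1 (renewal not necessary) and exit 2 (error) look the same and a broken renewal goes unnoticed until the certificate expires. The following is an added example, not code from the gist or from the simp_le project, of a renewal loop that acts on each of the three exit codes described earlier and exits non-zero when any domain failed, so cron mails root about it. It keeps the directory layout used in this gist; the CERT_ROOT, WEBROOT, SIMP_LE and RELOAD_CMD environment overrides are assumptions introduced here so the logic can be exercised without a real ACME client.

```bash
#!/bin/bash
# Added example: renewal loop that distinguishes simp_le exit codes.
# Exit-code convention (from simp_le): 0 = created/updated, 1 = not necessary, 2 = error.
# The four variables below are assumptions of this example, not simp_le options;
# they default to the paths and commands used elsewhere in this gist.
CERT_ROOT="${CERT_ROOT:-/etc/nginx/ssl}"
WEBROOT="${WEBROOT:-/tmp/letsencrypt}"
SIMP_LE="${SIMP_LE:-simp_le}"
RELOAD_CMD="${RELOAD_CMD:-service nginx reload}"

# Map a simp_le exit status to an action word on stdout.
# Returns 0 for "reload" and "noop", 1 for "error" (including unexpected codes).
simp_le_action() {
  case "$1" in
    0) echo reload; return 0 ;;
    1) echo noop;   return 0 ;;
    *) echo error;  return 1 ;;
  esac
}

# Renew one domain. Returns 0 when the cert was renewed or is still valid,
# non-zero when simp_le failed or the cert directory is missing.
renew_domain() {
  local domain="$1"
  local dir="${CERT_ROOT}/${domain}"
  [ -d "$dir" ] || { echo "${domain}: missing ${dir}" >&2; return 1; }
  cd "$dir" || return 1

  # simp_le rewrites the -f files in place, so they must be writable while it runs.
  chmod -R u+w "$dir"
  local status=0
  "$SIMP_LE" -d "${domain}:${WEBROOT}" -f key.pem -f cert.pem -f fullchain.pem || status=$?
  # Lock the key material down again regardless of the outcome.
  find "$dir" -type f -exec chmod 400 {} +

  case "$(simp_le_action "$status")" in
    reload)
      echo "${domain}: certificate created or updated, reloading nginx"
      # Intentionally unquoted so "service nginx reload" splits into words.
      $RELOAD_CMD
      ;;
    noop)
      echo "${domain}: renewal not necessary"
      ;;
    error)
      echo "${domain}: simp_le failed with exit status ${status}" >&2
      return 1
      ;;
  esac
}

# Renew every domain given; the exit status is the number of failed domains,
# so a non-zero result from cron means at least one renewal needs attention.
renew_all() {
  local failed=0 d
  for d in "$@"; do
    renew_domain "$d" || failed=$((failed + 1))
  done
  return "$failed"
}

if [ $# -gt 0 ]; then
  renew_all "$@"
else
  echo "usage: $0 domain [domain ...]" >&2
fi
```

Install it the same way as certrenew above (root-owned, mode 500) and call it from cron with the domains as arguments; because it returns the number of failures, cron's mail to root only carries an error message when something actually went wrong rather than on every nightly "renewal not necessary" run.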