Certbot: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (9 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04 | https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04 | ||
<code>certbot</code> connects to Let's Encrypt to obtain an SSL certificate for your server. | |||
* Install packages | * Install packages | ||
| Line 12: | Line 12: | ||
</pre> | </pre> | ||
* Create the file <code>/etc/nginx/snippets/ssl-certbot | * Create the file <code>/etc/nginx/snippets/ssl-certbot.conf</code>: | ||
<pre> | <pre> | ||
# support for certbot ssl auto-renewal | # support for certbot ssl auto-renewal | ||
| Line 21: | Line 21: | ||
</pre> | </pre> | ||
* | * Create the well-known directory for verification: | ||
<pre> | <pre> | ||
mkdir -p /var/www/html/.well-known | |||
</pre> | </pre> | ||
* | * Include the following line in the config for each domain: | ||
<pre> | |||
include snippets/ssl-certbot.conf; | |||
</pre> | |||
* Test with <code>nginx -t</code> | |||
* Reload nginx | |||
* Now run a command like this: | * Now run a command like this: | ||
<pre> | <pre> | ||
certbot certonly --webroot --webroot-path=/var/www/html | certbot certonly --webroot --webroot-path=/var/www/html -d domain1.example.com | ||
-d example.com | </pre> | ||
You should get some output about where the ssl cert and key are located. | |||
* Add new ssl config snippet like this at <code>/etc/nginx/snippets/example.com</code>: | |||
<pre> | |||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | |||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | |||
</pre> | </pre> | ||
* Test with this: | * Call this snippet from your nginx config: | ||
<pre> | |||
include snippets/example.com | |||
</pre> | |||
* Test at SSL Labs: https://www.ssllabs.com/ssltest/ | |||
* More SSL config advice here: https://mozilla.github.io/server-side-tls/ssl-config-generator/ | |||
* Test automated certificate renewal with this: | |||
<pre> | <pre> | ||
sudo certbot renew --dry-run | sudo certbot renew --dry-run | ||
</pre> | </pre> | ||
== Wisdom == | |||
* If the site is currently working with <code>http</code>, just add the certbot snippet to the '''existing''' config and run the certbot command to create the SSL cert/chain first. THEN redo the entire config as SSL. | |||
== Troubleshooting == | |||
If things get messed up, delete the offending certificate with the <code>certbot delete</code> command and choose the offending URL from the list. Then start over. '''DO NOT''' attempt to fix things manually. You'll just end up with a bigger mess. | |||
Latest revision as of 16:22, 7 January 2021
certbot connects to Let's Encrypt to obtain an SSL certificate for your server.
- Install packages
sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-nginx
- Create the file
/etc/nginx/snippets/ssl-certbot.conf:
# support for certbot ssl auto-renewal
location ^~ /.well-known/ {
default_type "text/plain";
root /var/www/html/;
}
- Create the well-known directory for verification:
mkdir -p /var/www/html/.well-known
- Include the following line in the config for each domain:
include snippets/ssl-certbot.conf;
- Test with
nginx -t
- Reload nginx
- Now run a command like this:
certbot certonly --webroot --webroot-path=/var/www/html -d domain1.example.com
You should get some output about where the ssl cert and key are located.
- Add new ssl config snippet like this at
/etc/nginx/snippets/example.com:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
- Call this snippet from your nginx config:
include snippets/example.com
- Test at SSL Labs: https://www.ssllabs.com/ssltest/
- More SSL config advice here: https://mozilla.github.io/server-side-tls/ssl-config-generator/
- Test automated certificate renewal with this:
sudo certbot renew --dry-run
Wisdom
- If the site is currently working with
http, just add the certbot snippet to the existing config and run the certbot command to create the SSL cert/chain first. THEN redo the entire config as SSL.
Troubleshooting
If things get messed up, delete the offending certificate with the certbot delete command and choose the offending URL from the list. Then start over. DO NOT attempt to fix things manually. You'll just end up with a bigger mess.