Certbot: Difference between revisions

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

certbot connects to Let's Encrypt to obtain an SSL certificate for your server.

• Install packages

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

• Create the file /etc/nginx/snippets/ssl-certbot.conf:

# support for certbot ssl auto-renewal
location ^~ /.well-known/ {
    default_type "text/plain";
    root /var/www/html/;
}

• Create the well-known directory for verification:

mkdir -p /var/www/html/.well-known

• Include the following line in the config for each domain:

include snippets/ssl-certbot.conf;

• Test with nginx -t

• Reload nginx

• Now run a command like this:

certbot certonly --webroot --webroot-path=/var/www/html -d domain1.example.com

You should get some output about where the ssl cert and key are located.

• Add new ssl config snippet like this at /etc/nginx/snippets/example.com:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

• Call this snippet from your nginx config:

include snippets/example.com

• Test at SSL Labs: https://www.ssllabs.com/ssltest/

• More SSL config advice here: https://mozilla.github.io/server-side-tls/ssl-config-generator/

• Test automated certificate renewal with this:

sudo certbot renew --dry-run

Wisdom

• If the site is currently working with http, just add the certbot snippet to the existing config and run the certbot command to create the SSL cert/chain first. THEN redo the entire config as SSL.

Troubleshooting

If things get messed up, delete the offending certificate with the certbot delete command and choose the offending URL from the list. Then start over. DO NOT attempt to fix things manually. You'll just end up with a bigger mess.