Certbot: Difference between revisions
Line 63: | Line 63: | ||
sudo certbot renew --dry-run | sudo certbot renew --dry-run | ||
</pre> | </pre> | ||
== Troubleshooting == | |||
If things get messed up, delete the offending certificate with the <code>certbot delete</code> command and then start over. '''DO NOT''' attempt to fix things manually. You'll just end up with a bigger mess. |
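Review bot: the added Troubleshooting paragraph tells the reader to run <code>certbot delete</code> but gives no way to identify the offending certificate. Suggest pointing to <code>certbot certificates</code> to list the certificate names and to <code>certbot delete --cert-name example.com</code> to remove one of them. It is also worth saying that an nginx snippet still pointing at the deleted files under /etc/letsencrypt/live/ will make <code>nginx -t</code> fail until the certificate has been issued again.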
Revision as of 23:10, 13 February 2019
certbot connects to Let's Encrypt to obtain an SSL certificate for your server.
- Install packages
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
- Create the file /etc/nginx/snippets/ssl-certbot.conf:
# support for certbot ssl auto-renewal
location ^~ /.well-known/ {
    default_type "text/plain";
    root /var/www/html/;
}
- Create the well-known directory for verification:
mkdir -p /var/www/html/.well-known
- Include the following line in the ssl config for each domain:
include snippets/ssl-certbot.conf;
- Test with
nginx -t
- Reload nginx
- Now run a command like this:
certbot certonly --webroot --webroot-path=/var/www/html \
    -d example.com \
    -d domain1.example.com \
    -d domain2.example.com
You should get some output about where the ssl cert and key are located.
- Add a new ssl config snippet like this at /etc/nginx/snippets/example.com:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
- Call this snippet from your nginx config:
include snippets/example.com;
- Test at SSL Labs: https://www.ssllabs.com/ssltest/
- More SSL config advice here: https://mozilla.github.io/server-side-tls/ssl-config-generator/
- Test automated certificate renewal with this:
sudo certbot renew --dry-run
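Before running the certbot certonly step, it helps to confirm that nginx really serves files from the webroot for every domain, since a failed validation only shows up after the request has gone to Let's Encrypt. The script below is an added example, not part of the original wiki page; it assumes curl is installed and that WEBROOT matches the root in ssl-certbot.conf, and the function names and the file name preflight.sh are this example's own.

```shell
#!/bin/sh
# Pre-flight check for the webroot setup (added example, not from the wiki page).
# Assumptions: curl is installed, WEBROOT matches the nginx "root" in
# ssl-certbot.conf, and the caller may write to WEBROOT (run with sudo if not).
WEBROOT="${WEBROOT:-/var/www/html}"

# Fetch a URL to stdout. -L follows a port-80 to HTTPS redirect; -k accepts the
# self-signed or expired certificate that may be in place before issuance.
fetch_url() {
    curl -fsSLk --max-time 10 "$1"
}

# check_domain DOMAIN: write a random probe file into the directory the webroot
# plugin uses for challenges and confirm the server returns it unchanged.
check_domain() {
    domain="$1"
    dir="$WEBROOT/.well-known/acme-challenge"
    name="preflight-$$"
    token="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$name" || return 2
    body="$(fetch_url "http://$domain/.well-known/acme-challenge/$name" 2>/dev/null)" || body=""
    rm -f "$dir/$name"
    if [ -n "$token" ] && [ "$body" = "$token" ]; then
        echo "OK   $domain"
        return 0
    fi
    echo "FAIL $domain: probe file was not served from $WEBROOT" >&2
    return 1
}

# check_all DOMAIN...: non-zero if any domain fails, so it can gate certbot.
check_all() {
    rc=0
    for d in "$@"; do
        check_domain "$d" || rc=1
    done
    return "$rc"
}

# Usage: sh preflight.sh example.com domain1.example.com domain2.example.com
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

A FAIL for a domain usually means its server block is missing the include of snippets/ssl-certbot.conf or that DNS for the name does not point at this server.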
Troubleshooting
If things get messed up, delete the offending certificate with the certbot delete command and then start over. DO NOT attempt to fix things manually. You'll just end up with a bigger mess.