Certbot
certbot connects to Let's Encrypt to obtain an SSL certificate for your server.
- Install packages
sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-nginx
- Create the file
/etc/nginx/snippets/ssl-certbot.conf:
# support for certbot ssl auto-renewal
location ^~ /.well-known/ {
default_type "text/plain";
root /var/www/html/;
}
- Create the well-known directory for verification:
mkdir -p /var/www/html/.well-known
- Include the following line in the config for each domain:
include snippets/ssl-certbot.conf;
- Test with
nginx -t
- Reload nginx
- Now run a command like this:
certbot certonly --webroot --webroot-path=/var/www/html -d domain1.example.com
You should get some output about where the ssl cert and key are located.
- Add new ssl config snippet like this at
/etc/nginx/snippets/example.com:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
- Call this snippet from your nginx config:
include snippets/example.com
- Test at SSL Labs: https://www.ssllabs.com/ssltest/
- More SSL config advice here: https://mozilla.github.io/server-side-tls/ssl-config-generator/
- Test automated certificate renewal with this:
sudo certbot renew --dry-run
Wisdom
- If the site is currently working with
http, just add the certbot snippet to the existing config and run the certbot command to create the SSL cert/chain first. THEN redo the entire config as SSL.
Troubleshooting
If things get messed up, delete the offending certificate with the certbot delete command and choose the offending URL from the list. Then start over. DO NOT attempt to fix things manually. You'll just end up with a bigger mess.