Lets Encrypt Quick Setup Nginx


How to set up and use Let's Encrypt using the reverse proxy approach. In this guide I assume you have a working nginx server; if you do not, run "apt-get install nginx".

In this guide I'm going to show you a quick, central way to set up Let's Encrypt and renew the certs every 60 days with cron, without stopping the web server.

All examples are done with the site "im.mattronix.nl" and should be changed to your own domain.

Step 1 - let's get Let's Encrypt.

I am using root for this and I am in the "/root" directory:

 git clone https://github.com/letsencrypt/letsencrypt
 cd letsencrypt

Step 2 - now that we have Let's Encrypt, let's set up the nginx web server.

Either A: we need to disable the web server and run "./letsencrypt-auto certonly", which will walk you through the cert creation process (this needs to be done if you do not have SSL already enabled on these sites).

Or B: if you have SSL already enabled you can request a certificate with the following command: "./letsencrypt-auto certonly --webroot -w /srv/www/im.mattronix.nl -d im.mattronix.nl"

In the example above, -d = the domain you are requesting (you can add -d more than once to add domains such as www. to the request).

certonly = we are only obtaining the certificate and are not going to hook into apache or nginx to install it.

--webroot = we will tell it the location to serve the token from.

-w is the folder that web content is served from; in our case we assume you already have that working, as you have already set up SSL.

To request a cert for your main site you could use:

./letsencrypt-auto certonly --webroot -w /srv/www/mattronix.nl -d mattronix.nl -d www.mattronix.nl

Step 3 - if the site is running on the same host as Let's Encrypt, then the following config will work.

server {
        listen       [::]:80;
        listen       80;
        server_name  im.mattronix.nl;
        # send all plain HTTP traffic to HTTPS
        rewrite ^ https://$server_name$request_uri? permanent;

        access_log /var/log/nginx/im.mattronix.nl.log;
        error_log  /var/log/nginx/im.mattronix.nl.log;
}

server {
        listen [::]:443;
        # port 443 (not 4443), so the https:// redirect above reaches this server over IPv4 too
        listen 443;
        client_max_body_size 10000M;
        server_name im.mattronix.nl;
        ssl on;
        ssl_certificate     /etc/letsencrypt/live/im.mattronix.nl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/im.mattronix.nl/privkey.pem;
#        ssl_certificate /etc/nginx/certs/wildcard.mattronix.nl/certificate.crt.chain;
#        ssl_certificate_key /etc/nginx/certs/wildcard.mattronix.nl/certificate.key;
        keepalive_timeout 70;
        root /srv/www/im.mattronix.nl;
        index index.php index.html index.htm index.nginx-debian.html;
        fastcgi_index index.php;

        access_log /var/log/nginx/im.mattronix.nl.log;
        error_log  /var/log/nginx/im.mattronix.nl.log;

        location / {
                # php_params is a local include of this setup; drop the line if you have no such file
                include   php_params;
                try_files $uri $uri/ =404;
        }

        # pass the PHP scripts to FastCGI server listening on /var/run/php5-fpm.sock
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

Otherwise, if it is a proxy forwarding to another host, this nginx config will work for a new site.

What I do is point the ".well-known" folder at a folder on the proxy, which needs to be created with the command below; later we will tell Let's Encrypt to write the tokens there:

mkdir /srv/www/im.mattronix.nl

in "/etc/nginx/sites-enabled/sitename":

server {
        listen       [::]:80;
        listen       80;
        server_name  im.mattronix.nl;
        # send all plain HTTP traffic to HTTPS
        rewrite ^ https://$server_name$request_uri? permanent;

        access_log /var/log/nginx/im.mattronix.nl.log;
        error_log  /var/log/nginx/im.mattronix.nl.log;
}

server {
        listen [::]:443;
        # port 443 (not 4443), so the https:// redirect above reaches this server over IPv4 too
        listen 443;
        client_max_body_size 10000M;
        server_name im.mattronix.nl;
        ssl on;
        ssl_certificate     /etc/letsencrypt/live/im.mattronix.nl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/im.mattronix.nl/privkey.pem;
#        ssl_certificate /etc/nginx/certs/wildcard.mattronix.nl/certificate.crt.chain;
#        ssl_certificate_key /etc/nginx/certs/wildcard.mattronix.nl/certificate.key;
        keepalive_timeout 70;
        root /srv/www/im.mattronix.nl;
        index index.php index.html index.htm index.nginx-debian.html;
        fastcgi_index index.php;

        access_log /var/log/nginx/im.mattronix.nl.log;
        error_log  /var/log/nginx/im.mattronix.nl.log;

        location / {
                # php_params is a local include of this setup; drop the line if you have no such file
                include   php_params;
                try_files $uri $uri/ =404;
                # when this host only proxies, replace the two lines above with a proxy_pass to your
                # backend, e.g. proxy_pass http://BACKEND_HOST; (BACKEND_HOST is a placeholder, the
                # guide does not give the backend address)
        }

        # serve the Let's Encrypt tokens from the local folder created above; ^~ makes this
        # location win over the regex and prefix locations, so the tokens are never proxied
        location ^~ /.well-known/ {
                root /srv/www/im.mattronix.nl;
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass the PHP scripts to FastCGI server listening on /var/run/php5-fpm.sock
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

Last but not least, step 4: add the cron job to renew your certificate automatically every 60 days.

Using the command "crontab -e", add the following line:

# "*/60" in the day-of-month field (range 1-31) only ever matches day 1, so this actually runs at 00:00 on
# the first of each month; the nginx reload afterwards makes it pick up the new fullchain.pem without a restart
0 0 */60 * * /root/letsencrypt/letsencrypt-auto certonly --webroot -w /srv/www/im.mattronix.nl -d im.mattronix.nl && service nginx reload
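As an added example (not part of the original guide), a small renewal script you can call from the cron line instead of letsencrypt-auto directly: it checks that the webroot's challenge directory is writable before contacting Let's Encrypt, and reloads nginx only when fullchain.pem actually changed and the config still passes "nginx -t". The script name and the LE_BIN, LIVE_DIR and WEBROOT_BASE defaults are assumptions matching the guide's layout.

```shell
#!/bin/sh
# renew-certs.sh (added example, not from the original guide). Assumed layout, as in the guide:
# the client in /root/letsencrypt, certs under /etc/letsencrypt/live, webroots under /srv/www/<domain>.
LE_BIN="${LE_BIN:-/root/letsencrypt/letsencrypt-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WEBROOT_BASE="${WEBROOT_BASE:-/srv/www}"

# Checksum of a file, or "missing" when it does not exist yet (cksum is POSIX; enough to detect a rewrite).
fingerprint() {
    if [ -f "$1" ]; then cksum "$1" | cut -d' ' -f1; else echo missing; fi
}

# Succeeds only when the ACME challenge directory under the webroot exists (or can be created) and is
# writable, so a wrong -w path fails here instead of after a validation round-trip to Let's Encrypt.
check_webroot() {
    mkdir -p "$1/.well-known/acme-challenge" 2>/dev/null && [ -w "$1/.well-known/acme-challenge" ]
}

# Request the cert for one domain with the guide's "certonly --webroot" command.
# Returns 0 only when fullchain.pem changed, 1 when it did not, 2 on a setup or client error.
renew_domain() {
    domain="$1"
    webroot="$WEBROOT_BASE/$domain"
    chain="$LIVE_DIR/$domain/fullchain.pem"
    check_webroot "$webroot" || { echo "webroot $webroot is not writable" >&2; return 2; }
    before=$(fingerprint "$chain")
    "$LE_BIN" certonly --webroot -w "$webroot" -d "$domain" || return 2
    after=$(fingerprint "$chain")
    [ "$before" != "$after" ]
}

# Renew every domain given on the command line; reload nginx once, and only if something changed
# and the configuration still parses, so a broken config never takes the site down at 00:00.
main() {
    changed=0
    for domain in "$@"; do
        if renew_domain "$domain"; then changed=1; fi
    done
    if [ "$changed" -eq 1 ]; then
        nginx -t && nginx -s reload
    fi
}

# usage from cron: /root/renew-certs.sh im.mattronix.nl mattronix.nl
if [ "$#" -gt 0 ]; then main "$@"; fi
```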


Written by Matthew Frost on Tuesday December 8, 2015