Yet another guide to obtaining a Let's Encrypt SSL certificate

    The topic of obtaining a Let's Encrypt certificate has already been raised on Habr (see here), and on the web you can find many recipes of varying quality.

    I read them and was horrified: some write that you need to stop nginx or apache (“just for a couple of minutes”), others suggest placing files in the web server's directory (from a second ssh session), and still others explain how important it is to set the correct Content-Type for the domain validation files...

    Let's try to do without all of that, so that it is not painful either at installation or at the next renewal, even if many domains have to be renewed at once. That is the whole purpose of this small note: it is not a step-by-step walkthrough, nor a long theoretical article on how Let's Encrypt works; it just describes the approach I consider correct, one that works for a configuration of any complexity.

    The whole point in a nutshell: we let Let's Encrypt start its own web server on port 9999, and we add a rule to the nginx config that forwards challenge requests to that backend. The details follow.

    At the moment, installing Let's Encrypt from the github repository is the recommended way:

    git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
    


    For some operating systems there are already ready-made packages (in which case, instead of the letsencrypt-auto command, which is in fact just a wrapper around letsencrypt, you can use letsencrypt directly), but as a programmer I am happy installing from the repository.

    Next, we need to prepare our server.

    In principle, all that is required of us is that at the address mysubdomain.mydomain.tld/.well-known/acme-challenge/6il4rb2ErDWuBnUsTw_qrJc_tXGNv43p2a4kQQc0CvE predefined content is served with the right headers.

    We hand this work over to Let's Encrypt itself: let it bring up its own web server on 127.0.0.1:9999, and we only add a rule to the nginx config that forwards such requests to that backend. Nothing needs to be stopped, and no files need to be created by hand.

    So. We create the file /etc/nginx/template/letsencrypt.conf with the following contents:

    # Forward only ACME http-01 challenge requests to the standalone
    # Let's Encrypt server listening on localhost; the dot is escaped so
    # the regex matches the literal ".well-known" path segment.
    location ~ ^/(\.well-known/acme-challenge/.*)$ {
        proxy_pass http://127.0.0.1:9999/$1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    


    And include it in the config files of the subdomains that need it:

         include template/letsencrypt.conf;
    


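Before running letsencrypt-auto it is worth checking that nginx really forwards challenge requests to port 9999. The following script is an added example, not part of the original post: it starts a stub backend on 127.0.0.1:9999 serving a constructed token, requests that token through the public hostname you pass in (an assumed argument), and reports whether the proxy returned it unchanged. It must run on the server itself, while port 9999 is free.

```python
import http.server, secrets, threading, urllib.error, urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class _TokenHandler(http.server.BaseHTTPRequestHandler):
    """Serves exactly one challenge path, like the standalone ACME server does."""
    token = ""   # filled in per stub via a generated subclass
    body = b""

    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + self.token:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(self.body)))
            self.end_headers()
            self.wfile.write(self.body)
        else:
            self.send_error(404)   # wrong path: the proxy rewrote $1 incorrectly

    def log_message(self, *args):  # keep the check quiet
        pass


def start_stub_backend(port=9999):
    """Bind 127.0.0.1:port (0 = ephemeral) and serve a freshly constructed token."""
    token = secrets.token_urlsafe(32)   # constructed, like an ACME token
    handler = type("StubHandler", (_TokenHandler,),
                   {"token": token, "body": ("preflight-" + token).encode()})
    server = http.server.HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, token


def fetch_challenge(host, token, timeout=5.0):
    """GET the challenge URL via host (domain or host:port); return (status, body)."""
    url = f"http://{host}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def preflight(domain=None, backend_port=9999):
    """True if a request through domain reaches the stub unchanged.
    domain=None talks to the stub directly (loopback self-check, no nginx)."""
    server, token = start_stub_backend(backend_port)
    try:
        host = domain or "127.0.0.1:%d" % server.server_address[1]
        status, body = fetch_challenge(host, token)
        return status == 200 and body == ("preflight-" + token).encode()
    finally:
        server.shutdown()   # free port 9999 again for letsencrypt-auto
        server.server_close()


if __name__ == "__main__":
    import sys
    print("OK" if preflight(sys.argv[1] if len(sys.argv) > 1 else None) else "FAILED")
```

Run it as `python3 preflight.py mydomain.tld` for each hostname you intend to pass with -d; a FAILED result means the include is missing from that server block or the location regex does not match.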
    Actually, that’s all. Now you can run one single command, which actually runs Let's Encrypt:

    letsencrypt-auto --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d mydomain.tld -d www.mydomain.tld -d i1.mydomain.tld -d i2.mydomain.tld
    


    Here I obtain a certificate for four (sub)domains at once, tell it to start the web server on port 9999, and accept the license agreement. (You can also pass an e-mail address on the command line so that you are not prompted for it interactively; read the description of the options in the documentation.)

    In principle, there is nothing more to describe. There are already enough good and correct descriptions of how to add the certificate to the nginx config.

    The only thing left is to add the auto-renew command to cron:

    letsencrypt-auto renew >> /dev/null 2>&1
    


    The getting-started guide has other examples of renewal scripts; I recommend looking at them: you can, for example, send an e-mail if renewal failed, or automatically restart the web server daemon.

    That's all. I’ll add from myself that I really don’t like to be at the forefront of a new technology (“there is no point in upgrading to a new Windows until the first service pack comes out”), but in principle I see that Let's Encrypt can already, cautiously, be put into production use.

    PS As the basis for my article I took Dmitry's article from his blog. I do not know whether he is on Habr; in any case, many thanks from me.
