@davestevens
Last active November 6, 2024 11:48
Let’s Encrypt setup for Apache, NGINX & Node.js

Let's Encrypt

Examples of getting certificates from Let's Encrypt working on Apache, NGINX and Node.js servers.

Obtain certificates

I chose to use the manual method: the client prints a token and you have to make a file with that content available at http://example.com/.well-known/acme-challenge/<token> so Let's Encrypt can verify you control the domain (the HTTP-01 challenge). Run the following and follow the prompts:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --manual --email [email protected] -d example.com

The client has since been renamed certbot, so the equivalent command today is certbot certonly --manual --email [email protected] -d example.com. Add a second -d www.example.com if the certificate should also cover the www name. Note that the manual plugin leaves placing the challenge file to you, so certbot renew will not renew such a certificate unattended unless you also give it a --manual-auth-hook script.

This creates a directory /etc/letsencrypt/live/example.com/ containing symlinks to the current certificate files (the real files live under /etc/letsencrypt/archive/ and the symlinks move on each renewal, so point servers at the live/ paths):

  • cert.pem: the server certificate only
  • chain.pem: the Let's Encrypt intermediate certificate(s)
  • fullchain.pem: cert.pem followed by chain.pem; this is what a server should send to clients, otherwise clients that do not fetch missing intermediates themselves fail to validate
  • privkey.pem: the private key. Keep it readable only by root (or the account the server runs as); do not loosen permissions on /etc/letsencrypt/ to make a server start.

Let's Encrypt certificates are valid for 90 days, so plan for renewal and reload the server after each one.

Node.js

var https = require('https');
var fs = require('fs');

var options = {
  key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
  // Node sends whatever is in `cert` to clients, so it must contain the leaf
  // certificate followed by the intermediate chain: that is fullchain.pem.
  // The `ca` option only sets the CAs used to verify *client* certificates;
  // putting chain.pem there does not send the intermediate to browsers.
  cert: fs.readFileSync('/etc/letsencrypt/live/example.com/fullchain.pem')
};

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(8000);

Apache

# The LoadModule path below is the macOS system Apache layout; on Debian/Ubuntu
# enable the module with "a2enmod ssl" instead, on RHEL/CentOS install mod_ssl.
LoadModule ssl_module libexec/apache2/mod_ssl.so
Listen 443
<VirtualHost *:443>
  ServerName example.com
  SSLEngine on
  SSLCertificateFile "/etc/letsencrypt/live/example.com/cert.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
  # Required on Apache older than 2.4.8 so the intermediate is sent to clients.
  # From 2.4.8 on this directive is deprecated: drop it and point
  # SSLCertificateFile at fullchain.pem instead.
  SSLCertificateChainFile "/etc/letsencrypt/live/example.com/chain.pem"
</VirtualHost>

NGINX

server {
    listen              443 ssl;
    server_name         example.com;
    # fullchain.pem already carries the intermediate certificate; cert.pem alone would not.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
@radiofrequency

For nginx, add
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem

or you'll get validation errors on some Android browsers.

@elievischel

Hello, does it work for all website versions? www and non-www?

It didn't work for my website. I have added

server {
    listen              443 ssl;
    server_name         example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

but it doesn't work for my www version.

Could you give me a little hand with it? :)

@Magiccamera

Magiccamera commented Jun 1, 2017

I just switched from nginx to Apache under direction from my boss (I cringed at the notion... but it was easier done than said). Apparently it's straightforward to update your letsencrypt.

To prepare Apache properly for SSL, follow this tutorial for CentOS 7 here:

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
The tutorial feels vague, but there are just a couple of relevant parts you need to do beforehand. I did it ass backwards until I realised I was a total numpty.

Create your vhosts for port 80 for all your domains, start your server and then run sudo certbot --apache and follow the questions. Letsencrypt creates your SSL conf files for you wherever they may reside, such as in /etc/httpd/sites-enabled. It even injects a redirect into your VirtualHost *80 files, so you need to keep those enabled.

@aclaramunt

I installed letsencrypt for Node.js; when I execute node index.js:

_tls_common.js:85
      c.context.setKey(options.key, options.passphrase);
                ^

Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    at Error (native)
    at Object.createSecureContext (_tls_common.js:85:17)
    at Server (_tls_wrap.js:776:25)
    at new Server (https.js:26:14)
    at Object.exports.createServer (https.js:47:10)
    at Object.<anonymous> (/home/sites/api-ten2go/index.js:16:7)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)

@josezulu

For two weeks I'd banged my head on the interwebs to figure out why Internet Explorer 11 was rejecting the connection to the websocket I had attached to the https server. It was Avast Antivirus blocking it! Only happened in IE11.

Then by chance I realised I wasn't loading the "ca" file on the https options....

Thanks to your post, I know which file I should use for the "ca", since letsencrypt also has a "fullchain" cert.

@ngoma84

ngoma84 commented Apr 3, 2018

For Node.js, in case you get a permission denied error,
try
sudo chmod 755 /etc/letsencrypt/live/
sudo chmod 755 /etc/letsencrypt/archive/

@coolaj86

FYI: The python implementation of "letsencrypt" is now "certbot" and the node.js implementation is now Greenlock for Web Servers and Greenlock for API Integrations
