
@dgoguerra
Created September 5, 2017 11:38
Let's Encrypt Certbot

Install the Let's Encrypt client (Certbot). The certbot-auto wrapper script used here has since been deprecated by the EFF; on a current system install certbot from your distribution's packages instead. If you do use certbot-auto, verify the EFF's detached PGP signature (certbot-auto.asc, published next to the script on dl.eff.org) before running the script as root:

wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/

On first run it will install its dependencies:

sudo certbot-auto

Certificates can be created with the webroot plugin, which proves control of the domain with the ACME HTTP-01 challenge: certbot writes a token file under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP (port 80) from the host the domain's DNS points to. That path must therefore be served over HTTP and excluded from the redirect to HTTPS. The site's nginx configuration would look like the following:

server {
    listen 80;
    server_name site.example.com;

    # ACME HTTP-01 challenge files written by certbot's webroot plugin.
    # A ^~ prefix match is chosen before any regex location and is scoped
    # to the challenge directory only, instead of an unanchored regex that
    # matches any URI containing /.well-known
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/site.example.com/public;
        allow all;
    }

    # any other path, require https
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name site.example.com;

    root /var/www/site.example.com/public;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/site.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.example.com/privkey.pem;

    location / {
        try_files $uri $uri/ =404;
    }
}

The certificate for site.example.com is then requested with (the -w path must be the same root the /.well-known location above serves from):

sudo certbot-auto certonly --webroot -w /var/www/site.example.com/public -d site.example.com
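Before running certonly it is worth proving that the challenge path is reachable the way Let's Encrypt will fetch it. The following Python script is an added example, not part of the gist or of certbot itself: it imitates the webroot plugin by dropping a random token under <webroot>/.well-known/acme-challenge/ and fetching it back over HTTP, so a wrong -w path, a redirect-to-HTTPS rule that also catches /.well-known, or a permissions problem shows up before certbot hits Let's Encrypt's rate limits. Its demo runs against a loopback http.server standing in for nginx so it can be tried offline; the webroot path and hostname in the trailing comment are the gist's example values, and the probe_challenge, serve_directory and run_demo names are this example's own.

```python
"""Pre-flight check for certbot's webroot (HTTP-01) validation.

Added example (not certbot code). Writes a random token file under
<webroot>/.well-known/acme-challenge/ and confirms that the web server
returns exactly that content over plain HTTP, which is what the
Let's Encrypt validation servers will do with the real challenge.
"""
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path
from typing import Tuple

CHALLENGE_DIR = ".well-known/acme-challenge"


def probe_challenge(webroot: str, base_url: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Write a token into the webroot's challenge directory, fetch it back
    through the web server at base_url (e.g. "http://site.example.com"),
    and report (ok, reason). The token file is always removed afterwards."""
    challenge_path = Path(webroot) / CHALLENGE_DIR
    challenge_path.mkdir(parents=True, exist_ok=True)
    token = secrets.token_urlsafe(16)      # random file name, like a real ACME token
    expected = secrets.token_urlsafe(32)   # random body so a stale file cannot pass
    token_file = challenge_path / token
    token_file.write_text(expected)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/1.0"})
        # urllib follows redirects, as Let's Encrypt does; a 301 to HTTPS only
        # passes if the HTTPS vhost also serves the same webroot.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            fetched = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return False, f"{url} returned HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"{url} unreachable: {exc}"
    finally:
        token_file.unlink(missing_ok=True)
    if fetched != expected:
        return False, f"{url} served different content than the token file"
    return True, f"{url} served the expected token"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static-file handler that does not log every request to stderr."""

    def log_message(self, format, *args):
        pass


def serve_directory(root: str) -> Tuple[http.server.ThreadingHTTPServer, str]:
    """Serve `root` over HTTP on an ephemeral loopback port in a daemon thread.
    Stands in for nginx so the check can be demonstrated offline; the caller
    must call server.shutdown() and server.server_close() when done."""
    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo() -> Tuple[bool, bool]:
    """Probe a loopback server twice: with the directory it really serves
    (passes) and with a different directory, the classic wrong -w mistake
    (fails with a 404). Returns (ok_right_webroot, ok_wrong_webroot)."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, base_url = serve_directory(served)
        try:
            ok_right, reason_right = probe_challenge(served, base_url)
            ok_wrong, reason_wrong = probe_challenge(other, base_url)
        finally:
            server.shutdown()
            server.server_close()
    print(reason_right)
    print(reason_wrong)
    return ok_right, ok_wrong


if __name__ == "__main__":
    # Real use: point it at the production webroot and public hostname, e.g.
    #   probe_challenge("/var/www/site.example.com/public", "http://site.example.com")
    run_demo()
```

Run it against the real host from a machine outside the server's network, since that is where Let's Encrypt's validators connect from; a pass on localhost says nothing about a firewall that blocks port 80.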

Then set up auto-renewal from root's crontab. certbot renew only replaces certificates that are within 30 days of expiry, so it is safe to run often. Reloading nginx from a separate cron entry a few minutes later is fragile (a slow renewal can overrun it, and nginx gets reloaded every week even when nothing changed), so let certbot trigger the reload itself with --deploy-hook, which runs only when a certificate was actually renewed (certbot 0.17 or later):

# attempt to renew all certs twice a day; certbot only renews those close to
# expiry, and the deploy hook reloads Nginx only when a cert was renewed,
# so the new cert is used
45 2,14 * * * /usr/local/bin/certbot-auto renew --noninteractive --quiet --deploy-hook "service nginx reload"