This document details how I setup LE on my server. Firstly, install the client as described on http://letsencrypt.readthedocs.org/en/latest/using.html and make sure you can execute it. I put it in /root/letsencrypt.
As it is not possible to change the ports used for the standalone authenticator and I already have a nginx running on port 80/443, I opted to use the webroot method for each of my domains (note that LE does not issue wildcard certificates by design, so you probably want to get a cert for www.example.com and example.com).
For this, I placed config files into etc/letsencrypt/configs, named after <domain>.conf. The files are simple:
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked with one domain for me,
# another one only got one cert, so I would recommend sepaate config files per domain.
domains = www.xrstf.de
# increase key size
rsa-key-size = 4096
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
# this address will receive renewal reminders, IIRC
email = [email protected]
# turn off the ncurses UI, we want this to be run as a cronjob
text = True
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
# LE fetch it
authenticator = webroot
webroot-path = /absolute/path/to/your/webroot/To generate your first cert, open a shell and execute the letsencrypt-auto script:
# cd /root/letsencrypt
# ./letsencrypt-auto --config /etc/letsencrypt/configs/mydomain.conf certonly
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.xrstf.de/fullchain.pem. Your cert will
expire on 2016-02-05. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Note the certonly command: we only want to issue certificates and don't want the client to fiddle with our nginx config.
Simply update your nginx sites to use the new certificate and private key:
server {
...
ssl_certificate /etc/letsencrypt/live/www.xrstf.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.xrstf.de/privkey.pem;
...
}That's it already.
I put a script in /etc/cron.monthly:
#!/bin/sh
# create new certs
cd /root/letsencrypt
for conf in $(ls /etc/letsencrypt/configs/*.conf); do
./letsencrypt-auto --renew --config "$conf" certonly
done
# make sure nginx picks them up
service nginx restartAnd now I get new certs on the first of every month. Done.
Simply put new config files into /etc/letsencrypt/configs and run the command mentioned above once to get the initial cert.