It looks like you're new here. If you want to get involved, click one of these buttons!
Sign In RegisterIt looks like you're new here. If you want to get involved, click one of these buttons!
Howdy, Stranger!
It looks like you've been lurking for a while.
If you register, we also will remember what you have read and notify you about new comments. You will also be able to participate in discussions.
So if you'd like to get involved, register for an account, it'll only take you a minute!
mydomain.com
.
HTML is served from /var/www/html
, and challenges are served from /var/www/letsencrypt
.mydomain.com
, that domain must resolve to your server for the validation process to work. Our setup will use mydomain.com
and www.mydomain.com
as the domain names, so both DNS records are required./etc/nginx/snippets/letsencrypt.conf
containing:location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/letsencrypt;
}
Create a file /etc/nginx/snippets/ssl.conf
containing:ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Create the folder for the challenges:mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
Create a file /etc/nginx/sites-available/mydomain.conf
containing:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name mydomain.com www.mydomain.com;
include /etc/nginx/snippets/letsencrypt.conf;
root /var/www/html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Enable the site:rm /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/mydomain.conf /etc/nginx/sites-enabled/mydomain.conf
And reload Nginx:systemctl reload nginx
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
Request a certificate:certbot certonly --webroot --agree-tos --no-eff-email --email YOUR@EMAIL.COM -w /var/www/letsencrypt -d www.domain.com -d domain.com
Prepare Nginx to server HTTPSNow that you have a certificate for the domain, switch to HTTPS by editing the file /etc/nginx/sites-available/mydomain.conf
and replacing contents with:
## http://mydomain.com redirects to https://mydomain.com
server {
listen 80;
listen [::]:80;
server_name mydomain.com;
include /etc/nginx/snippets/letsencrypt.conf;
location / {
return 301 https://mydomain.com$request_uri;
}
}
## http://www.mydomain.com redirects to https://www.mydomain.com
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name www.mydomain.com;
include /etc/nginx/snippets/letsencrypt.conf;
location / {
return 301 https://www.mydomain.com$request_uri;
}
}
## https://mydomain.com redirects to https://www.mydomain.com
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mydomain.com;
ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;
location / {
return 301 https://www.mydomain.com$request_uri;
}
}
## Serves https://www.mydomain.com
server {
server_name www.mydomain.com;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server ipv6only=on;
ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;
root /var/www/mydomain;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Then reload Nginx:
systemctl reload nginx
Now you should be able to see your website at https://www.mydomain.com
Certbot can renew all certificates that expire within 30 days, so let's make a cron for it. You can test it has the right config by launching a dry run:
certbot renew --dry-run
Create a file /root/letsencrypt.sh
:
#!/bin/bash
systemctl reload nginx
Make it executable:
chmod +x /root/letsencrypt.sh
Edit cron:
crontab -e
And add the line:
20 3 * * * certbot renew --noninteractive --renew-hook /root/letsencrypt.sh