Go back ⮌

Let’s encrypt!

At the time of writing I am using Ubuntu 18.04 LTS. To install Certbot we will do as I write below:

apt update
apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update
apt install python-certbot-nginx

OK, so it is installed and ready to go.

certbot --nginx certonly

We will use certonly option because I do not want to have certbot messing around with nginx configuration files. I am OK with me doing it. In general you can trust certbot to do it well, but if you want to just get certificates and you have some funky configuration of openresty then use it as described above.

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name example.com www.example.com;
	return 301 https://$server_name$request_uri;
}

server {
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;
	
	ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	add_header X-Clacks-Overhead "GNU Terry Pratchett";
	
	server_name www.example.com example.com;

	root /srv/www/example/public;
	access_log /srv/www/example/logs/access.log;
	error_log /srv/www/example/logs/error.log;

	index index.html;

	location / {
		try_files $uri $uri/ =404;
	}
}

OK, so it is configured, time to test it and restart nginx.

nginx -t
systemctl restart nginx

That should be enough. If you want to get another certificate then just make sure that nginx will serve files from .well-known directory created by certbot in specified webroot directory. It should be also available during each of renewal cycles. Speaking of, to renew certificates manually you can run following command. However we do not need to worry about it as certbot package from ppa repository comes with cronjob.

certbot renew