Configure Nginx to allow for automatic updates of LetsEncrypt

Posted by Navisence on Thu, Jan 14, 2016

Introduction

The way I’m using LetsEncrypt at this time, there is no support for automatic configuration of my server (Nginx). This isn’t a big issue, since having a tool like LetsEncrypt touching the configuration of my web server is something I’m not feeling comfortable about anyway.

So I started using LetsEncrypt with the arguments to only request a certificate and use a standalone server on port 80.

./letsencrypt-auto certonly -a standalone -d ...

The disadvantage of this approach is that the LetsEncrypt program will bind to port 80 for its domain verification, and of course nginx, the regular web server in this case, is already bound to that port. So for this to work, you’ll have to briefly shut down the regular web server, which is probably not what you desire.

Improvement

Fortunately LetsEncrypt also offers the possibility of using a webroot: the LetsEncrypt program writes the challenge files to the file system, and the regular web server serves them for domain verification. The following variables and shell command use a webroot.

WEBROOT="/tmp/letsencrypt-auto"
DOMAINS="-d example.com -d www.example.com"
./letsencrypt-auto --renew certonly -a webroot --webroot-path=$WEBROOT $DOMAINS

Then you should make sure the webroot can be accessed for the domain ownership check. For this, the main nginx configuration can be updated to contain a location for the acme-challenge path.

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /tmp/letsencrypt-auto;
    }

    # We want to have http2 enabled everywhere, so this means redirecting
    # all traffic to TLS. This can be done with this single generic server
    # instance, as long as we use the $host directive.
    location / {
        return 301 https://$host$request_uri;
    }
}

Tip: Check your certificate

If you want to check the validity of your certificate, you can do so by going to the LetsEncrypt storage in /etc/letsencrypt/live/example.com/ and running

openssl x509 -in cert.pem -text -noout
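The webroot command above and this certificate check can be tied together into a small renewal script, which is what "automatic updates" comes down to in practice. The following is an added example, not code from the original post or from the LetsEncrypt project. It assumes the openssl CLI is installed, that certificates live in /etc/letsencrypt/live/<domain>/cert.pem as described above, that letsencrypt-auto is in the current directory, and that nginx serves $WEBROOT under /.well-known/acme-challenge exactly as in the server block above. The function names (days_until_expiry, needs_renewal, verify_challenge_path, renew_if_needed, make_test_cert) are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: openssl CLI
# available; certs in /etc/letsencrypt/live/<domain>/cert.pem; letsencrypt-auto
# in the current directory; nginx serves $WEBROOT for /.well-known/acme-challenge.

WEBROOT="${WEBROOT:-/tmp/letsencrypt-auto}"

# Whole days until the certificate in $1 expires (0 if already expired).
# Binary-searches with `openssl x509 -checkend`, which avoids parsing the
# notAfter date text and therefore works with any date(1) implementation.
days_until_expiry() {
    cert="$1"
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return 0; }
    lo=0     # certificate is still valid after $lo days
    hi=4000  # certificate has expired after $hi days (far beyond a 90-day cert)
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if openssl x509 -in "$cert" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# Exit status 0 when fewer than $2 days (default 30) remain on certificate $1.
needs_renewal() {
    left=$(days_until_expiry "$1")
    [ "$left" -lt "${2:-30}" ]
}

# Before trusting the nginx location block, drop a token into the webroot and
# fetch it over plain HTTP the way the ACME server will. Needs curl and a
# reachable host, so it is not part of the offline self-test.
verify_challenge_path() {
    domain="$1"
    token="probe-$$"
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" && echo "$token" > "$dir/$token"
    body=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# Renew with the webroot plugin only when needed, then reload nginx so it
# reads the new files in /etc/letsencrypt/live/. Intended for a daily cron job.
renew_if_needed() {
    domain="$1"
    cert="/etc/letsencrypt/live/$domain/cert.pem"
    if ! needs_renewal "$cert" 30; then
        echo "$domain: $(days_until_expiry "$cert") days left, nothing to do"
        return 0
    fi
    ./letsencrypt-auto --renew certonly -a webroot --webroot-path="$WEBROOT" \
        -d "$domain" -d "www.$domain" && nginx -s reload
}

# Constructed throwaway certificate (self-signed, $2 days of validity) for
# trying the expiry check without a real LetsEncrypt certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.com" >/dev/null 2>&1
}
```

Run it as `renew_if_needed example.com` from cron once a day; because the check happens first, the LetsEncrypt program is only invoked (and nginx only reloaded) when the certificate is actually close to expiry. A freshly made 30-day test certificate reports 29 whole days left, since a few seconds have already passed by the time it is inspected. The script keeps the post's /tmp/letsencrypt-auto webroot as the default but reads WEBROOT from the environment, so a dedicated directory owned by the renewal user can be substituted.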
