Using letsencrypt with nginx to obtain, install and automatically renew SSL/TLS certificates

by Felix Schwarz / Apr 17, 2016 / in Security, Linux

After not having been able to log into StartSSL’s interface for two days and the expiry of an important SSL/TLS certificate looming, I looked into letsencrypt again and found an easy way to make it work with nginx for all my domains. Here’s what I did:

Prepare nginx

To verify that you’re actually running the server behind www.example.com, letsencrypt needs the ability to put a file on your web server, so that the Letsencrypt CA can subsequently download it and establish your identity. These files all need to be reachable below http://www.example.com/.well-known/acme-challenge/[cryptographic-filename]

Instead of creating a bunch of new directories for this, I’m creating just one and then route traffic below /.well-known to that directory for all domains that I want to request a SSL/TLS certificate for:

mkdir /etc/nginx/letsencrypt/webroot

I then create an include file for my nginx configurations at /etc/nginx/includes/letsencrypt.include with this contents:

location /.well-known { default_type "/text/plain"; root /etc/nginx/letsencrypt/webroot; }

Now, I can simply add

include includes/letsencrypt.include;

to the configuration of the servers I want to request a letsencrypt-certificate for:

server { listen 80; server_name www.example.com, example.com; include includes/letsencrypt.include; # Your server specific configuration here }

Finally, I tell nginx to reload the configuration:

/etc/init.d/nginx reload

Install letsencrypt

This is pretty straightforward. Change to the directory you want to install letsencrypt in, then clone the git repository and change into the directory:

git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt

Now I can start requesting certificates using:

./letsencrypt-auto certonly -a webroot --webroot-path=/etc/nginx/letsencrypt/webroot --rsa-key-size=4096 --agree-tos -d www.example.com -d example.com

If everything works, you’ll now find private key, certificate and certificate chains in /etc/letsencrypt/live/www.example.com/.

Adding the certificate to your configuration

To use the letsencrypt certificate, point ssl_certificate, ssl_trusted_certificate and ssl_certificate_key to the respective files.

Here’s a sample configuration for example.com with safe ciphers and OCSP stapling:

server { listen 443 ssl http2; server_name www.example.com, example.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem; ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-S$ ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_tickets on; ssl_session_timeout 10m; # Your server specific configuration here }

Renew certificates in time

This is my favorite part about letsencrypt. Issued certificates expire 90 days after issuance, but the great folks at letsencrypt have made checking certificates for expiration and renewing them in time trivially simple:

./letsencrypt-auto renew

That’s all! No adding expiry reminders to the calendar, no issues with unavailable or slow web interfaces, no time wasted waiting for emails with verification codes. Finally! If you want to run this via cron, don’t forget to pair it with

/etc/init.d/nginx reload

so that nginx can pick up updated certificates.

Alternatives

If you can't or don't want to install software on your server, you can also obtain a letsencrypt certificate through this 3rd party web interface.