After not having been able to log into StartSSL’s interface for two days and the expiry of an important SSL/TLS certificate looming, I looked into letsencrypt again and found an easy way to make it work with nginx for all my domains. Here’s what I did:
To verify that you’re actually running the server behind www.example.com, letsencrypt needs the ability to put a file on your web server, so that the Letsencrypt CA can subsequently download it and establish your identity. These files all need to be reachable below
Instead of creating a bunch of new directories for this, I’m creating just one and then route traffic below
/.well-known to that directory for all domains that I want to request a SSL/TLS certificate for:
I then create an include file for my nginx configurations at
/etc/nginx/includes/letsencrypt.include with this contents:
Now, I can simply add
to the configuration of the servers I want to request a letsencrypt-certificate for:
Finally, I tell nginx to reload the configuration:
This is pretty straightforward. Change to the directory you want to install letsencrypt in, then clone the git repository and change into the directory:
Now I can start requesting certificates using:
If everything works, you’ll now find private key, certificate and certificate chains in
Adding the certificate to your configuration
To use the letsencrypt certificate, point
ssl_certificate_key to the respective files.
Here’s a sample configuration for example.com with safe ciphers and OCSP stapling:
Renew certificates in time
This is my favorite part about letsencrypt. Issued certificates expire 90 days after issuance, but the great folks at letsencrypt have made checking certificates for expiration and renewing them in time trivially simple:
That’s all! No adding expiry reminders to the calendar, no issues with unavailable or slow web interfaces, no time wasted waiting for emails with verification codes. Finally! If you want to run this via cron, don’t forget to pair it with
so that nginx can pick up updated certificates.
If you can't or don't want to install software on your server, you can also obtain a letsencrypt certificate through this 3rd party web interface.