Enabling Let's Encrypt certificates


Everything had been working and I wasn't worrying about it :-) Then the other day, sites with certificates from StartSSL stopped opening normally (and the last ones issued there were valid for 3 years). I googled and found, to my dismay, that Microsoft and Apple had "rejected" certificates from this CA. I had to look for a replacement urgently.

Among the paid services (which, incidentally, offer 1-3 months free as a trial) I found the free service Let's Encrypt (https://letsencrypt.org). Certificates there are free; the only catch is that a certificate is valid for just 90 days and then has to be renewed. Since there was no real choice, I settled on it.

As it turned out, certificate renewal can be automated and then forgotten about (i.e. set up once and forgot :-), and so as not to forget how, I am writing this note).

So, I went to my server and installed certbot (from jessie-backports on Debian jessie):

apt-get update
apt-get install certbot -t jessie-backports -y

After installation the folder /etc/letsencrypt appears. To avoid typing a bunch of options every time, we write them into the config file /etc/letsencrypt/cli.ini (create it yourself):

authenticator = webroot
webroot-path = /var/www/html
post-hook = service nginx reload
text = True

Here we set the authentication method, the path where the authentication files are placed, and a hook for a graceful nginx reload.

With these settings certbot will place and look for the authentication files at paths like:

/var/www/html/.well-known/acme-challenge/example.html

Next, register with Let's Encrypt:

certbot register --email your@email

This is done only once.


Now we prepare nginx so that certbot can perform domain authentication.

In general, in every server block for which a certificate is needed, add the following location block alongside the other location blocks:

location /.well-known { root /var/www/html; }

Obtaining the certificates

Let's Encrypt has limits on the number of certificate requests, so it is better to get a certificate in test mode first:

certbot certonly --dry-run -d sait.ru -d www.sait.ru

If at the end the bot reports success:

The dry run was successful.

then issue it for real:

certbot certonly -d sait.ru -d www.sait.ru

If you forgot to add something, or want to add a new subdomain, just run it again with the full list of names:

certbot certonly -d sait.ru -d www.sait.ru -d my.sait.ru

The certificate files will appear in the folder

/etc/letsencrypt/live/sait.ru/

All that is left is to replace (or add) the certificate file paths in the nginx config:

ssl_certificate /etc/letsencrypt/live/sait.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sait.ru/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/sait.ru/chain.pem;

Oh, and just in case, here is an SSL config generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/

Now reload nginx and check our sites, for example here: https://www.ssllabs.com/ssltest/analyze.html

Add to cron: certbot -q renew --allow-subset-of-names (according to the Let's Encrypt recommendations, renewal should be attempted twice a day.)
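A cron job that fails quietly (for example after the nginx location block is lost during a config rewrite) only shows up when the 90-day certificate expires. The script below, an added example and not part of the original post, walks the /etc/letsencrypt/live/<domain>/cert.pem layout described above and warns when any certificate has fewer than WARN_DAYS left; LIVE_DIR, WARN_DAYS and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report Let's Encrypt
# certificates that are close to expiry, so a silently failing
# "certbot renew" cron job is noticed before the certificate runs out.
# Assumes certbot's layout: $LIVE_DIR/<domain>/cert.pem (assumed names).

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-30}"   # certbot itself renews with 30 days left

# Returns 0 if the certificate in $1 expires within $2 days (or is already
# expired or unreadable), 1 if it stays valid for longer than that.
cert_expires_within() {
    cert="$1"
    days="$2"
    # "openssl x509 -checkend N" exits 0 when the certificate is still
    # valid N seconds from now; invert that so the function name reads well.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the notAfter date of the certificate in $1 (for the report).
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Checks every live certificate; the return value is the number at risk.
check_all() {
    at_risk=0
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if cert_expires_within "$cert" "$WARN_DAYS"; then
            echo "WARNING: $name expires $(cert_not_after "$cert") (< $WARN_DAYS days left) - is renew failing?" >&2
            at_risk=$((at_risk + 1))
        else
            echo "OK: $name valid until $(cert_not_after "$cert")"
        fi
    done
    return "$at_risk"
}

# Run with --run from cron: a non-zero exit makes cron mail the output.
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Put it in cron next to the renew job (e.g. once a day with --run); the renew hook in cli.ini already reloads nginx, so this script only observes and never touches the certificates.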
That's all for now.
