
Yet another set of instructions for obtaining a Let's Encrypt SSL certificate

The subject of Let's Encrypt certificates has already been raised on Habr (see here), and on the net you can find many recipes of varying quality.

I read them and was horrified: some write that you need to stop nginx or apache ("just for a couple of minutes"), others suggest copying files into the web server's folder (in a second ssh session), and still others explain how important it is to serve the domain verification files with the correct Content-Type ...

Let's try to do without all of this, so that it is not excruciatingly painful either at installation or at the next renewal, even if you have to renew many domains at once. That is really the whole purpose of my small note: it is not a step-by-step walkthrough and not a long theoretical article on how Let's Encrypt works, just the approach that in my opinion is correct, and stays correct for a configuration of any complexity.

The whole point fits in a few words: let the Let's Encrypt client start its own web server on port 9999, and we add a rule to the nginx config that forwards the challenge requests to this backend. Details are under the cut for those interested.

Installing the Let's Encrypt client is currently recommended from the GitHub repository:

git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt 


For some operating systems there are already ready-made packages (in which case you use the letsencrypt command instead of letsencrypt-auto, which is in fact only a wrapper around letsencrypt), but as a programmer I am fine with installing from the repository.

Next, we need to prepare our server.

In principle, all that is required of us is that mysubdomain.mydomain.tld/.well-known/acme-challenge/6il4rb2ErDWuBnUsTw_qrJc_tXGNv43p2a4kQQc0CvE serves predefined content with the right headers.

Let's hand this work over to the Let's Encrypt client itself: let it bring up its own web server on 127.0.0.1:9999, and we will just add a rule to the nginx config that sends these requests to that backend. There is no need to stop anything, let alone create files by hand.

So, we create the following file, /etc/nginx/template/letsencrypt.conf:

 # Forward only ACME HTTP-01 challenge requests to the client's standalone server
 # on 127.0.0.1:9999 (the dot is escaped so only the literal /.well-known/ path matches).
 location ~ ^/(\.well-known/acme-challenge/.*)$ {
     proxy_pass http://127.0.0.1:9999/$1;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $http_host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }


And we include it in the config files (server blocks) of the required subdomains:

  include template/letsencrypt.conf; 


Actually, that's all. Now you can run a single command, the Let's Encrypt client itself:

 letsencrypt-auto --agree-tos --renew-by-default \
     --standalone --standalone-supported-challenges http-01 --http-01-port 9999 \
     --server https://acme-v01.api.letsencrypt.org/directory \
     certonly -d mydomain.tld -d www.mydomain.tld -d i1.mydomain.tld -d i2.mydomain.tld


Here I obtain one certificate for four (sub)domains at once, telling the client to start its web server on port 9999 and agreeing to the license agreement. (In principle, you can also pass an e-mail address on the command line so that you do not have to enter it interactively: read the description of the options in the documentation.)
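To make the division of labour above concrete, here is an added example (not code from the article or from the Let's Encrypt client): a self-contained Python model in which one local server plays the client's standalone HTTP-01 responder and another plays nginx with template/letsencrypt.conf included, forwarding only ACME challenge paths. The token, the response body and the free local ports are constructed for the demo; in real use the backend is letsencrypt-auto on port 9999.

```python
import re, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
# Constructed sample challenge: token -> body the CA expects (assumed, not real data).
CHALLENGES = {"demo-token": "demo-token.constructed-account-thumbprint"}
# Same capture as the nginx location, dot escaped so only /.well-known/acme-challenge/ matches.
ACME_RE = re.compile(r"^/(\.well-known/acme-challenge/.*)$")
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def http_get(port, path):
    """(status, body bytes) of GET http://127.0.0.1:<port><path>, 4xx included."""
    try:
        with OPENER.open(f"http://127.0.0.1:{port}{path}") as r:
            return r.status, r.read()
    except HTTPError as e:
        return e.code, e.read()
class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo output clean
    def reply(self, status, body):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)

class Backend(Quiet):  # the client's own server: letsencrypt-auto --standalone --http-01-port 9999
    def do_GET(self):
        body = CHALLENGES.get(self.path.rsplit("/", 1)[-1])
        self.reply(200 if body else 404, (body or "not found").encode())

def make_front(backend_port):
    class Front(Quiet):  # nginx with template/letsencrypt.conf included
        def do_GET(self):
            m = ACME_RE.match(self.path)
            # A matching path is relayed like proxy_pass http://127.0.0.1:<port>/$1;
            # everything else stays with the site itself (a plain 404 in this model).
            self.reply(*(http_get(backend_port, "/" + m.group(1)) if m else (404, b"")))
    return Front

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free local port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def run_demo():  # probe four paths through the front-end -> {path: (status, body text)}
    backend = serve(Backend)
    front = serve(make_front(backend.server_port))
    paths = ["/.well-known/acme-challenge/demo-token", "/.well-known/acme-challenge/unknown",
             "/Xwell-known/acme-challenge/demo-token", "/index.html"]
    results = {p: (s, b.decode()) for p in paths for s, b in [http_get(front.server_port, p)]}
    backend.shutdown(); front.shutdown()
    return results
```

Running run_demo() shows the known token answered through the front-end with status 200, the backend's own 404 relayed for an unknown token, and non-challenge paths (including the look-alike /Xwell-known/ path) never reaching the backend.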

In principle, there is nothing more to describe. How to add the resulting certificate to the nginx config file is already covered elsewhere in sufficiently good and correct descriptions.

The only thing left is to add the auto-renew command to cron:

 letsencrypt-auto renew >> /dev/null 2>&1 


There are other examples of renewal scripts in the getting-started guide, and I recommend looking at them: you can arrange for an e-mail to be sent if the renewal fails, or for the web server daemon to be restarted automatically.

That's all. I would add that I really do not like being at the forefront of new technology ("there is no point upgrading Windows to a new version until the first service pack comes out"), but in principle I see that Let's Encrypt can already, little by little, be put into production use.

PS As the basis for my note I took Dmitry's article from his blog. I do not know whether he is on Habr; in any case, many thanks to him from me.

Source: https://habr.com/ru/post/279695/
