
Detailed instructions for installing the Let's Encrypt SSL certificate on a server with CMS Bitrix and Nginx

Yes, there are already many articles about Let's Encrypt certificates on Habr, but unfortunately I did not find a complete step-by-step guide. I wanted to fill that gap. In addition, since May 2016 there have been minor changes in the installation process that can confuse a newcomer. So I decided to write this guide, as a reminder for myself and to help others.

This guide should be of interest primarily to beginners.


If all your settings are at their defaults, you can use the paths I give here, that is, if your system was installed with the Bitrix environment script on the CentOS 6.X operating system. If not, you already know where everything is.

Installation


The first thing to do is install git:

# yum install git 

Next, go to the /tmp directory:

 # cd /tmp 

Using git, download the Let's Encrypt files. The script itself is now called certbot:

 # git clone https://github.com/certbot/certbot 


Go to the downloaded directory:

 # cd certbot 

Just in case, grant execute permission on the script file:

 # chmod a+x ./certbot-auto 

Getting a certificate


Next is the command that actually obtains the certificate:

 # ./certbot-auto certonly --webroot --agree-tos --email mypost@my-domain.ru -w /home/bitrix/www/ -d my-domain.ru -d www.my-domain.ru 

--webroot - the automatic installation for nginx is not yet reliable, so we use this option;
--agree-tos - accept the license agreement;
--email mypost@my-domain.ru - your e-mail address. It may be needed later to recover your account;
-w /home/bitrix/www/ - the root directory of the site;
-d my-domain.ru - our domain. Subdomains can also be specified, for example -d site.my-domain.ru.

After this, the script will start working and will offer to install the missing packages. Agree and wait.

If everything succeeds, you will see the message:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/my-domain.ru/fullchain.pem. Your
cert will expire on 2016-08-21. To obtain a new version of the
certificate in the future, simply run Certbot again.
- If you lose your account credentials, you can recover through
e-mails sent to mypost@my-domain.ru.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

The certificates are installed; all that remains is to tell nginx where they are.

Configuration


Open the ssl.conf configuration file:

 # vim /etc/nginx/bx/conf/ssl.conf 

If you already have certificates installed, delete or comment out the lines that reference them and insert the new ones:

ssl_certificate /etc/letsencrypt/live/my-domain.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my-domain.ru/privkey.pem;

Do not forget to enable ssl if this has not been done before:

ssl on;
keepalive_timeout 70;
keepalive_requests 150;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

After that, reload nginx:

 # service nginx reload 

If it reports no errors, everything is in order. You can open the site and check the result.

Update


The certificate is issued for 90 days, so after this period you will need to renew it. This is done with the command:

 # certbot-auto renew 

It can also be added to cron.
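
One way to run the renewal from cron, as an added example that is not part of the original article: a wrapper that calls certbot only when the certificate is close to expiry, confirms the certificate was actually replaced, and tests the nginx configuration before reloading. The script location /usr/local/sbin/le-renew.sh, the 30-day window and the crontab schedule are assumptions; the certbot-auto and certificate paths are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original article): renewal wrapper for cron.
# Assumptions: certbot-auto is still where the Installation step cloned it,
# and this file is saved as /usr/local/sbin/le-renew.sh (hypothetical path).
# Crontab entry for root, checking twice a day:
#   17 3,15 * * * /bin/sh /usr/local/sbin/le-renew.sh --run
CERTBOT="${CERTBOT:-/tmp/certbot/certbot-auto}"
CERT="${CERT:-/etc/letsencrypt/live/my-domain.ru/fullchain.pem}"
WINDOW_DAYS="${WINDOW_DAYS:-30}"   # renew when fewer days than this remain

# needs_renewal FILE DAYS
# Returns 0 (true) if FILE expires within DAYS days or cannot be read as a
# certificate, 1 (false) if it stays valid for longer than that.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
    then
        return 1
    fi
    return 0
}

# Renew only when due, then reload nginx only if the result is usable.
# Messages go to stderr, which cron mails to the job's owner when mail is set up.
renew_and_reload() {
    needs_renewal "$CERT" "$WINDOW_DAYS" || return 0      # nothing to do yet
    "$CERTBOT" renew --quiet || { echo "certbot renew failed" >&2; return 1; }
    # A run that exits 0 without replacing the certificate must not pass silently.
    if needs_renewal "$CERT" "$WINDOW_DAYS"; then
        echo "$CERT is still inside the renewal window" >&2
        return 1
    fi
    # Test the configuration first so a broken ssl.conf is caught before reload.
    nginx -t -q || return 1
    service nginx reload
}

# Only act when called with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    renew_and_reload
fi
```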

That's all. To compile this guide, I used the article “Yet another guide to obtaining a Let's Encrypt SSL certificate” and the official guide.

Source: https://habr.com/ru/post/301558/

