## Let's Encrypt on Ubuntu 14.04, nginx with webroot auth

This document details how I set up LE on my server.

Firstly, install the client as described on http://letsencrypt.readthedocs.org/en/latest/using.html and make sure you can execute it. I put it in ``/root/letsencrypt``.

As it is [not possible to change the ports](https://github.com/letsencrypt/letsencrypt/issues/1357#issuecomment-153940531) used for the ``standalone`` authenticator and I already have a nginx running on port 80/443, I opted to use the ``webroot`` method for each of my domains. Note that LE does not issue wildcard certificates by design, so you probably want to get a cert for ``www.example.com`` and ``example.com``.

### Configuration

For this, I placed config files into ``/etc/letsencrypt/configs``, one per domain and named after it with a ``.conf`` suffix (e.g. ``mydomain.conf``). The files are simple:

```ini
# the domain we want to get the cert for;
# technically it's possible to have multiple of these lines, but it only worked with one domain for me
# (another one only got one cert), so I would recommend separate config files per domain.
domains = www.xrstf.de

# increase key size
rsa-key-size = 4096

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive expiry reminders
email = someaddresslike-webmaster@xrstf.de

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
# LE fetch it over plain HTTP on port 80
authenticator = webroot
webroot-path = /absolute/path/to/your/webroot/
```

To generate your first cert, open a shell and execute the ``letsencrypt-auto`` script:

    # cd /root/letsencrypt
    # ./letsencrypt-auto --config /etc/letsencrypt/configs/mydomain.conf certonly
    Updating letsencrypt and virtual environment dependencies.......
    Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/www.xrstf.de/fullchain.pem. Your cert will expire
       on 2016-02-05. To obtain a new version of the certificate in the future,
       simply run Let's Encrypt again.

Note the ``certonly`` command: we only want to issue certificates and don't want the client to fiddle with our nginx config.

### nginx Integration

Simply update your nginx sites to use the new certificate and private key:

```nginx
server {
    ...
    ssl_certificate     /etc/letsencrypt/live/www.xrstf.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xrstf.de/privkey.pem;
    ...
}
```

That's it already. The files under ``/etc/letsencrypt/live/`` are symlinks to the newest versions in ``/etc/letsencrypt/archive/``, so these paths stay valid across renewals. Both directories are readable by root only, which is fine because the nginx master process loads the private key as root before the workers drop privileges. For the ``webroot`` authenticator to keep working, nginx must also serve ``/.well-known/acme-challenge/`` from ``webroot-path`` over plain HTTP on port 80, without authentication and without handing that path to your application.

### Renewal

I put a script in ``/etc/cron.monthly``:

```bash
#!/bin/sh

# create new certs
cd /root/letsencrypt || exit 1
for conf in /etc/letsencrypt/configs/*.conf; do
    ./letsencrypt-auto --renew --config "$conf" certonly
done

# make sure nginx picks them up
service nginx restart
```

And now I get new certs on the first of every month. Done. Since the certs are valid for 90 days, a monthly run leaves two further attempts before expiry if one of them fails, so keep an eye on the cron mail. ``service nginx reload`` is also enough to load the new certificate and, unlike a restart, does not drop open connections.

### Adding new domains

Simply put new config files into ``/etc/letsencrypt/configs`` and run the command mentioned above once to get the initial cert.
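The two things that went wrong for me most often were nginx not serving the challenge path and a renewal run that nobody noticed had failed. The following script is an added example and not part of the original setup or the Let's Encrypt client: it reads the per-domain config files from the Configuration section, drops a token into ``.well-known/acme-challenge/`` and fetches it back over HTTP the way the CA does, and tests how close a cert in ``/etc/letsencrypt/live/`` is to expiry so the cron job can renew only what needs it. The function names, the ``--check`` flag and the 30-day threshold are my own choices; the config keys and paths are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original page or the Let's Encrypt client).
# Assumes the ini-style per-domain config files described above
# ("domains = ..." and "webroot-path = ..." lines) and the
# /etc/letsencrypt/live/<domain>/fullchain.pem layout the client prints.

# conf_get FILE KEY: print the value of the first "KEY = value" line in FILE,
# with surrounding whitespace stripped. Prints nothing if KEY is absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# challenge_dir WEBROOT: the directory the webroot authenticator writes to.
# Tolerates a trailing slash on webroot-path.
challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "${1%/}"
}

# challenge_url DOMAIN TOKEN: the URL the CA fetches for the http-01 challenge.
# This is plain HTTP on port 80; nginx must serve it without auth or app routing.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# webroot_selfcheck CONF: write a token into the challenge directory, fetch it
# back the way the CA will, and clean up. Returns 0 when the round trip works.
webroot_selfcheck() {
    domain=$(conf_get "$1" domains)
    dir=$(challenge_dir "$(conf_get "$1" webroot-path)")
    token="selfcheck-$$-$(date +%s)"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$token" > "$dir/$token" || return 1
    got=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")") || got=""
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# cert_expires_within CERT DAYS: returns 0 if the first certificate in CERT
# expires within DAYS days (i.e. it should be renewed), 1 otherwise.
# openssl's -checkend exits 0 only when the cert is still valid after the period.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Run as root with "--check" (e.g. from the cron script) to report, per domain,
# whether renewal is due and whether the challenge path is reachable.
if [ "$1" = "--check" ]; then
    for conf in /etc/letsencrypt/configs/*.conf; do
        domain=$(conf_get "$conf" domains)
        live="/etc/letsencrypt/live/$domain/fullchain.pem"
        if [ -f "$live" ] && ! cert_expires_within "$live" 30; then
            echo "$domain: more than 30 days left, skipping"
            continue
        fi
        if webroot_selfcheck "$conf"; then
            echo "$domain: challenge path reachable, ready to renew"
        else
            echo "$domain: challenge path NOT reachable, fix nginx first" >&2
        fi
    done
fi
```

Running the self-check before the first ``certonly`` for a new domain catches the usual nginx mistakes (HTTPS-only redirects, the path being routed to the application) before they cost a failed validation, and gating ``--renew`` on ``cert_expires_within`` keeps a monthly job from re-issuing certs that are still fresh.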