Last active
February 14, 2025 13:25
Revisions
renchap revised this gist
Nov 10, 2015. 1 changed file with 2 additions and 0 deletions.
@@ -1,3 +1,5 @@ Prerequisites : the letsencrypt CLI tool This method allows your to generate and renew your Lets Encrypt certificates with 1 command. This is easily automatable to renew each 60 days, as advised. You need nginx to answer on port 80 on all the domains you want a certificate for. Then you need to serve the challenge used by letsencrypt on `/.well-known/acme-challenge`.
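Review bot: the new `Prerequisites : the letsencrypt CLI tool` line names the tool but not which interface it targets; the commands in the later revisions pass `--agree-dev-preview` to the `acme-v01` directory, i.e. the 2015 dev-preview client against ACME v1, so say so here (something like `Prerequisites: the letsencrypt CLI tool (dev-preview client, ACME v1 endpoint)`) so a reader with a current client understands why those flags and that URL will not match. While touching the line: `Prerequisites :` should be `Prerequisites:` with no space before the colon, and the retained sentence `allows your to generate` should read `allows you to generate`.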
renchap revised this gist
Nov 10, 2015. 1 changed file with 8 additions and 3 deletions.
@@ -20,7 +20,9 @@ server { } ``` This approatch allows me do no longer needing to do any nginx config change if I add a new domain and use `server_name *;`, I create a new certificate with the needed hostname, and add the new vhost for this domain listening on 443 only using the newly generated certificate. Then, to generate your initial certificate for those domains : ``` $ export DOMAINS="-d example.net -d example.org" @@ -31,11 +33,14 @@ $ service nginx reload The command will output the path to the signed certificate, and you can add it to your nginx configuration as usual. The private key is located in the same directory than the generated `fullchain.pem` A Lets Encrypt cert is valid for 90 days, it is recommended to renew every 60 days. Automation is needed here to avoid any expired certificate ! To renew your certificate (in a cron job for example), call the same command with a `--renew` arg : ``` $ export DOMAINS="-d example.net -d example.org" $ export DIR=/tmp/letsencrypt-auto $ mkdir -p $DIR && letsencrypt --renew certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --agree-dev-preview $DOMAINS $ service nginx reload ``` You can also get a duplicate certificate by using the same command again, with a `--duplicate` arg.
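Review bot: in the `@@ -20,7 +20,9 @@` hunk the sentence `This approatch allows me do no longer needing to do any nginx config change if I add a new domain and use server_name *;` has a typo and a garbled verb phrase; suggest `This approach means I no longer need to touch the nginx config when I add a new domain: with a catch-all server_name on port 80, I create a certificate for the new hostname and add a vhost for it that listens on 443 only`. The catch-all itself deserves a caveat in the text: nginx's documented catch-all form is `server_name _;` on a `listen 80 default_server;` block, and once the port-80 vhost answers for every Host the existing `return 301` must redirect with `$host`, because `$server_name` expands to the name configured in the block rather than the name the client asked for.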
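Review bot: in the `@@ -31,11 +33,14 @@` hunk the renewal block intended for cron runs `$ service nginx reload` unconditionally after the `letsencrypt --renew certonly ...` line, so a failed renewal still reloads nginx and the failure is only visible in cron output that is usually discarded; chain it as `... --agree-dev-preview $DOMAINS && service nginx reload` and log the client's exit status so an expiry is noticed well before the 90-day limit the text warns about. The same hunk keeps `DIR=/tmp/letsencrypt-auto` as the webroot for an unattended job; `/tmp` is world-writable and commonly cleared on reboot, so a dedicated directory owned by the web server user is the safer place for the challenge files. Minor: `in the same directory than the generated fullchain.pem` should read `in the same directory as`.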
renchap revised this gist
Nov 10, 2015. 1 changed file with 12 additions and 1 deletion.
@@ -20,11 +20,22 @@ server { } ``` Then, to generate your first certificate for those domains : ``` $ export DOMAINS="-d example.net -d example.org" $ export DIR=/tmp/letsencrypt-auto $ mkdir -p $DIR && letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --agree-dev-preview $DOMAINS $ service nginx reload ``` The command will output the path to the signed certificate, and you can add it to your nginx configuration as usual. The private key is located in the same directory than the generated `fullchain.pem` To renew your certificate (a cert is valid for 90 days, it is recommended to renew every 60 days), call the same command with a `--renew` arg : ``` $ export DOMAINS="-d example.net -d example.org" $ export DIR=/tmp/letsencrypt-auto $ mkdir -p $DIR && letsencrypt --renew certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --agree-dev-preview $DOMAINS $ service nginx reload ```
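Review bot: the `@@ -20,11 +20,22 @@` hunk documents issuance and renewal but leaves the HTTPS side undocumented: `The command will output the path to the signed certificate, and you can add it to your nginx configuration as usual` never says where `fullchain.pem` and the private key beside it go, which is the `ssl_certificate` and `ssl_certificate_key` directives of the 443 server block, nor that the key file should not be readable by other local users. Add that server block, or at least name the two directives. Also, the two command blocks are identical apart from `--renew` and repeat the same `export` lines; a single script taking a renew parameter would keep them from drifting, which matters for a command that has to be re-run every 60 days.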
renchap created this gist
Nov 10, 2015.
@@ -0,0 +1,30 @@ This method allows your to generate and renew your Lets Encrypt certificates with 1 command. This is easily automatable to renew each 60 days, as advised. You need nginx to answer on port 80 on all the domains you want a certificate for. Then you need to serve the challenge used by letsencrypt on `/.well-known/acme-challenge`. Then we invoke the letsencrypt command, telling the tool to write the challenge files in the directory we used as a root in the nginx configuration. I redirect all HTTP requests on HTTPS, so my nginx config looks like : ``` server { listen 80; listen [::]:80; server_name example.net example.org; location '/.well-known/acme-challenge' { default_type "text/plain"; root /tmp/letsencrypt-auto; } location / { return 301 https://$server_name$request_uri; } } ``` Then, to either generate or renew the certificate for those domains : ``` $ export DOMAINS="-d example.net -d example.org" $ export DIR=/tmp/letsencrypt-auto $ mkdir -p $DIR && letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --agree-dev-preview $DOMAINS $ service nginx reload ```
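Review bot: in the initial `@@ -0,0 +1,30 @@` config, `return 301 https://$server_name$request_uri;` redirects with `$server_name`, which nginx sets to the first name in the `server_name example.net example.org;` directive, so a plain-HTTP request for `example.org` lands on `https://example.net/...`; use `$host` there to preserve the name the client requested. The challenge location is consistent with the command below it: `root /tmp/letsencrypt-auto;` under `location '/.well-known/acme-challenge'` makes nginx look up `/tmp/letsencrypt-auto/.well-known/acme-challenge/<token>`, which is where `--webroot-path=$DIR` with `DIR=/tmp/letsencrypt-auto` writes the files; a sentence stating that the two paths must agree would help readers who change one of them.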