What’s not to love. Let’s Encrypt is fast, convenient and free! And it auto-renews on its own. Even without auto mode for Nginx, it’s still a breeze.
Let’s not be hurried, this’ll be done in no time!
Some stuff needed
yum install git python-tools python-pip -y
Let’s clone somewhere
cd ~/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Let’s almost take a wrong turn
I first tried just ./letsencrypt-auto
but that detected some Apache config remains.
Let’s Encrypt!
Ok, the manual way, this helped:
./letsencrypt-auto --help
Eventually I ran the command the standalone way. It starts its own web server for the domain validation, so you need to stop Nginx for a few minutes and start it again afterwards.
service nginx stop
You can leave out --email, --agree-tos and -d; then you get a wizard-style interface, but that was annoying when entering the same values several times in an interface that wouldn't let me paste them!
./letsencrypt-auto certonly --standalone --email h@nnes.be --agree-tos -d oc.connexeon.com -d anotherdomain.com -d cantgetenoughdomains.net
That’s it for generating the certificate!
Let’s start Nginx again, before someone notices
service nginx start
That’s it? It is!
ls /etc/letsencrypt/live/oc.connexeon.com/
cert.pem chain.pem fullchain.pem privkey.pem
Now just point the Nginx server config at the new files
nano /etc/nginx/conf.d/default.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2 default_server ipv6only=on;
    server_name oc.connexeon.com;
    ssl on; # redundant with "ssl" on the listen lines above; newer nginx versions warn about it
    # fullchain.pem = your certificate plus the Let's Encrypt intermediate, so clients can build the chain
    ssl_certificate /etc/letsencrypt/live/oc.connexeon.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/oc.connexeon.com/privkey.pem;
    # only takes effect together with ssl_stapling on and ssl_stapling_verify on
    ssl_trusted_certificate /etc/letsencrypt/live/oc.connexeon.com/fullchain.pem;
...
Let’s Renew
The renewal setup below comes from https://letsencrypt.org/getting-started/.
Although the certificate only needs renewing every few months, it's recommended to run the job daily. Running it more often is fine: it won't renew unless the certificate is close to expiry, and a daily run gives you more chances to renew in time if the script fails at some point for some reason.
# Quote the delimiter: otherwise the shell expands $? and $LE_STATUS while writing the file and the status check is lost
cat > /etc/cron.daily/letsrenew << 'EOL'
#!/bin/sh
service nginx stop # or whatever your webserver is
/root/letsencrypt/letsencrypt-auto renew -nvv --standalone > /var/log/letsencrypt/renew.log 2>&1
LE_STATUS=$? # exit status of the renew run, saved before the restart overwrites $?
service nginx start # or whatever your webserver is
if [ "$LE_STATUS" != 0 ]; then
    echo Automated renewal failed:
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
EOL
chmod +x /etc/cron.daily/letsrenew
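The exit-status check in a cron job like this one only survives if the heredoc delimiter is quoted or every $ is escaped. With an unquoted delimiter the shell expands $? and $LE_STATUS while writing the file, the installed job reads LE_STATUS=0 and [ "" != 0 ], and it prints "Automated renewal failed:" on every run, even when the log underneath says there were no renewal failures. The following script is an added example, not code from the original post: it writes the job in both forms, verifies which one kept the check, and lets you drive the result with stub commands. The letsencrypt-auto and log paths are the post's values but are treated as assumptions that can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not code from the original post). Installs the daily
# renewal job so that the exit-status check survives, and writes the
# broken variant next to it for comparison.
#
# Pitfall: with an unquoted delimiter (cat > f << EOL) the shell expands
# $? and $LE_STATUS while *writing* the file. The installed job then reads
# LE_STATUS=0 and [ "" != 0 ], which is always true, so it reports
# "Automated renewal failed:" on every run even when nothing failed.

# Assumed paths (the post's values); override from the environment.
LE_AUTO="${LE_AUTO:-/root/letsencrypt/letsencrypt-auto}"
RENEW_LOG="${RENEW_LOG:-/var/log/letsencrypt/renew.log}"

# write_renew_script DEST
# Correct form: the delimiter stays unquoted so LE_AUTO and RENEW_LOG are
# filled in now, and every $ that must reach the job is backslash-escaped.
write_renew_script() {
    cat > "$1" << EOL
#!/bin/sh
service nginx stop # or whatever your webserver is
$LE_AUTO renew -nvv --standalone > $RENEW_LOG 2>&1
LE_STATUS=\$?
service nginx start # or whatever your webserver is
if [ "\$LE_STATUS" != 0 ]; then
    echo Automated renewal failed:
    cat $RENEW_LOG
    exit 1
fi
EOL
    chmod +x "$1"
}

# write_renew_script_broken DEST
# Same job with nothing escaped: $? and $LE_STATUS are expanded right here,
# so the file ends up with a fixed number and an empty string.
write_renew_script_broken() {
    cat > "$1" << EOL
#!/bin/sh
service nginx stop
$LE_AUTO renew -nvv --standalone > $RENEW_LOG 2>&1
LE_STATUS=$?
service nginx start
if [ "$LE_STATUS" != 0 ]; then
    echo Automated renewal failed:
    cat $RENEW_LOG
    exit 1
fi
EOL
    chmod +x "$1"
}

# check_renew_script DEST
# Returns 0 only if the file still contains the literal status capture and
# comparison, i.e. the text LE_STATUS=$? and "$LE_STATUS" != 0.
check_renew_script() {
    grep -q 'LE_STATUS=\$?' "$1" && grep -q '"\$LE_STATUS" != 0' "$1"
}
```

Run check_renew_script on whatever ends up in /etc/cron.daily before trusting the job's mail: a file that fails it will cry wolf daily and, worse, exit non-zero after a renewal that actually succeeded.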
Just run it manually to test:
/etc/cron.daily/letsrenew
Redirecting to /bin/systemctl stop nginx.service
Redirecting to /bin/systemctl start nginx.service
Automated renewal failed:
Checking for new version...
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt renew -nvv --standalone
....
2016-03-18 14:00:35,417:INFO:letsencrypt.cli:Cert not yet due for renewal
2016-03-18 14:00:35,417:DEBUG:letsencrypt.cli:no renewal failures
Processing /etc/letsencrypt/renewal/oc.connexeon.com.conf
The following certs are not due for renewal yet:
/etc/letsencrypt/live/oc.connexeon.com/fullchain.pem (skipped)
No renewals were attempted.
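Stopping Nginx on every daily run means a short outage each day, even though, as the log above shows, most runs renew nothing. An added example, not from the original post, that checks certificate expiry locally with openssl and only takes Nginx down when a certificate is inside the renewal window. The live directory and letsencrypt-auto path are the post's values, the 30-day window is an assumption, and all three can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not code from the original post): gate the post's
# stop / renew / start sequence on local certificate expiry so Nginx is
# only stopped when a renewal is actually due.
#
# Assumptions: certificates live in the post's /etc/letsencrypt/live
# layout, openssl is on PATH, and the renewal command is the post's own.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
LE_AUTO="${LE_AUTO:-/root/letsencrypt/letsencrypt-auto}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"

# expires_within CERT DAYS
# Returns 0 if CERT expires within DAYS days, 1 if it is valid for longer,
# 2 if the file is missing or not a parseable certificate.
expires_within() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid after the
    # window and 1 when it expires inside it; invert that into "due".
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# any_cert_due LIVE_DIR DAYS
# Returns 0 (and names the certificate) if at least one lineage under
# LIVE_DIR is inside the window, 1 if none is.
any_cert_due() {
    dir="$1"; days="$2"
    for cert in "$dir"/*/cert.pem; do
        [ -e "$cert" ] || continue   # glob matched nothing
        if expires_within "$cert" "$days"; then
            echo "due: $cert"
            return 0
        fi
    done
    return 1
}

# renew_if_due
# The post's sequence, run only when a certificate is within the window.
# Returns the renew command's exit status so a cron wrapper can act on it.
renew_if_due() {
    if ! any_cert_due "$LIVE_DIR" "$RENEW_WINDOW_DAYS"; then
        echo "no certificate within $RENEW_WINDOW_DAYS days of expiry; Nginx left running"
        return 0
    fi
    service nginx stop
    "$LE_AUTO" renew -nvv --standalone
    status=$?
    service nginx start
    return $status
}
```

Call renew_if_due from the cron job in place of the unconditional stop/renew/start. Keep the window at least as long as the client's own renewal threshold (30 days before expiry by default), otherwise the job would skip the stop on days when the client would have renewed.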
The post Let’s Encrypt ownCloud on Nginx CentOS 7 appeared first on ha.nnes.be.