So I decided to take a shot at setting up Let's Encrypt on my NginX proxy that runs on CentOS 7. I am not sure how I want to handle the handoff between the proxy and the servers behind it yet. Currently all the certificates are manually set up on both after they are generated. But that is for another day.
Important: If you have the SSL features of CloudFlare enabled, you must turn off the CloudFlare CDN proxy for the domain first (make the cloud Grey instead of Orange). The domain verification challenge has to reach your server directly, not CloudFlare's edge.
NginX is not fully supported for full automation at this time. That will be rectified soon and these directions will be outdated, but for now, this is what works.
I started with the core instructions from the official documentation and also a support thread, which suggested installing the Python dependencies up front:
yum install python python-devel python-pip python-setuptools python-tools python-virtualenv
The first thing I noticed is that they tell you to just run the git command. Well guess what, git is not part of CentOS 7 minimal.
The EPEL repository is also required, but I believe their core script checks for that; as I already had EPEL enabled, it did nothing else. Additionally, there are Python tools missing from the dependency chain, so install them along with git:
yum -y install git python-tools python-pip
Now on to the install. I do not want this in my home directory, so I first switched over to /etc. Note that /etc/letsencrypt is also where the client keeps its own state (live/, archive/ and accounts/), so the git checkout and the certificate store end up in the same tree.
cd /etc
Then I ran their git command to pull down the code.
git clone https://github.com/letsencrypt/letsencrypt
Change directories and run the client once; the first run of letsencrypt-auto bootstraps its Python virtualenv and dependencies.
cd letsencrypt
./letsencrypt-auto --help
With Let's Encrypt now installed, it is time to generate the certs.
Unfortunately, NginX is not currently (as of Dec 6, 2015) supported for automatic installation, though I am not sure I will ever use the fully automatic install because I rarely have a simple single-vHost setup going.
The preferred method of install for Let's Encrypt seems to be the --standalone plugin over the --webroot plugin. The webroot solution looks like the better method, since it answers the challenge through the web server that is already running and does not require stopping NginX, but I did not test it.
You have to stop NginX because the --standalone plugin will stand up its own temporary web server on the port NginX is already listening on to answer the domain verification challenge.
systemctl stop nginx
Run Let's Encrypt to get the SSL certificates.
Note: The first time you execute Let's Encrypt it will interactively ask you for an email address and also to accept the ToS. You can include that information on the command line with --email [email protected] and --agree-tos.
./letsencrypt-auto certonly --standalone --email [email protected] --agree-tos -d jaredbusch.com -d www.jaredbusch.com
If you ever run this again, even for another domain on the same server, leave the email and ToS acceptance out of the command; they are stored with the account that was registered the first time. Like this:
./letsencrypt-auto certonly --standalone -d jaredbusch.com -d www.jaredbusch.com
Assuming you did everything right, you should see this:
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --email [email protected] --agree-tos -d jaredbusch.com -d www.jaredbusch.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/jaredbusch.com/fullchain.pem. Your cert will
expire on 2016-03-06. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now start NginX back up because you do not need to keep your website down while you update the vHost files.
systemctl start nginx
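The stop, issue, start sequence above, as an added shell script that is not part of the original post. It wraps the same letsencrypt-auto certonly --standalone invocation so that NginX is started again even when issuance fails (otherwise a typo in a domain name leaves the site down until you notice), and it only passes --email and --agree-tos on the first run, as described above. The client path, the email address and the accounts directory used to detect a first run are assumptions; NGINX_STOP and NGINX_START are overridable so the restart logic can be exercised without root.

```bash
#!/bin/bash
# Added example: issue a Let's Encrypt cert with the --standalone plugin while
# NginX is stopped, and make sure NginX comes back up whatever happens.
# Assumed paths: client checked out under /etc/letsencrypt as in the post.

LE_AUTO="${LE_AUTO:-/etc/letsencrypt/letsencrypt-auto}"
LE_EMAIL="${LE_EMAIL:-admin@example.com}"               # assumption: your contact address
ACCOUNT_DIR="${ACCOUNT_DIR:-/etc/letsencrypt/accounts}" # assumption: where the client stores the registered account
# Service control is overridable so the restart logic can be tested unprivileged.
NGINX_STOP="${NGINX_STOP:-systemctl stop nginx}"
NGINX_START="${NGINX_START:-systemctl start nginx}"

# Build the certonly argument list. --email/--agree-tos only on the first run,
# i.e. while no account has been registered on this box yet.
le_args() {
    local first_run="$1"; shift
    local args="certonly --standalone"
    if [ "$first_run" = yes ]; then
        args="$args --email $LE_EMAIL --agree-tos"
    fi
    local d
    for d in "$@"; do
        args="$args -d $d"
    done
    printf '%s' "$args"
}

# "yes" if the client has never registered an account here, "no" otherwise.
first_run() {
    if [ -d "$ACCOUNT_DIR" ]; then echo no; else echo yes; fi
}

# Run a command with NginX stopped. NginX is started again even if the
# command fails, and the command's exit status is preserved.
with_nginx_stopped() {
    $NGINX_STOP || return 1
    "$@"
    local rc=$?
    $NGINX_START
    return $rc
}

# Issue (or re-issue) a certificate for the given domains; the first domain
# names the /etc/letsencrypt/live/<domain>/ directory.
issue_cert() {
    [ $# -gt 0 ] || { echo "usage: issue_cert domain [domain...]" >&2; return 2; }
    # word splitting of the argument string from le_args is intended
    with_nginx_stopped "$LE_AUTO" $(le_args "$(first_run)" "$@")
}

# Only act when domains are given on the command line, so the file can also be
# sourced for its functions.
if [ $# -gt 0 ]; then
    issue_cert "$@" && ls -l "/etc/letsencrypt/live/$1"
fi
```

Run it as `./le-issue.sh jaredbusch.com www.jaredbusch.com`; rerunning it two months later with the same domains is the renewal, after which NginX still needs a reload to pick up the new files.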
You can see in the success message that it told you where to find the certificate chain. It always saves everything in a directory named after the first domain passed to the command. Check out what it does:
ls -l /etc/letsencrypt/live/jaredbusch.com
total 0
lrwxrwxrwx. 1 root root 34 Dec 7 00:29 cert.pem -> ../../archive/jaredbusch.com/cert1.pem
lrwxrwxrwx. 1 root root 35 Dec 7 00:29 chain.pem -> ../../archive/jaredbusch.com/chain1.pem
lrwxrwxrwx. 1 root root 39 Dec 7 00:29 fullchain.pem -> ../../archive/jaredbusch.com/fullchain1.pem
lrwxrwxrwx. 1 root root 37 Dec 7 00:29 privkey.pem -> ../../archive/jaredbusch.com/privkey1.pem
It symlinks everything, so when you rerun this in two months to renew the certificates (they are valid for 90 days), you never have to edit your config files again. The renewal creates a new numbered set of files in archive/ and repoints the live/ symlinks, leaving the old ones in place. NginX only reads the certificate when it starts or reloads, though, so reload it after every renewal or it will keep serving the old certificate until that one expires.
Now you edit your NginX server (vHost) conf files. Mine exist in /etc/nginx/conf.d/
nano /etc/nginx/conf.d/jaredbusch.com.conf
My existing config just used a self-signed cert and these two lines:
ssl_certificate /etc/ssl/cacert.pem;
ssl_certificate_key /etc/ssl/privkey.pem;
Those need to be updated to point to the new Let's Encrypt certificates. Additionally, with real certificates, I followed the other guide's suggestion and enabled a couple of other SSL options: OCSP stapling and an HSTS header. Two caveats: ssl_stapling_verify needs the issuer chain to check OCSP responses against, which NginX takes from the ssl_trusted_certificate directive (chain.pem in the same live/ directory works), and includeSubdomains commits every subdomain to HTTPS for the full max-age, so make sure everything under the domain serves TLS before you send it.
ssl_certificate /etc/letsencrypt/live/jaredbusch.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jaredbusch.com/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
Save and close nano, then test the NginX config:
nginx -t
If it is successful, restart NginX.
systemctl restart nginx
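The edit, nginx -t, restart sequence above, as an added shell script that is not part of the original post. render_vhost prints a complete TLS server block for a domain, including the two stapling prerequisites the three-line snippet above leaves out (ssl_trusted_certificate pointing at chain.pem and a resolver so NginX can look up the OCSP responder), and apply_vhost writes it to conf.d, keeps a backup, and reloads NginX only if nginx -t passes, restoring the old file otherwise. The resolver addresses, the proxy_pass backend and the conf.d path are assumptions; NGINX_TEST and NGINX_RELOAD are overridable so the rollback logic can be exercised on a box without NginX.

```bash
#!/bin/bash
# Added example: generate the TLS part of an NginX vHost for a Let's Encrypt
# certificate and apply it only if the whole NginX config still parses.
# Assumed: certificates live under /etc/letsencrypt/live/<domain>/ as in the post.

NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"

# Print a server block for DOMAIN. Compared with the two-line self-signed config,
# this also sets ssl_trusted_certificate (needed for ssl_stapling_verify to check
# OCSP responses against the issuer) and a resolver (needed for NginX to resolve
# the OCSP responder hostname). Resolver and proxy_pass target are assumptions.
render_vhost() {
    local domain="$1"
    local live="/etc/letsencrypt/live/$domain"
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain www.$domain;

    ssl_certificate $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;
    ssl_trusted_certificate $live/chain.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;   # assumption: any resolver NginX can reach

    # One year of HSTS. includeSubdomains commits every subdomain to HTTPS for
    # that year, so leave it out until everything under $domain serves TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumption: the backend behind the proxy
    }
}
EOF
}

# Write the block to CONF, test the full config, and reload on success.
# On a failed test the previous file is put back so the site keeps running.
apply_vhost() {
    local domain="$1" conf="$2"
    if [ -f "$conf" ]; then cp -p "$conf" "$conf.bak"; fi
    render_vhost "$domain" > "$conf" || return 1
    if $NGINX_TEST; then
        $NGINX_RELOAD
    else
        echo "nginx -t failed, restoring previous $conf" >&2
        if [ -f "$conf.bak" ]; then mv "$conf.bak" "$conf"; else rm -f "$conf"; fi
        return 1
    fi
}

# Only act when a domain is given, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    apply_vhost "$1" "${2:-/etc/nginx/conf.d/$1.conf}"
fi
```

Run it as `./le-vhost.sh jaredbusch.com`; reload rather than restart is enough here, and the same reload is all a later renewal needs since the live/ symlinks keep the paths in the config valid.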
Load your page and check your certificate:
https://i.imgur.com/wDzpfQF.jpg
https://i.imgur.com/m7SS42N.jpg
https://i.imgur.com/UBrkHyr.jpg