How to use Let’s Encrypt on Nginx
What is Let’s Encrypt?
Let’s Encrypt is a service that issues SSL certificates for free. It is in public beta (as of 15/Feb/2016).
You can get an SSL certificate for free, and you can issue it with a command-line tool. The certificate expires after three months, but you can also renew it from the command line.
Issuing a certificate for the first time
For the first time, you need to run the following command on your web server as root.
```
./letsencrypt-auto certonly --webroot -w ${DOC_ROOT} -d ${SERVICE_DOMAIN}
```
Keyword | Description
---|---
DOC_ROOT | document root path
SERVICE_DOMAIN | domain name of your site
Before running this command, your site needs to be reachable from the internet, because the command temporarily creates a server identification file in DOC_ROOT and the Let’s Encrypt service fetches that file over the internet.
Nginx configuration
If there is no error, the SSL certificate is created in /etc/letsencrypt/live/${SERVICE_DOMAIN}.
Set the nginx configuration as follows.
```
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/${SERVICE_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${SERVICE_DOMAIN}/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers RC4-SHA:HIGH:!ADH;
    ssl_prefer_server_ciphers on;
    ssl on;
    ...
}
```
After that, reload nginx.
```
nginx -s reload
```
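As an added example (not the page's own configuration), here is a hardened version of the server block above: the page's block still allows SSLv3 and the RC4 cipher, both long deprecated and broken, while this one permits only TLS 1.2 and 1.3 with forward-secret AEAD suites and adds a port-80 listener that keeps the webroot challenge path reachable for renewals. ${DOC_ROOT} and ${SERVICE_DOMAIN} are the page's placeholders and must be substituted by hand, since nginx does not expand them; TLSv1.3 assumes an nginx built against OpenSSL 1.1.1 or later.

```nginx
# Added example, not the page's own configuration. Replace ${DOC_ROOT} and
# ${SERVICE_DOMAIN} with real values; nginx does not expand shell variables.

server {
    listen 80;
    server_name ${SERVICE_DOMAIN};

    # Serve the ACME challenge tokens over plain HTTP so "certonly --webroot"
    # and "renew" keep working; everything else is redirected to HTTPS.
    location /.well-known/acme-challenge/ {
        root ${DOC_ROOT};
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name ${SERVICE_DOMAIN};

    ssl_certificate     /etc/letsencrypt/live/${SERVICE_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${SERVICE_DOMAIN}/privkey.pem;

    # Modern protocol versions only: no SSLv3 (POODLE), no TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only: no RC4, no static RSA key exchange.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling; chain.pem is written next to fullchain.pem by the client.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/${SERVICE_DOMAIN}/chain.pem;

    # Tell browsers to use HTTPS only; enable once HTTPS is known to work.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Site-specific root/location directives go here.
}
```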
Renewal command
The command to renew the certificate is as follows.
```
./letsencrypt-auto certonly --keep-until-expiring \
    --webroot -w ${DOC_ROOT} -d ${SERVICE_DOMAIN}
```
After that, reload nginx so it picks up the renewed SSL certificate.
```
nginx -s reload
```
Renewal script
To renew automatically, run the following shell script every day.
```bash
#!/bin/bash
# Daily renewal script: logs the attempt, runs "letsencrypt-auto renew" and
# reloads nginx only when the renewal succeeded.
LOG=/var/log/letsencrypt/renew.log
# SCRIPT_PATH is the directory that holds letsencrypt-auto; set it before running.
LETSENCRYPT="${SCRIPT_PATH}/letsencrypt-auto"

date +'%Y.%m.%d %H:%M:%S' >> "$LOG"
# $2 is the second argument passed to this script, if any (for example the domain).
echo "renew $2" >> "$LOG"
if ! "${LETSENCRYPT}" renew >> "$LOG" 2>&1 ; then
    echo "Automated renewal failed:"
    cat "$LOG"
    exit 1
fi
# Reload nginx so it picks up the renewed certificate.
/usr/local/nginx/sbin/nginx -s reload
```