Blog - Debian Nginx Letsencrypt.sh Configuration Recipe
Monday, July 25, 2016, 2:18 PM pjfl
This recipe is for Debian 7 (Wheezy). All of this needs to be performed as root. Install nginx with
apt-get install nginx
Letsencrypt.sh is on GitHub, although I use this older, slightly tweaked version.
Having installed letsencrypt.sh in /usr/local/bin, I have
ls -l /usr/local/bin/letsencrypt.sh
-rwxr-xr-x 1 root staff 23K Jul 12 16:28 /usr/local/bin/letsencrypt.sh
I'm also using Notitia as the example application; you will need to substitute values accordingly.
User accounts
The acme user has a primary group of users and is additionally in the notitia group. The nginx user (www-data) is additionally in the notitia group. This lets the nginx service read and serve the acme challenge files, and also lets the acme user create those challenge files.
Configuring letsencrypt.sh
Create the well known acme challenge directory
cd ~notitia/local
mkdir -p var/root/.well-known/acme-challenge
chown -R notitia:notitia var/root/.well-known
chmod g+sw var/root/.well-known/acme-challenge
Create the letsencrypt configuration directory
mkdir /etc/letsencrypt
In /etc/letsencrypt create a symbolic link to the well known acme challenge directory
cd /etc/letsencrypt
ln -s /home/notitia/local/var/root/.well-known/acme-challenge
chown -H acme:users acme-challenge
In /etc/letsencrypt/domains.txt (should match the nginx server_name directive)
example.com www.example.com
In /etc/letsencrypt/config.sh (differences from the defaults)
WELLKNOWN="${BASEDIR}/acme-challenge"
CONTACT_EMAIL=postmaster@example.com
Both of these files are owned by acme and readable by the users group:
ls -l config.sh domains.txt
-rw-r----- 1 acme users 2.3K Dec 20 2015 config.sh
-rw-r----- 1 acme users 32 Dec 19 2015 domains.txt
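The following is an added example, not part of the original post, covering both the "User accounts" section and the directory and symlink steps above. It rehearses the recipe's layout in a scratch directory without chowning anything (so it runs unprivileged), checks that the acme-challenge directory carries the group-write and setgid bits that `chmod g+sw` sets, and then writes a token through the `WELLKNOWN` symlink the way letsencrypt.sh does to confirm it lands in the directory nginx serves from. The `/etc/group` sample is constructed to match the post's description, and `example.com` and the token are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: rehearse the layout from the
# "User accounts" and "Configuring letsencrypt.sh" sections in a scratch
# directory and check that the path letsencrypt.sh writes to (WELLKNOWN) is the
# same directory nginx's root directive serves. Nothing is chowned, so this runs
# unprivileged; the group check reads a constructed copy of /etc/group.
set -eu

# Constructed /etc/group lines mirroring the post: acme's primary group is
# users, and both acme and www-data are supplementary members of notitia.
GROUP_SAMPLE='users:x:100:acme
notitia:x:1001:acme,www-data
www-data:x:33:'

# in_group USER GROUP GROUPFILE: succeed when USER is listed as a member of GROUP.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# build_layout BASE: recreate the recipe's directories under BASE, i.e.
# BASE/home/notitia/local/var/root/.well-known/acme-challenge and the symlink
# BASE/etc/letsencrypt/acme-challenge pointing at it.
build_layout() {
    webroot="$1/home/notitia/local/var/root"
    mkdir -p "$webroot/.well-known/acme-challenge"
    chmod g+sw "$webroot/.well-known/acme-challenge"   # as in the post
    mkdir -p "$1/etc/letsencrypt"
    ln -s "$webroot/.well-known/acme-challenge" "$1/etc/letsencrypt/acme-challenge"
}

# dir_is_setgid_group_writable DIR: true when the group bits show 'ws'
# (group write plus setgid), whatever the umask did to the other bits.
dir_is_setgid_group_writable() {
    case $(ls -ld "$1" | cut -c1-10) in
        d????ws*) return 0 ;;
        *)        return 1 ;;
    esac
}

# challenge_url BASE TOKEN: write a token through the WELLKNOWN symlink the way
# letsencrypt.sh does, confirm it is visible under the nginx root, and print the
# URL the CA would fetch. The key-authorisation content is a constructed stand-in.
challenge_url() {
    BASEDIR="$1/etc/letsencrypt"
    WELLKNOWN="${BASEDIR}/acme-challenge"           # same value as config.sh
    printf '%s.constructed-keyauth' "$2" > "$WELLKNOWN/$2"
    served="$1/home/notitia/local/var/root/.well-known/acme-challenge/$2"
    [ -f "$served" ] || return 1
    printf 'http://example.com/.well-known/acme-challenge/%s\n' "$2"
}

# Walk through the checks in a temporary directory.
demo() {
    scratch=$(mktemp -d)
    printf '%s\n' "$GROUP_SAMPLE" > "$scratch/group"
    in_group acme notitia "$scratch/group" && in_group www-data notitia "$scratch/group" \
        && echo "acme and www-data both belong to notitia"
    build_layout "$scratch"
    dir_is_setgid_group_writable "$scratch/home/notitia/local/var/root/.well-known/acme-challenge" \
        && echo "acme-challenge is setgid and group writable"
    challenge_url "$scratch" constructedtoken
    rm -rf "$scratch"
}

demo
```

The setgid bit is what makes the recipe hold up over time: files the acme user drops into the directory inherit the directory's group rather than acme's primary group, so www-data keeps being able to read them. On a real system you would run `in_group` against `/etc/group` itself (or simply `id acme` and `id www-data`) and point `build_layout`'s checks at the real paths.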
Configuring nginx
In /etc/nginx/sites-available/example (substitute your domain for example)
server {
    listen 80;
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/certs/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/certs/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    root /home/notitia/local/var/root;

    location = / {
        rewrite ^/$ https://example.com/notitia/index;
    }

    location /notitia {
        root /home/notitia/local/var/root;
        try_files $uri $uri/ @notitia_proxy;
    }

    location @notitia_proxy {
        fastcgi_pass unix:/home/notitia/local/var/tmp/fastcgi.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_NAME "";
        fastcgi_param PATH_INFO $uri;
    }
}
In the example above, the root directive lets nginx serve the challenge files and other static assets. The location directives are for the benefit of the Notitia application.
Make the site available with
cd /etc/nginx/sites-enabled
ln -s ../sites-available/example
If you are using this recipe, make the default site unavailable by deleting its symbolic link in /etc/nginx/sites-enabled.
Updating the certificate files
Restart the nginx service with
service nginx restart
Run letsencrypt.sh as the acme user with
su - acme
/usr/local/bin/letsencrypt.sh -c
In the crontab file for the acme user
MAILTO=me@example.com
5 12 * * * /usr/local/bin/letsencrypt.sh -c
After it has updated the cert, you will need to restart nginx.
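Since the acme user's cron job cannot restart nginx itself, the gap left by that last step is usually closed with a second, root-owned job. The script below is an added example, not part of the original post or of letsencrypt.sh: it records the SHA-256 of the fullchain.pem the post's nginx config points at and reloads nginx only when that hash changes, so a daily run is harmless on the days letsencrypt.sh decides no renewal is due. The state-file path, the install location and the use of `reload` rather than `restart` are assumptions; the certificate path is the one from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: a root-side companion to the
# acme user's cron job. letsencrypt.sh runs unprivileged and cannot restart
# nginx, so root runs this script from its own crontab shortly after the acme
# job and reloads nginx only when the certificate file has actually changed.
# The state-file path and the script's install location are assumptions.
set -eu

CERT=${CERT:-/etc/letsencrypt/certs/example.com/fullchain.pem}   # path from the post
STATE=${STATE:-/var/lib/nginx-cert-reload.sha256}                 # assumed location
RELOAD_CMD=${RELOAD_CMD:-"service nginx reload"}                  # or "service nginx restart"

# cert_fingerprint FILE: sha256 of the PEM file, the value compared between runs.
cert_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# cert_changed CERT STATE: exit 0 when CERT's hash differs from the one recorded
# in STATE (or nothing is recorded yet) and record the new hash; exit 1 when it
# is unchanged; exit 2 when CERT cannot be read.
cert_changed() {
    [ -r "$1" ] || { echo "certificate $1 not readable" >&2; return 2; }
    new=$(cert_fingerprint "$1")
    old=""
    [ -r "$2" ] && old=$(cat "$2")
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$2"
    return 0
}

# reload_if_changed CERT STATE RELOAD_CMD: the cron entry point. Returns 0 in
# the two normal cases and passes through any error from cert_changed.
reload_if_changed() {
    cert_changed "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "certificate changed, reloading nginx"; sh -c "$3" ;;
        1) echo "certificate unchanged, nothing to do" ;;
        *) return "$rc" ;;
    esac
}

# Run only once a certificate exists, so cron runs before the first issue are
# silent no-ops.
if [ -e "$CERT" ]; then
    reload_if_changed "$CERT" "$STATE" "$RELOAD_CMD"
fi
```

Installed as, say, /usr/local/sbin/reload-nginx-on-cert-change (an assumed name) and added to root's crontab a few minutes after the acme job above, e.g. `20 12 * * * /usr/local/sbin/reload-nginx-on-cert-change`, it mails root whenever a reload happens or the certificate becomes unreadable, which is also a cheap way to notice a renewal that silently stopped working. `service nginx reload` re-reads the certificate without dropping connections; use `restart` if you prefer to match the post exactly.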