Fork me on GitHub

This recipe is for Debian 7 (Wheezy). All of this needs to be performed as root. Install nginx with

apt-get install nginx is on Github although I use this older slightly tweaked version

Installing to /usr/local/bin I have

ls -l /usr/local/bin/ 
-rwxr-xr-x 1 root staff 23K Jul 12 16:28 /usr/local/bin/

I'm also using Notitia as an example application, you will need to substitute values accordingly

User accounts

The acme user has a primary group of users and is additionally in the notitia group. The nginx user (www-data) is additionally in the notitia group. This lets the nginx service read and serve the acme challenge files and also lets the acme user create those challenge files


Create the well known acme challenge directory

cd ~notitia/local
mkdir -p var/root/.well-known/acme-challenge
chown -R notitia:notitia var/root/.well-known
chmod g+sw var/root/.well-known/acme-challenge

Create the letsencrypt configuration directory

mkdir /etc/letsencrypt

In /etc/letsencrypt create a symbolic link to the well known acme challenge directory

cd /etc/letsencrypt
ln -s /home/notitia/local/var/root/.well-known/acme-challenge
chown -H acme:users acme-challenge

In /etc/letsencrypt/domains.txt (should match the nginx server_name directive)

In /etc/letsencrypt/ (differences from the defaults)


Both of these files are

ls -l domains.txt 
-rw-r----- 1 acme users 2.3K Dec 20  2015
-rw-r----- 1 acme users   32 Dec 19  2015 domains.txt

Configuring nginx

In /etc/nginx/sites-available/example (substitute your domain for example)

server {
   listen              80;
   listen              443 ssl;
   ssl_certificate     /etc/letsencrypt/certs/;
   ssl_certificate_key /etc/letsencrypt/certs/;
   ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers         HIGH:!aNULL:!MD5;

   root /home/notitia/local/var/root;

   location = / {
      rewrite ^/$;

   location /notitia {
      root /home/notitia/local/var/root;
      try_files $uri $uri/ @notitia_proxy;

   location @notitia_proxy {
      fastcgi_pass unix:/home/notitia/local/var/tmp/fastcgi.sock;
      include fastcgi_params;
      fastcgi_param SCRIPT_NAME "";
      fastcgi_param PATH_INFO $uri;

In the example above the root directive will allow nginx to serve the challenge files and other static assets. The location directives are for the benefit of the notitia application

Make the site available with

cd /etc/nginx/sites-enabled
ln -s ../sites-available/example

If you are using this recipe then make the default site unavailable by deleting the symbolic link in /etc/nginx/sites-enabled

Updating the certification files

Restart the nginx service with

service nginx restart

Run as the acme user with

su - acme
/usr/local/bin/ -c

In the crontab file for the acme user
5 12 * * * /usr/local/bin/ -c

After it has updated the cert you will need to restart nginx