HowTo: Generate free SSL certificates for Nginx/Tengine with LetsEncrypt

OK, it's fairly easy to get this done on a distro like Funtoo/Gentoo or Fedora, which are the distros I use.

First of all, you need to install this thing on your server:

# Fedora
su -
dnf -y install letsencrypt

# Funtoo/Gentoo
su -
mkdir src && cd src
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

In both cases this installs what you need to generate your certificates. In the second case it also creates a Python virtual environment. The letsencrypt package exists for Funtoo/Gentoo but is masked for now.

OK, now we're going to use the manual method to generate our certificates. The nginx plugin is described as highly experimental at the moment and we don't want to mess around with it, so we're going to do it manually and learn a bit in the process.

Now, after you install, you're gonna have /etc/letsencrypt created. Backup that directory right now!

tar -caf $( date +%Y%m%d )-etc-letsencrypt.tar.gz /etc/letsencrypt

Now, let's generate some certs. There are no wildcards, so we're going to generate certs for as many specific domains as we want, in a single run!

letsencrypt certonly --manual --agree-tos -m renich@woralelandia.com -d woralelandia.com -d www.woralelandia.com -d downloads.woralelandia.com -d blog.woralelandia.com

This will generate all my certs. It will ask me if I agree to my server's IP being logged. I do agree, so I say yes. After that, it will ask me something like: "make sure this file is visible at http://woralelandia.com/.well-known/acme-challenge/<some-long-filename> and it contains <the-same-long-filename plus some other stuff>". So, just make sure you can open the link and see the contents. This has to be done by hand. For example:

umask 022
cd /srv/www/woralelandia.com/default/public
mkdir -p .well-known/acme-challenge
cd .well-known/acme-challenge
touch allaskdjlk2j3l4kj3245lw2kj4lkj4l2k3j4lk23j4lkj234 # the long filename mentioned before
echo 'allaskdjlk2j3l4kj3245lw2kj4lkj4l2k3j4lk23j4lkj234.2Z_2342847298slkdjflksdjflkjr95832ulsdjf' > allaskdjlk2j3l4kj3245lw2kj4lkj4l2k3j4lk23j4lkj234

Obviously, try the link and see if the contents are correct.

You will have to do this for every domain you listed. In my case: woralelandia.com, www.woralelandia.com, blog.woralelandia.com and downloads.woralelandia.com.

After this, it prints a bunch of things, but the word "congratulations" appears somewhere. If you see that word, you're there, dude/dudess!

This thing has created the certs in a very non-FHS place: /etc/letsencrypt/live/woralelandia.com in my case. The contents of that directory are symlinks:

cert.pem  chain.pem  fullchain.pem  privkey.pem

That's a smart choice on their part: the symlinks always point at the current cert. You will need to renew these in 3 months! You should be able to automate this with a cron job or something. I'll try to do that later on.

Now I'm going to use the cert and the privkey. I will edit my nginx configuration and add:

ssl_certificate /etc/letsencrypt/live/woralelandia.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/woralelandia.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/woralelandia.com/fullchain.pem;

to every server {} block that needs them. Also, try adding:

ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_stapling on;
ssl_stapling_verify on;

somewhere in your global conf, inside http {}. This restricts nginx to the one protocol version you actually want (TLSv1.2), excludes the weak cipher suites, and turns on OCSP stapling (which is why fullchain.pem is given as ssl_trusted_certificate above). If you don't know what this is, just leave it as it is. This is semi-pro stuff ;)