From the website itself, letsencrypt is described as:
I've previously written about setting up https for my 4d4ms.com domain, but I never really explored using letsencrypt to acquire a certificate. Since I also own and run heavytechnical.com, I decided I'd give letsencrypt a shot with that domain and see how it goes.Let’s Encrypt is a free, automated, and open Certificate Authority.
I run NGINX in front of my web services that host the websites. The certbot site claims:
But my experience was different:The Nginx plugin has been distributed with Certbot since version 0.9.0 and should work for most configurations.
$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed
ohhhh kaaayyyy. How do we install plugins? I couldn't find any documentation for how to install the nginx plugin, but I took a wild guess based on what the documentation says to do to exclude installation of the apache plugin:
$ sudo apt-get install python-certbot-nginx
Looks promising!
# sudo certbot --nginx
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: 4d4ms.com
2: heavytechnical.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
aha!
After answering a couple of questions and accepting the TOS, certbot acquired a certificate, modified my NGINX configuration to refer to it, added lines to redirect non secure (http) to secure (https) and commented the lines it altered:
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/heavytechnical.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/heavytechnical.com/privkey.pem; # managed by Certbot
ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
ssl_session_timeout 1440m; # managed by Certbot
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
ssl_prefer_server_ciphers on; # managed by Certbot
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-R\
SA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Ce\
rtbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
And there we have it. A newly minted ceritificate that is good for 90 days, at which point I'll have to renew. I haven't yet set up a script to automatically renew the cert, but supposedly that's pretty easy too.
