The auto-installers they are working on are a great idea, but they even say on their discussion lists that it would be impossible for them to account for all possible configurations people may have.
I’m more of a fan of just doing a small downtime, to add the cert lines to the hosts, and then once you have it all working you just have to run the same script before 90 days are up and auto renew. The way they set it up you don’t have to change anything after that. It is pretty neat.
Also, the “webroot” method seems to work great. It basically adds some temp files to your public directory on your server so the service can verify your ownership. That way you don’t need to take down the web server. I used it to add it to all my apache and nginx servers. This is the command I ended up using:
./letsencrypt-auto certonly --webroot --webroot-path /var/www/html/ --renew-by-default --email [log in to unmask] --text --agree-tos -d example.com -d www.example.com
I then made a cron job to run this exact command in 70+ days to renew. Tested it once and it renewed my certs by 3 days so it seems to work great.
If anyone needs it, I attached the relevant SSL section from my Nginx conf. It gets an A+ on the online SSL tester (https://www.ssllabs.com).
— Noel
—
Noel Díaz
Instruction & Research Services Administrator
Information Technology Department
Purdue University Libraries
E-Mail: [log in to unmask]
Phone: 765-494-1787
On 12/6/15, 6:39 PM, "Code for Libraries on behalf of Hugh Rundle" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>Hi all
>
>Hugh here from Australia, I joined the list last week.
>
>On the weekend I successfully created and installed two LetsEncrypt certs on nginx - I've never used nginx before, so that shows you how relatively easy it is. There were a couple of gotchas using sudo, but you can create certs on nginx fairly easily using the LE beta system, it just doesn't have an auto installer like Apache.
>
>
>Hugh Rundle
>Systems and Resources Coordinator
>Libraries & Learning
>
>Brimbank City Council
>Sydenham Library - Station St Watergardens Town Centre Taylors Lakes Vic 3038
>
>T +61 3 9249 4170
>M +61 437 734 108
>F +61 3 9249 4351
>
>www.brimbank.vic.gov.au
>-----Original Message-----
>From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of Cary Gordon
>Sent: Saturday, 5 December 2015 5:52 AM
>To: [log in to unmask]
>Subject: Re: [CODE4LIB] Let's Encrypt public beta
>
>Nginx support is in progress and there is an “experimental” nginx tool available for Ubuntu 12.04+/ Debian 7+. Presumably, this is not ready for production.
>
>I was hoping that this would be further along by now, and we recently bought a three year wildcard cert subscription ($120), which is what we are recommending to our library clients at this time. Of course the cost of the cert is not really the issue. The problem that Let’s Encrypt will solve is the maintenance of the certs.
>
>Thanks,
>
>Cary
>
>> On Dec 4, 2015, at 9:06 AM, [log in to unmask] <[log in to unmask]> wrote:
>>
>> Like Cary said, it'll take some dedication to expand this to other
>> open web technologies. I'd love to see nginx support.
>>
>>
>> –Tod
>>
>> On Fri, Dec 4, 2015 at 7:56 AM, Cary Gordon <[log in to unmask]> wrote:
>>
>>> Great news if you are using Apache on Ubuntu 12.04+ or Debian 7+.
>>> Everything else will wait for someone to step up and build it.
>>>
>>> Thanks,
>>>
>>> Cary
>>>
>>>> On Dec 3, 2015, at 1:54 PM, Eric Hellman <[log in to unmask]> wrote:
>>>>
>>>> https://letsencrypt.org/2015/12/03/entering-public-beta.html
>>>>
>>>> Remember, LE is designed for automation, so your big value-add will be
>>>> figuring out how to automate cert renewal on your platform.
>>>>
>>>>
>>>> Eric Hellman
>>>> President, Free Ebook Foundation
>>>> Founder, Unglue.it https://unglue.it/
>>>> https://go-to-hellman.blogspot.com/
>>>> twitter: @gluejar
>>>
>>
>>
>>
>> --
>> Tod Robbins
>> Digital Asset Manager, MLIS
>> todrobbins.com | @todrobbins <http://www.twitter.com/#!/todrobbins>
# Nginx SSL section attached to the message above
ssl on;   # older nginx syntax; newer releases expect "listen 443 ssl;" on the listen line instead
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;   # leaf + intermediate, as written by letsencrypt-auto
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;   # used to verify stapled OCSP responses (chain.pem, the intermediate only, is the usual choice)
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
# run first: openssl dhparam -out /etc/nginx/dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;
# TLSv1 and TLSv1.1 are kept here for old clients; drop them if nothing you serve still needs them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# forward-secret (ECDHE/DHE) AES-GCM suites first; RC4, MD5, export, single DES and anonymous suites excluded.
# Note that 3DES (DES-CBC3-SHA) is still allowed at the tail of the list for very old clients.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# add_header is not inherited by a location block that sets its own add_header,
# so repeat it there or the header silently disappears for those locations.
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
# nginx needs a "resolver" directive to look up the OCSP responder's hostname;
# without one it skips stapling and logs "no resolver defined to resolve ..."
ssl_stapling on;
ssl_stapling_verify on;
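The renewal approach above fires the webroot command once from a cron job scheduled 70+ days out. The script below is an added example (not part of the original message, and not the Let's Encrypt client's own renewal code) of the same command driven from a daily cron job instead: it checks how long the live certificate has left with `openssl x509 -checkend`, only calls letsencrypt-auto when fewer than 30 of the 90 days remain, and reloads nginx only if the config still parses. A failed run is then retried the next day rather than discovered when the cert expires. The letsencrypt-auto path (/opt/letsencrypt), the e-mail address and the domain list are assumptions for the example; the webroot path and command flags are the ones from the message.

```shell
#!/bin/sh
# Added example: renew a Let's Encrypt certificate only when it is close to
# expiry, then reload nginx. Intended to run from a daily cron job, e.g.
#   17 3 * * *  /usr/local/sbin/le-renew.sh renew
#
# Assumptions (not from the original message): letsencrypt-auto lives in
# /opt/letsencrypt, the e-mail/domains below are placeholders, and `openssl`
# and `nginx` are on PATH.

LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"   # assumed location
WEBROOT="${WEBROOT:-/var/www/html}"                        # as in the message
DOMAINS="${DOMAINS:-example.com www.example.com}"          # placeholder list
EMAIL="${EMAIL:-admin@example.com}"                        # placeholder
RENEW_DAYS="${RENEW_DAYS:-30}"   # renew once fewer than 30 of the 90 days remain

# cert_needs_renewal CERT_PEM DAYS
# Exit 0 if the certificate expires within DAYS days (or is missing/unreadable),
# 1 if it is still valid beyond that window. `openssl x509 -checkend N` exits 0
# when the cert is still valid N seconds from now and 1 when it will have expired.
cert_needs_renewal() {
    cert="$1"
    days="$2"
    [ -r "$cert" ] || return 0          # no cert yet: treat as "needs issuing"
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1                        # still valid past the threshold
    fi
    return 0
}

# domain_args "a.com b.com" -> "-d a.com -d b.com"
domain_args() {
    out=""
    for d in $1; do
        out="$out -d $d"
    done
    printf '%s' "${out# }"
}

# renew_if_needed: run the same webroot command as in the message, but only when
# the live cert is inside the renewal window; then test and reload nginx.
renew_if_needed() {
    primary="${DOMAINS%% *}"
    live="/etc/letsencrypt/live/$primary/fullchain.pem"
    if ! cert_needs_renewal "$live" "$RENEW_DAYS"; then
        echo "$primary: more than $RENEW_DAYS days left, nothing to do"
        return 0
    fi
    # word-splitting of domain_args output into separate -d flags is intended
    "$LE_BIN" certonly --webroot --webroot-path "$WEBROOT" \
        --renew-by-default --email "$EMAIL" --text --agree-tos \
        $(domain_args "$DOMAINS") || { echo "renewal failed" >&2; return 1; }
    # Only reload when the config parses; a reload with a broken config
    # would take HTTPS down instead of rotating the certificate.
    nginx -t && nginx -s reload
}

if [ "$#" -gt 0 ] && [ "$1" = "renew" ]; then
    renew_if_needed
fi
```

Because `cert_needs_renewal` reads the certificate that nginx is actually serving, it also catches the case where a previous renewal succeeded but the reload did not happen: the old certificate on disk is what gets checked, not the date of the last cron run.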