I’ve been interested in the Let’s Encrypt project since I first heard about it, quite some time ago. It’s a cool idea: automatic free certificates for everyone! I’ve been using StartCom for the majority of my personal sites, minus swbcrawler, for which I purchased a cheap commercial cert. A few months back, Let’s Encrypt finally opened up for public use, and I gave it a little poke. I didn’t end up putting any of its certs live at the time though.
Well, June 1st my StartCom certs all expired, and it was time to renew. This was just enough motivation to get me to give Let’s Encrypt another go.
Let’s Encrypt has a command line tool which, if done right, automatically verifies your site and gets you a Let’s Encrypt signed certificate. It even puts it in place for you. All you have to do is configure your web server to use it and you’re done! It only issues 3 month certs though. Renewal can be automated, and that’s a requirement for me. It can integrate with Apache, but I moved to an NGINX reverse HTTP proxy a while back, so I needed it to run there. It also has some dependencies that are hard to come by on RHEL/CentOS 6, so I was held back by the version of OS I was running. Well, I recently built a new proxy on CentOS 7, so I was all set.
A quick Google search found me someone else’s instructions on how to get Let’s Encrypt going with NGINX; of course, he was on Ubuntu. Isn’t everybody? This isn’t the first time I’ve had to translate an Ubuntu setup to a RHEL setup, so I found it informative enough to get me rolling. Here are my adapted directions. Please read over his linked article for reference.
First, you need EPEL. You can get it from their site, or just install it like this:
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum install certbot
Loaded plugins: fastestmirror
...
Dependencies Resolved

================================================================================
 Package                  Arch     Version             Repository   Size
================================================================================
Installing:
 certbot                  noarch   0.6.0-2.el7         epel         15 k
Installing for dependencies:
 pyOpenSSL                x86_64   0.13.1-3.el7        base        133 k
 python-cffi              x86_64   0.8.6-2.el7         base        131 k
 python-chardet           noarch   2.2.1-1.el7_1       base        227 k
 python-cryptography      x86_64   0.8.2-1.el7         base        435 k
 python-enum34            noarch   1.0.4-1.el7         base         52 k
 python-ndg_httpsclient   noarch   0.3.2-1.el7         epel         43 k
 python-parsedatetime     noarch   1.5-3.el7           epel         61 k
 python-ply               noarch   3.4-10.el7          base        123 k
 python-psutil            x86_64   2.2.1-1.el7         epel        114 k
 python-pyasn1            noarch   0.1.6-2.el7         base         91 k
 python-pycparser         noarch   2.14-1.el7          base        104 k
 python-requests          noarch   2.6.0-1.el7_1       base         94 k
 python-six               noarch   1.9.0-2.el7         base         29 k
 python-urllib3           noarch   1.10.2-2.el7_1      base        100 k
 python-zope-component    noarch   1:4.1.0-1.el7       epel        110 k
 python-zope-event        noarch   4.0.3-2.el7         epel         79 k
 python-zope-interface    x86_64   4.0.5-4.el7         base        138 k
 python2-acme             noarch   0.6.0-1.el7         epel        161 k
 python2-certbot          noarch   0.6.0-2.el7         epel        334 k
 python2-configargparse   noarch   0.10.0-1.el7        epel         28 k
 python2-dialog           noarch   3.3.0-6.el7         epel         94 k
 python2-mock             noarch   1.0.1-9.el7         epel         92 k
 python2-pyrfc3339        noarch   1.0-2.el7           epel         13 k
 pytz                     noarch   2012d-5.el7         base         38 k

Transaction Summary
================================================================================
Install  1 Package (+24 Dependent packages)
I added this to the http and https versions of my host:
location /.well-known/ {
    allow all;
    root /var/lib/nginx/undrground-wellknown;
}
Then I created /var/lib/nginx/undrground-wellknown and ran restorecon -vFR on it. My SELinux policy already treats /var/lib/nginx as the web tree for nginx; this is apparently the default in RHEL/CentOS.
Once that is done, test your nginx config and reload. You should now have a .well-known folder under your domain. It’s empty, of course.
Now run the Let’s Encrypt client. On the first run it will install a bunch of dependencies and get things set up. After that, it’s pretty speedy.
# /bin/certbot certonly -a webroot --webroot-path=/var/lib/nginx/undrground-wellknown/ -d undrground.org -d www.undrground.org
ssl_certificate /etc/letsencrypt/live/undrground.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/undrground.org/privkey.pem;
#!/bin/bash
/bin/certbot renew
# find prints the directory itself first, so TEST is non-empty whenever
# /etc/letsencrypt/live exists and nginx is reloaded on every run.
TEST=$(find /etc/letsencrypt/live)
if [ "$TEST" ]
then
    systemctl reload nginx
fi
# certbot renew --post-hook="systemctl reload nginx"
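The two scripts above cover the renewal step; the webroot location added earlier is the part that silently breaks when a root path, SELinux label or reload is wrong, and you only find out when certbot fails. The following is an added example, not the post's own script, that ties both steps together: it first drops a random token under /.well-known/acme-challenge/ and fetches it over plain HTTP the way the ACME server will, then runs certbot renew and reloads nginx only when the fingerprint of the served certificate actually changed. The WEBROOT, DOMAIN and LIVE_DIR values are taken from the post; the function names and the "run" argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the paths used in the
# post; override WEBROOT, DOMAIN or LIVE_DIR in the environment as needed.
set -eu

WEBROOT=${WEBROOT:-/var/lib/nginx/undrground-wellknown}
DOMAIN=${DOMAIN:-undrground.org}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}

# SHA-256 fingerprint of the certificate in a PEM file; prints nothing
# (and still succeeds) when the file does not exist yet.
cert_fingerprint() {
    pem=$1
    if [ ! -r "$pem" ]; then
        echo ""
        return 0
    fi
    openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# True (exit 0) only when a certificate is present after renewal and its
# fingerprint differs from the one recorded before renewal.
cert_changed() {
    before=$1
    after=$2
    [ -n "$after" ] && [ "$before" != "$after" ]
}

# URL the ACME server fetches for a token: the webroot authenticator writes
# tokens under <webroot>/.well-known/acme-challenge/.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Pre-flight check: place a random token in the webroot and fetch it over
# plain HTTP exactly as the ACME server would. Fails when nginx does not
# serve the location (wrong root, SELinux label, config not reloaded).
webroot_check() {
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    body=$(curl -fsS "$(challenge_url "$DOMAIN" "$token")" || true)
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# Renew, then reload nginx only when the served certificate really changed.
renew_and_reload() {
    if ! webroot_check; then
        echo "webroot not reachable at $(challenge_url "$DOMAIN" TOKEN)" >&2
        return 1
    fi
    before=$(cert_fingerprint "$LIVE_DIR/fullchain.pem")
    /bin/certbot renew --quiet
    after=$(cert_fingerprint "$LIVE_DIR/fullchain.pem")
    if cert_changed "$before" "$after"; then
        echo "certificate changed ($after), reloading nginx"
        systemctl reload nginx
    else
        echo "certificate unchanged, nothing to reload"
    fi
}

# The full cycle runs only when invoked as: sh renew-and-reload.sh run
case "${1:-}" in
    run) renew_and_reload ;;
esac
```

Run it from cron or a systemd timer with the "run" argument. The fingerprint comparison is what certbot's --post-hook approximates: the hook fires once per invocation in which something was renewed, whereas this script reloads only when the file nginx actually serves differs, so a run where certbot renews a different lineage does not bounce the proxy for nothing.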