Hi everyone and happy 2016.
I thought it would be prudent to share this - OFN South Africa is now making use of this open source SSL signing service.
Lawrence
Happy 2016! It's great to see Let's Encrypt taking off and I anticipate we'll switch to it when our current certificates expire.
Update August 2016: The letsencrypt client is now called certbot and is a bit easier to use. https://certbot.eff.org/
Since the letsencrypt client needs root privileges, I did all the following as root (sudo su -).
mkdir -p /root/bin
cd /root/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
/root/bin/certbot-auto
Edit your Nginx configuration, for example /etc/nginx/sites-available/openfoodnetwork. Add the following lines to your server config:
# letsencrypt validation folder
# Do not use a /tmp folder or other users can obtain certificates.
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /etc/letsencrypt/webrootauth;
}
If you have an SSL certificate already and there is a redirect to https in your config, place these lines after the redirect, at the end of the 'server' block.
Then reload: service nginx reload
/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/etc/letsencrypt/webrootauth --email admin@openfoodnetwork.example.org --text --agree-eula --agree-tos -d openfoodnetwork.example.org
Edit your Nginx configuration again.
ssl_certificate /etc/letsencrypt/live/openfoodnetwork.example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/openfoodnetwork.example.org/privkey.pem;
After reloading service nginx reload
you should have a valid SSL setup.
Test renewal with: /root/bin/certbot-auto renew --dry-run
If that is successful, you can configure cron to check for renewals every day:
echo '#!/bin/sh
/root/bin/certbot-auto renew \
--quiet --no-self-upgrade \
--post-hook "/usr/sbin/service nginx reload"
' > /etc/cron.daily/certbot
chmod +x /etc/cron.daily/certbot
You are done.
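To make the webroot flow in the post above concrete (why the file has to land under the `root` directory, what the CA actually compares, and why a world-writable webroot such as /tmp is dangerous), here is an added example. It is not certbot's or OFN's code: a local directory stands in for /etc/letsencrypt/webrootauth, the account key and token are constructed sample values, and `ca_validates` plays the CA, reading the file back the way nginx's `root` directive maps the request URI onto the filesystem.

```python
"""ACME HTTP-01 webroot flow, modelled on the nginx + certbot setup in the post.

Added example, not certbot's or OFN's code. Assumptions: a throwaway directory
plays /etc/letsencrypt/webrootauth; SAMPLE_JWK and SAMPLE_TOKEN are constructed,
not a real Let's Encrypt account key or challenge.
"""
import base64
import hashlib
import json
import os
import re
import stat
import tempfile
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet: no '/', no '.'


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, serialised with
    lexicographically sorted keys and no whitespace. Extra members (kid, alg) are
    ignored, so two encodings of the same key give the same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at /.well-known/acme-challenge/<token>."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def check_webroot(webroot: str) -> None:
    """The '/tmp' warning from the post: if any local user can write into the
    webroot, they can drop their own key authorization there, nginx will serve
    it, and the CA will issue them a certificate for this host."""
    if os.stat(webroot).st_mode & stat.S_IWOTH:
        raise PermissionError(f"{webroot} is world-writable; other users could answer challenges")


def place_challenge(webroot: str, token: str, jwk: dict) -> Path:
    """What `certbot certonly --webroot --webroot-path <webroot>` does on disk."""
    check_webroot(webroot)
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization(token, jwk))
    return target


def nginx_root_lookup(webroot: str, uri: str) -> Path:
    """Map a request URI to a file the way `root <webroot>;` does (root + URI),
    which is why the certbot file and the nginx location line up. Anything that
    resolves outside the webroot is refused."""
    base = Path(webroot).resolve()
    candidate = (base / uri.lstrip("/")).resolve()
    if base not in candidate.parents:
        raise PermissionError("path escapes webroot")
    return candidate


def ca_validates(webroot: str, token: str, jwk: dict) -> bool:
    """Stand-in for the CA's check: fetch the token URI and compare the body to
    the key authorization computed from the account key it holds."""
    try:
        served = nginx_root_lookup(webroot, f"/{CHALLENGE_DIR}/{token}").read_text()
    except (OSError, PermissionError):
        return False
    return served.strip() == key_authorization(token, jwk)


# Constructed sample values (public part of a made-up account key and a made-up token).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key", "kid": "ignored"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def run_demo() -> dict:
    """Run the whole flow in a temporary webroot and return what was observed."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)  # root-owned, not writable by others
        placed = place_challenge(root, SAMPLE_TOKEN, SAMPLE_JWK)
        results["file_under_root"] = placed == Path(root) / CHALLENGE_DIR / SAMPLE_TOKEN
        results["valid"] = ca_validates(root, SAMPLE_TOKEN, SAMPLE_JWK)
        results["wrong_token"] = ca_validates(root, "unknown-token", SAMPLE_JWK)
        results["wrong_key"] = ca_validates(root, SAMPLE_TOKEN, dict(SAMPLE_JWK, n="other"))
        try:
            nginx_root_lookup(root, f"/{CHALLENGE_DIR}/../../../etc/passwd")
            results["traversal_blocked"] = False
        except PermissionError:
            results["traversal_blocked"] = True
        os.chmod(root, 0o1777)  # what a /tmp-style webroot looks like
        try:
            place_challenge(root, SAMPLE_TOKEN, SAMPLE_JWK)
            results["tmp_rejected"] = False
        except PermissionError:
            results["tmp_rejected"] = True
        os.chmod(root, 0o755)
    results["thumbprint_len"] = len(jwk_thumbprint(SAMPLE_JWK))
    results["order_independent"] = jwk_thumbprint(
        {"n": "x", "e": "AQAB", "kty": "RSA", "alg": "RS256"}
    ) == jwk_thumbprint({"kty": "RSA", "e": "AQAB", "n": "x"})
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The `root` directive matters: nginx appends the full URI to it, so `/.well-known/acme-challenge/<token>` is looked up at `/etc/letsencrypt/webrootauth/.well-known/acme-challenge/<token>`, which is exactly where `--webroot-path=/etc/letsencrypt/webrootauth` writes. An `alias` directive would map the path differently and the challenge would 404.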
Thanks @maikel for the detailed instructions - I agree it would be great to have these steps automated.
Took me a minute to figure it out, as I was used to using the ofn_deployment method of creating the files locally.
The --agree-eula flag doesn't seem to be supported anymore.
This is the command that ultimately worked:
/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/etc/letsencrypt/webrootauth \
--email admin@openfoodnetwork.example.org --text --agree-eula --agree-tos -d \
openfoodnetwork.example.org
certonly --webroot \
--webroot-path /var/www/example --renew-by-default --email \
example@example.org --text --agree-tos --agree-dev-preview -d \
site.example.org -d site.example.org
Got some help from the Let's Encrypt Forum.
This is the configuration that worked for me:
server {
listen 80;
server_name www.mydomain.org mydomain.org;
# Do not use a /tmp folder or other users can obtain certificates.
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /etc/letsencrypt/webrootauth;
}
location / {
rewrite ^/(.*) https://mydomain.org/$1 permanent;
}
}
@pmackay possibly if we alter the vhost.js file, something along the lines of
server {
listen 80;
{% if protocol == 'https' %}
server_name www.{{ domain }} {{ domain }};
# letsencrypt validation folder
# Do not use a /tmp folder or other users can obtain certificates.
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /etc/letsencrypt/webrootauth;
}
{% else %}
server_name www.{{ domain }};
{% endif %}
location / {
rewrite ^/(.*) {{ protocol }}://{{ domain }}/$1 permanent;
}
}
And nginx_unicorn.j2:
server {
listen 80;
{% if protocol == 'https' %}
server_name www.{{ domain }} {{ domain }};
# Do not use a /tmp folder or other users can obtain certificates.
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /etc/letsencrypt/webrootauth;
}
{% else %}
server_name www.{{ domain }};
{% endif %}
location / {
rewrite ^/(.*) https://staging.usfoodcoop.org/$1 permanent;
}
}
removing the include {{ app }}_ssl; lines.
I'm still fairly unclear on all of the installation steps as far as Ansible goes in terms of when and how the nginx config files get written and maybe rewritten.
I see there's an Ansible Galaxy role that installs acme-tiny.
Update: have to add the string ssl after 443:
ssl_certificate /etc/letsencrypt/live/mydomain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.org/privkey.pem;
server {
listen 443 ssl;
#etc...
@MikeiLL do you now have LetsEncrypt working on the US staging?
Oh yes. LetsEncrypt is happily chugging along and I have documented the process. Also I noticed that it appears another Ansible/Vagrant library I'm working with for Wordpress sites is configuring LetsEncrypt as part of the deploy. https://roots.io/trellis-adds-lets-encrypt-integration/ So there might be some good reference material there.
Cool! Just to clarify, is the documentation your posts above? Have you modified any ansible scripts to enable this, or simply edited files on the server?
Documentation is on my weblog, which includes the Let's Encrypt process. If I had made any modifications to the Ansible scripts they are not PR-ready. This is a link to my nginx config file that seems to have worked: https://gist.github.com/MikeiLL/f7fdceb1a2c986bbccc1e016e93d2727
Great! FYI, I'm deep in the middle of more improvements to the ansible scripts to automate letsencrypt and a few other bits. Will post branch when I've pushed changes.
https://staging2.openfoodnetwork.org.uk/ has just been built to do that in completely automated way. So making some progress.