
How to use Let's Encrypt with multiple domains on Nginx on Ubuntu - adamnemecek
https://johngibby.com/blog/How_to_use_LetsEncrypt_with_Multiple_Domains_on_Nginx_and_Ubuntu
======
pmontra
Why the server reboot after installing nginx?

More importantly, it should be safe to run the renew script once per month
instead of once per day. Furthermore, I didn't check now but I seem to remember
that Let's Encrypt limits the number of renewals in a period.

~~~
adiabatty
I'm not sure about the first-party Let's Encrypt client, but letsencrypt.sh
will check the dates and not bother to ask for a new certificate if the
certificate expires more than 30 days into the future. This way, if the Let's
Encrypt servers are overloaded that day and not renewing certificates, the
client will try once a day for a month before the certificate expires.

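The expiry check adiabatty describes, as an added example that is not code from the thread or from any Let's Encrypt client: a cron-safe wrapper that only contacts the CA when the certificate is within 30 days of expiry, and reloads nginx only when the file on disk actually changed. The certificate path, the renew command and the use of GNU `date -d` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Let's Encrypt client:
# a cron-safe renewal wrapper that only asks the CA for a new certificate
# when the current one is within RENEW_DAYS of expiry, and only reloads nginx
# when the certificate on disk actually changed. CERT and RENEW_CMD are
# assumptions; point them at your own files and client.
set -eu

CERT=${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}
RENEW_DAYS=${RENEW_DAYS:-30}
RENEW_CMD=${RENEW_CMD:-"/opt/letsencrypt/letsencrypt-auto renew --quiet"}

# notAfter of the certificate as a Unix timestamp. Assumes GNU date (-d).
cert_expiry_epoch() {
    enddate=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -d "$enddate" +%s
}

# SHA-256 fingerprint, used to detect whether the renew command replaced the file.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Whole days between two Unix timestamps (expiry, now); pure arithmetic.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# True (exit 0) when the certificate expires in threshold_days or fewer.
# Arguments: expiry_epoch now_epoch threshold_days
needs_renewal() {
    [ "$(days_left "$1" "$2")" -le "$3" ]
}

main() {
    now=$(date +%s)
    expiry=$(cert_expiry_epoch "$CERT")
    if ! needs_renewal "$expiry" "$now" "$RENEW_DAYS"; then
        echo "$CERT: $(days_left "$expiry" "$now") days left, not renewing"
        return 0
    fi
    before=$(cert_fingerprint "$CERT")
    $RENEW_CMD          # unquoted on purpose: split into command and flags
    after=$(cert_fingerprint "$CERT")
    if [ "$before" != "$after" ]; then
        nginx -t && nginx -s reload   # reload, not restart, and only on a valid config
    fi
}

# Run only when invoked with --run, so the file can be sourced for testing.
if [ "${1-}" = "--run" ]; then
    main
fi
```

Run it daily from cron with `--run`; on most days it exits after the date check without touching the network, so the daily schedule costs nothing and still gives you a month of retries if the CA is unavailable on a given day.
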
------
Padrio
[https://www.ssllabs.com/ssltest/analyze.html?d=johngibby.com](https://www.ssllabs.com/ssltest/analyze.html?d=johngibby.com)
You better check your SSL configuration

~~~
weddpros
It's not as bad as it seems: SSL v3 is supported, but no cipher is supported
for SSL v3... It should get a B instead of a C ;-)

(shameless plug: I used [https://sslping.com](https://sslping.com) and tried
to understand why it didn't catch the SSLv3 problem: no cipher, so SSLv3 can't
really be used. SSLPing doesn't test DH params length yet though)

------
dewey
Wrote something similar to that (for Gentoo but should work for others just
fine) a few days ago. It scores A+ on SSLlabs and I used it to replace a
wildcard certificate, so it's running everything for a bunch of domains.

[https://blog.notmyhostna.me/lets-encrypt-with-auto-renewal-and-nginx/](https://blog.notmyhostna.me/lets-encrypt-with-auto-renewal-and-nginx/)

------
StavrosK
Last time I tried this, I used Lego, which was very easy:

[https://github.com/xenolf/lego](https://github.com/xenolf/lego)

Does anyone know how long it will be until nginx gets native support for ACME,
like Caddy has?

~~~
teekert
Still looks like a lot of files just to do "./opt/letsencrypt/letsencrypt-auto
renew" once a week (using cron) and restarting Nginx in case there is a new
cert. Which is all you need, really.

If Nginx would just start serving the new cert as soon as a new one is
generated, that would be a nice feature and make things even less complicated
(new cert is now the only reason to restart Nginx, apart from updates).

~~~
StavrosK
Reloading nginx works for certs. The tradeoff to "a lot of files" is that it
doesn't need to be installed and it doesn't mess with your webserver
configuration, which, if you're deploying things properly, will just get
overwritten next time by your provisioning software.

------
Qantourisc
Tip: there are ways to renew without running the standalone version (this
means "host me a webserver to request my ssl") and thus not having to stop
your http-server, but they require more work.

~~~
krkoch
If you know how, please do tell or provide some pointers. It would be nice to
set up at my site.

~~~
loonattic
I use acme-tiny (with --acme-dir) and set up nginx to point
/.well-known/acme-challenge to a directory acme-tiny can write to. It should be
possible to do reverse proxying with nginx for whatever web server hosts the
acme challenges.

~~~
icebraining
+1, if you have just one server, it's merely a matter of adding

    location /.well-known/acme-challenge/ {
        alias {directory};
        try_files $uri =404;
    }

to the Nginx config of each site, then having a script on cron that generates
the csr and calls acme_tiny. It's fairly easy to set up and you can be
reasonably sure it won't screw up your site if it fails for some reason.

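The cron side of icebraining's setup, as an added example that is not code from the thread or from the acme-tiny project: one script that builds a CSR covering several domains (so one certificate serves all of them), hands it to acme_tiny.py with the challenge directory the nginx location above serves, and reloads nginx only if a parseable certificate came back. The domain list, directory paths and file names are assumptions; the account key and domain key are assumed to exist already.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme-tiny: issue one
# certificate for several domains over the /.well-known/acme-challenge/
# location, then reload nginx. All paths and the DOMAINS list are assumptions.
set -eu

DOMAINS=${DOMAINS:-"example.com www.example.com"}   # constructed sample list
ACME_DIR=${ACME_DIR:-/var/www/acme-challenge}       # must match the nginx alias
ACME_TINY=${ACME_TINY:-/opt/acme-tiny/acme_tiny.py}
STATE=${STATE:-/etc/ssl/acme}                       # account.key and domain.key live here

# Turn "a.com b.com" into "DNS:a.com,DNS:b.com" for the subjectAltName extension.
san_list() {
    out=""
    for d in "$@"; do
        out="${out:+$out,}DNS:$d"
    done
    printf '%s' "$out"
}

# openssl config that puts every domain in subjectAltName; the first domain is
# also used as the CN by make_csr. The empty [dn] section is required by
# openssl req even though -subj supplies the subject.
csr_config() {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = san\n[dn]\n'
    printf '[san]\nsubjectAltName = %s\n' "$(san_list "$@")"
}

# Write the CSR for all domains using the existing domain key.
make_csr() {
    first=$1
    csr_config "$@" > "$STATE/csr.cnf"
    openssl req -new -sha256 -key "$STATE/domain.key" \
        -subj "/CN=$first" -config "$STATE/csr.cnf" -out "$STATE/domain.csr"
}

main() {
    set -- $DOMAINS   # split the space-separated list into positional args
    make_csr "$@"
    # acme_tiny writes the challenge files into ACME_DIR, which nginx already
    # serves from the location above, so the web server never has to stop.
    python "$ACME_TINY" --account-key "$STATE/account.key" \
        --csr "$STATE/domain.csr" --acme-dir "$ACME_DIR" > "$STATE/signed.crt.new"
    # Swap in the new certificate only if it parses; a failed run leaves the
    # current certificate and the running nginx untouched.
    openssl x509 -noout -in "$STATE/signed.crt.new"
    mv "$STATE/signed.crt.new" "$STATE/signed.crt"
    nginx -t && nginx -s reload
}

# Run only when invoked with --run, so the file can be sourced for testing.
if [ "${1-}" = "--run" ]; then
    main
fi
```

Point `ssl_certificate` at the chain nginx needs: older acme-tiny releases print only the leaf certificate, in which case the intermediate has to be appended to the output before nginx will serve a complete chain; newer releases print the chain themselves. Check which yours does before wiring this into cron.
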
------
dawnerd
I like using this: [https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)

Works like a charm

------
timonv
I currently have it hooked up into Ansible, which generates a cert
automatically for each domain we load balance (in Haproxy). It works very
well, although wildcards would be much nicer.

------
aksx
There is a typo in the title, can the mods please rename it to fix `Ubuntu`?

~~~
dang
Sure.

