
Using Free SSL/TLS Certificates from Let’s Encrypt for Nginx - cujanovic
https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
======
pilif
The official let's encrypt client is very heavy-weight. In my case I've built
a much simpler thing using acmetool
([https://github.com/hlandau/acme](https://github.com/hlandau/acme)) which is
much simpler to use and nicely runs without root rights.

In my case, a lot of the routing of domains to customers is stored in a
postgres database and a trigger fires an event anyways, so I have a little
daemon that listens to these events and then fires off acmetool as needed in
order to generate certificates.

I just completed this last week, so when I saw this article here, I
thought that I had just wasted some time over this because now there's an
integrated nginx solution, but thankfully, this is just an article about doing
what I was doing using a tool that's more complicated to use and brings half
of an OS installation as dependencies.

For those interested,
[https://gist.github.com/pilif/1e2610dd7aa57323e0b2](https://gist.github.com/pilif/1e2610dd7aa57323e0b2)
is the script in question. It's really a quick hack, but it works very well
for me to auto-create nginx config files.
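Added example, not pilif's gist and not part of acmetool: a small Python renderer for the per-site nginx config such a daemon would write. The point worth showing is input validation: when hostnames come out of a database, they must be checked as plain DNS names before being interpolated into nginx syntax, otherwise a stray `;`, `{` or newline in a customer record becomes a config directive. The default certificate paths and challenge webroot are assumptions following acmetool's layout (`/var/lib/acme/live/<host>/{fullchain,privkey}`, `/var/run/acme/acme-challenge`); change them for another client.

```python
import re
import sys
from pathlib import PurePosixPath

# One RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """True only for a plain DNS hostname.

    Anything else (';', '{', '$', whitespace, newlines) is rejected, so a value
    read from the routing database can never inject directives into the
    generated nginx file.
    """
    name = name.rstrip(".")
    if not 1 <= len(name) <= 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def render_server_block(hostname: str,
                        live_dir: str = "/var/lib/acme/live",
                        webroot: str = "/var/run/acme/acme-challenge") -> str:
    """Render the nginx server blocks for one hostname.

    Port 80 only serves ACME http-01 challenge files and redirects everything
    else; port 443 serves TLS with that hostname's certificate.  The default
    paths are assumptions following acmetool's layout; adjust for your client.
    """
    if not valid_hostname(hostname):
        raise ValueError(f"refusing to template invalid hostname: {hostname!r}")
    host = hostname.lower().rstrip(".")
    live = PurePosixPath(live_dir) / host
    return (
        "server {\n"
        "    listen 80;\n"
        f"    server_name {host};\n"
        "    # Challenge files come from a fixed directory; nothing else is\n"
        "    # served over plain HTTP.\n"
        "    location /.well-known/acme-challenge/ {\n"
        f"        alias {webroot}/;\n"
        "    }\n"
        "    location / {\n"
        "        return 301 https://$host$request_uri;\n"
        "    }\n"
        "}\n"
        "server {\n"
        "    listen 443 ssl;\n"
        f"    server_name {host};\n"
        f"    ssl_certificate {live / 'fullchain'};\n"
        f"    ssl_certificate_key {live / 'privkey'};\n"
        "    ssl_protocols TLSv1.2;\n"
        "    ssl_prefer_server_ciphers on;\n"
        "    ssl_session_cache shared:SSL:10m;\n"
        "}\n"
    )


if __name__ == "__main__":
    # Usage: python render_site.py shop.example.com > /etc/nginx/sites-enabled/shop.example.com
    print(render_server_block(sys.argv[1]))
```

The validation is deliberately a whitelist (RFC 1123 labels only) rather than a blacklist of nginx metacharacters; a wildcard or IDN hostname would need its own rule, and rejecting it loudly is better than templating it.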

~~~
hlandau
I'm the author of acmetool.

It's quite interesting to know that people are using the design to its full
potential. Ideally, I should probably make something more library/daemon-based
for these large-scale, custom solutions, though of course I'd like to do it in
some manner of modular way that allows the existing codebase to be leveraged.
For the time being only the acmeapi package within acmetool is stable and
suitable for use by other libraries. Something to think about...

~~~
pilif
For me, the current interface is perfect (though I wouldn't call our usage
large-scale by a long shot), though it would be even better if acmetool would
indicate using the exit code whether the web server needs restarting or not
after reconciliation.

I know there are the hooks and that's what I'm using now, but if I could get a
distinct exit code to tell me that changes happened to the certificate store,
then I could get away without needing to also keep the hooks around.

That said, this should probably be on your github issues, not in here. That
also said: This was such a small issue for me that I didn't even want to
bother you - but as you're coming here to post, I guess it doesn't hurt :p

~~~
hlandau
I can't use the exit code, because a nonzero exit code by UNIX convention
indicates failure, which will spam people in their cron jobs. There's only one
exit code which conventionally means 'success'.

I could modify acmetool to output a word 'NEEDS-RELOADING' or something, which
you could grep for programmatically. But this is another option (it would have
to be an option; any output from acmetool is liable to get e-mailed to people
via cron) for something which can be, as you yourself admit, dealt with as
well via hooks. And probably more robustly, too. So on balance, I don't think
it's worth doing.
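Added example, not from acmetool or either poster: a third way to answer "did the certificate store change?" that needs neither a special exit code nor hooks. The wrapper hashes every file under the live directory before and after the reconcile run and reloads the web server only for hostnames whose files differ, so a non-zero exit still surfaces as a normal failure (it propagates as an exception) and a clean run that changed nothing is silent for cron. The `acmetool --batch` and `nginx -s reload` commands in the `__main__` block are assumed invocations; `demo()` runs the same logic against a constructed temp directory.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List


def snapshot_cert_store(live_dir: str) -> Dict[str, str]:
    """SHA-256 of every file below live_dir, keyed by relative POSIX path.

    is_file()/read_bytes() follow symlinks, so a 'live' link re-pointed at a
    new certificate directory shows up as a change even though only the link
    moved.
    """
    root = Path(live_dir)
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def changed_hostnames(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Hostnames (top-level directory names) with added, removed or rewritten files."""
    changed = set()
    for rel in set(before) | set(after):
        if before.get(rel) != after.get(rel):
            changed.add(rel.split("/", 1)[0])
    return sorted(changed)


def reconcile_and_reload(live_dir: str,
                         run_reconcile: Callable[[], object],
                         reload_server: Callable[[List[str]], object]) -> List[str]:
    """Run the ACME client, then reload the web server only if the store changed.

    The decision depends on file contents, not on the client's exit code or
    output: a failing run raises from run_reconcile, a successful run that
    changed nothing reloads nothing.
    """
    before = snapshot_cert_store(live_dir)
    run_reconcile()
    after = snapshot_cert_store(live_dir)
    hosts = changed_hostnames(before, after)
    if hosts:
        reload_server(hosts)
    return hosts


def demo() -> List[str]:
    """Constructed scenario in a temp dir: two hosts, a fake renewal rewrites one."""
    with tempfile.TemporaryDirectory() as tmp:
        for host in ("www.example.com", "shop.example.com"):
            d = Path(tmp, host)
            d.mkdir()
            (d / "fullchain").write_text(f"OLD CERT FOR {host}\n")
            (d / "privkey").write_text(f"OLD KEY FOR {host}\n")

        def fake_reconcile() -> None:
            Path(tmp, "shop.example.com", "fullchain").write_text("NEW CERT\n")

        reloaded: List[str] = []
        hosts = reconcile_and_reload(tmp, fake_reconcile, reloaded.extend)
        assert reloaded == hosts
        return hosts


if __name__ == "__main__":
    # Real use (assumed commands, adjust to your client): reconcile in batch
    # mode from cron and reload nginx only when a certificate actually changed.
    print(reconcile_and_reload(
        "/var/lib/acme/live",
        lambda: subprocess.run(["acmetool", "--batch"], check=True),
        lambda hosts: subprocess.run(["nginx", "-s", "reload"], check=True),
    ))
```

Because the reload is driven by the observed state rather than by what the client reports, the same wrapper works unchanged for any client that drops files into a directory, and a reload that is skipped because nothing changed is exactly the quiet cron run hlandau is protecting.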

------
IgorPartola
I was hoping this was an nginx module where you could specify something like
`ssl_letsencrypt on;` and be done with it.

~~~
joshmanders
Caddy has this feature and it's amazing.
[https://caddyserver.com/docs/automatic-https](https://caddyserver.com/docs/automatic-https)

~~~
pilif
_this_ is how it should work. Very nice. I can't wait for other web servers to
gain this ability too. Or at least allow us to load certificates from dynamic
locations based on some request data.

All other web servers I looked at (nginx, apache, lighttpd) still require at
least a reload for an updated certificate and a configuration file change for
a new certificate to be used.

I wonder how caddy works with the very low 5 certificates per public suffix
and week limit. Does it automatically bundle domains and request a single
certificate with SANs?

~~~
jimjag
From what I can see, Caddy also does a reload. With Apache, you can do a
Graceful restart and not lose any traffic, plus, using mod_lua you could
create a relatively easy way to add this automagically.

~~~
pilif
nginx you can also reload gracefully using the same mechanism. Still. It would
be cool if it wasn't needed. I mean - you don't normally restart web servers
when a file in the document root changes - why would you still have to do this
for changes to SSL certs?

(note: I know that these are two very different things and I know how
complicated it is to get all that state correct and to properly re-initialize
the SSL context - still, as certificates get more and more short-lived, this
would be a cool thing to have)

~~~
mholt
FWIW, Caddy's next version will be able to update the certs without reloading
at all.

------
uhoreg
I wrote up my own HOWTO for nginx just the other day:
[https://www.uhoreg.ca/blog/20160218-1757](https://www.uhoreg.ca/blog/20160218-1757)
I used the acme-tiny client instead of the official client. My post is mostly
aimed at Debian-based distributions, but should be easily adaptable to others.

------
ceejayoz
Has anyone found a good tutorial for DNS-based verification of a Let's Encrypt
certificate? It'd simplify life greatly for those of us with multi-server
clusters behind an Amazon ELB or something similar.

~~~
yoo1I
Not a tutorial, but I was having trouble with that damn 'official' Letsencrypt
client and the complexity of adding a .well-known directory on _every_ site I
needed a certificate for.

So I saw the light in the form of a bash-script [0], wrote a short hookscript,
and now I can centrally manage through DNS.

There are a couple of example scripts [1], and it's really simple to write your
own.

[0] [https://github.com/lukas2511/letsencrypt.sh](https://github.com/lukas2511/letsencrypt.sh)

[1] [https://github.com/lukas2511/letsencrypt.sh/wiki/Examples-fo...](https://github.com/lukas2511/letsencrypt.sh/wiki/Examples-for-DNS-01-hooks)
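Added example, not one of the wiki's hook scripts and not part of letsencrypt.sh: a DNS-01 hook in Python that shows the contract the client calls (`hook EVENT ARGS...`, with `deploy_challenge`/`clean_challenge` receiving `DOMAIN TOKEN_FILENAME TOKEN_VALUE` and `deploy_cert` receiving the certificate file paths; the exact argument list has varied slightly between versions, so check yours). The DNS provider API is a constructed in-memory stand-in (`MemoryDnsApi`), which you replace with your provider's client. The one part of dns-01 that usually goes wrong, telling the CA to validate before the TXT record has propagated, is handled by polling for the record before the hook returns. `dns01_txt_value` shows what the client already computes for you as `TOKEN_VALUE`.

```python
import base64
import hashlib
import sys
import time
from typing import Callable, Dict, List, Set


def dns01_txt_value(key_authorization: str) -> str:
    """Contents of the _acme-challenge TXT record for dns-01 (RFC 8555 8.4):
    base64url(SHA-256(keyAuthorization)) without padding.  letsencrypt.sh
    computes this itself and hands it to the hook as TOKEN_VALUE."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_record(domain: str) -> str:
    """Name of the TXT record the CA looks up for DOMAIN."""
    return "_acme-challenge." + domain.rstrip(".")


class MemoryDnsApi:
    """Constructed stand-in for a DNS provider's API; replace with the real client."""

    def __init__(self) -> None:
        self.records: Dict[str, Set[str]] = {}

    def add_txt(self, name: str, value: str) -> None:
        self.records.setdefault(name, set()).add(value)

    def delete_txt(self, name: str, value: str) -> None:
        self.records.get(name, set()).discard(value)

    def lookup_txt(self, name: str) -> Set[str]:
        return set(self.records.get(name, set()))


def wait_for_txt(name: str, value: str, lookup: Callable[[str], Set[str]],
                 tries: int = 10, delay: float = 2.0) -> bool:
    """Poll until the record is visible, so the client does not ask the CA to
    validate before the zone has propagated."""
    for attempt in range(tries):
        if value in lookup(name):
            return True
        if attempt + 1 < tries:
            time.sleep(delay)
    return False


def handle_hook(argv: List[str], dns: MemoryDnsApi, delay: float = 2.0) -> str:
    """Dispatch one hook invocation: hook.py EVENT ARGS...

      deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE   (triples may repeat)
      clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
      deploy_cert      DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
    Any other event is ignored, which the client expects.
    """
    if not argv:
        raise ValueError("missing hook event name")
    event, args = argv[0], argv[1:]
    if event in ("deploy_challenge", "clean_challenge"):
        if len(args) < 3 or len(args) % 3:
            raise ValueError(f"{event}: expected DOMAIN TOKEN_FILENAME TOKEN_VALUE triples")
        for i in range(0, len(args), 3):
            domain, _token_filename, token_value = args[i:i + 3]
            name = challenge_record(domain)
            if event == "deploy_challenge":
                dns.add_txt(name, token_value)
                if not wait_for_txt(name, token_value, dns.lookup_txt, delay=delay):
                    raise RuntimeError(f"{name} did not become visible")
            else:
                dns.delete_txt(name, token_value)
        return "added" if event == "deploy_challenge" else "removed"
    if event == "deploy_cert":
        # Certificate files are in place; this is where the web server reload goes.
        return "deployed"
    return "ignored"


if __name__ == "__main__":
    print(handle_hook(sys.argv[1:], MemoryDnsApi()))
```

Polling through the provider's own API only proves the record was accepted; a stricter hook resolves `_acme-challenge.<domain>` against the zone's authoritative nameservers before returning, which is what the CA will do.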

------
realusername
Here is my Nginx config for let's encrypt in my case, feel free to criticize
or copy it:
[https://gist.github.com/alex-min/158f35f604b24e163ae9](https://gist.github.com/alex-min/158f35f604b24e163ae9).
I've managed to get an A+ on the ssllab test so it should not be too bad I
believe (but I'm not an expert so if you have some idea for improvements, I
would be glad).

~~~
nickik
You should also add HPKP (leaf pinning), it's insanely powerful and a challenge
to get right. I have not figured out why the damn ssllabs complains about it
to me.

~~~
tombrossman
I have the same problem, if I use one of the HPKP generators (or copy-paste a
'correct' example & substitute my cert hashes) I always get the SSL Labs
error. Everything else is perfect. Depending on what guide I follow, I get
Nginx errors, SSL Labs errors, or other third-party test errors. Never a
consensus, which is what I would expect once everything is 100% correct.

I'll have to set aside a few more hours to figure this out soon. Even good
documentation like this is not working for me:
[https://developer.mozilla.org/en-US/docs/Web/Security/Public...](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning)
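Added example, not from either poster's config or from any HPKP generator: a Python builder for the `Public-Key-Pins` header that refuses the pin sets a browser discards under RFC 7469 section 2.5 (fewer than two pins, a pin that is not a 32-byte SHA-256, no pin matching the served chain, or no backup pin outside the chain). Those are the conditions a scanner has to report as errors, so checking them before deploying the header narrows down what "everything is perfect except HPKP" means. The `chain_pins` argument is the list of pins for every certificate you actually serve (leaf plus intermediates); the pins in the test are constructed from placeholder bytes, not real keys.

```python
import base64
import binascii
import hashlib
from typing import Iterable, List


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER)), RFC 7469 2.4."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def valid_pin_syntax(pin: str) -> bool:
    """A pin must decode (strict base64) to exactly 32 bytes."""
    try:
        raw = base64.b64decode(pin, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def build_hpkp_header(pins: Iterable[str], chain_pins: Iterable[str],
                      max_age: int = 5184000, include_subdomains: bool = False) -> str:
    """Build a Public-Key-Pins header value, refusing any pin set a browser
    would discard under RFC 7469 2.5:
      - every pin is well-formed;
      - at least two distinct pins are present;
      - at least one pin matches a key in the chain actually served
        (otherwise the site pins itself out);
      - at least one pin does not match the served chain (the Backup Pin).
    """
    pins = list(dict.fromkeys(pins))  # dedupe, keep order
    bad = [p for p in pins if not valid_pin_syntax(p)]
    if bad:
        raise ValueError(f"malformed pin(s): {bad}")
    if len(pins) < 2:
        raise ValueError("at least two pins are required (one must be a backup pin)")
    chain = set(chain_pins)
    if not set(pins) & chain:
        raise ValueError("no pin matches the served chain")
    if not set(pins) - chain:
        raise ValueError("no backup pin: every pin is already in the served chain")
    if max_age <= 0:
        raise ValueError("max-age must be positive")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def rejected(pins: List[str], chain_pins: List[str]) -> bool:
    """True if build_hpkp_header refuses this pin set."""
    try:
        build_hpkp_header(pins, chain_pins)
    except ValueError:
        return True
    return False
```

To get the real input for `spki_pin`, the SPKI DER of a certificate is `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform der`, and the backup pin comes from a separately generated key (`openssl pkey -in backup.key -pubout -outform der`) that is kept offline and is not in the served chain. In nginx the result goes into `add_header Public-Key-Pins '...' always;`. Note that HPKP was later deprecated and removed from major browsers, so this is now mainly useful for understanding why the scanner complained.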

------
dizzystar
How ironic. I just added https to my site and was searching for a solution to
this problem. I ended up using certonly --standalone as described here and it
worked like a charm:
[https://www.digitalocean.com/community/tutorials/how-to-secu...](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04)

~~~
herbst
I ended up still buying my certs because no solution seemed like something I
should and could easily automate :/

------
planetjones
I tried using the official encrypt client on my low spec VPS this weekend
(CentOS 6). It wouldn't install as when compiling it runs out of memory. Why
so heavyweight? Luckily I found a python script which uses the acme tools
stuff and that worked fine. Maybe providing binaries would be another option
so I don't have to compile everything myself.

~~~
majewsky
What were you compiling? The official client is written in Python.

~~~
planetjones
The letsencrypt-auto thing.

~~~
rorosaurus
Yeah, their documentation isn't very clear that auto actually compiles a bunch
of stuff on the fly for you. I ran into the same issue as you with my low-spec
VPS as well. You can either add some swap space, or run just "letsencrypt
certonly" and skip the auto junk, but it sounds like you did that with the
acme client already. :) I've got an open issue on their GitHub page to try and
clarify the memory requirements for low-spec VPS.

------
mark_l_watson
Thanks for the article and the other discussions, especially the pointers to
Caddy.

I have been using Cloudflare for https for my main site only and have been
deciding whether to use Cloudflare for everything or bite the bullet and set
up my own https.

~~~
newman314
You should do both.

HTTPS from user to CF
HTTPS from CF to your site

------
andmarios
I've made an ansible role for deploying many sites from one nginx instance
with automatic issuing and renewal of let's encrypt certificates.

It was going to be accompanied by a blog post to explain how things work, but I
got busy on other fronts.

If anyone's interested, it's at
[https://github.com/Landoop/ansible](https://github.com/Landoop/ansible)

------
benileo
I had to add some extra nginx config to make this work:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

