How to use Let's Encrypt with multiple domains on Nginx on Ubuntu (johngibby.com)
58 points by adamnemecek on June 27, 2016 | hide | past | web | favorite | 18 comments



Why the server reboot after installing nginx?

More importantly, it should be safe to run the renew script once per month instead of once per day. Furthermore, I didn't check now but I seem to remember that Let's Encrypt limits the number of renewals in a period.


I like to reboot servers after upgrading / installing software so that everything I changed recently is fresh in my head. Otherwise, it could be 6-12 mos before a reboot is required and if something doesn't come up right, you may well not remember what has changed since the last working reboot...


I'm not sure about the first-party Let's Encrypt client, but letsencrypt.sh will check the dates and not bother to ask for a new certificate if the certificate expires more than 30 days into the future. This way, if the Let's Encrypt servers are overloaded that day and not renewing certificates, the client will try once a day for a month before the certificate expires.


https://www.ssllabs.com/ssltest/analyze.html?d=johngibby.com You better check your SSL configuration


It's not as bad as it seems: SSL v3 is supported, but no cipher is supported for SSL v3... It should get a B instead of a C ;-)

(shameless plug: I used https://sslping.com and tried to understand why it didn't catch the SSLv3 problem: no cipher, so SSLv3 can't really be used. SSLPing doesn't test DH params length yet though)


Wrote something similar to that (for Gentoo but should work for others just fine) a few days ago. It scores A+ on SSLlabs and I used it to replace a wildcard certificate so it's running everything for a bunch of domains.

https://blog.notmyhostna.me/lets-encrypt-with-auto-renewal-a...


Last time I tried this, I used Lego, which was very easy:

https://github.com/xenolf/lego

Does anyone know how long it will be until nginx gets native support for ACME, like Caddy has?


Still looks like a lot of files just to do "./opt/letsencrypt/letsencrypt-auto renew" once a week (using cron) and restarting Nginx in case there is a new cert. Which is all you need really.

If Nginx would just start serving the new cert as soon as a new one is generated, that would be a nice feature and make things even less complicated (new cert is now the only reason to restart Nginx, apart from updates).


Reloading nginx works for certs. The tradeoff to "a lot of files" is that it doesn't need to be installed and it doesn't mess with your webserver configuration, which, if you're deploying things properly, will just get overwritten next time by your provisioning software.


Tip: there are ways to renew without running the standalone version (this means "host me a webserver to request my ssl") and thus not having to stop your http-server, but they require more work.


If you know how, please do tell or provide some pointers. It would be nice to set up at my site.


I use acme-tiny (with --acme-dir) and set up nginx to point the /.well-known/acme-challenge to a directory acme-tiny can write to. It should be possible to do reverse proxying with nginx for whatever web server hosts the acme challenges.


+1, if you have just one server, it's merely a matter of adding

  location /.well-known/acme-challenge/ {
      alias {directory};
      try_files $uri =404;
  }
to the Nginx config of each site, then having a script on cron that generates the csr and calls acme_tiny. It's fairly easy to set up and you can be reasonably sure it won't screw up your site if it fails for some reason.
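A cron-driven renewal script in the shape the two comments above describe (challenge directory aliased by nginx, CSR generated, acme-tiny called, nginx reloaded), added here as an example; it is not from the article or from any commenter. The paths under /etc/ssl/acme and /var/www/acme-challenge, and an acme_tiny.py that prints the full chain, are assumptions.

```shell
#!/bin/sh
# Added example: renew one SAN certificate covering several domains with
# acme-tiny in webroot mode, then reload nginx. Assumed (not from the thread):
# state lives in /etc/ssl/acme, nginx aliases /.well-known/acme-challenge/ to
# /var/www/acme-challenge, and acme_tiny.py prints the full chain.
set -eu

ACME_DIR=/var/www/acme-challenge
STATE_DIR=/etc/ssl/acme
CERT=$STATE_DIR/chained.pem
RENEW_BEFORE_DAYS=30

# Print an OpenSSL request config that puts every domain given into
# subjectAltName, with the first one as CN, so a single cert serves them all.
san_config() {
    sans=""
    for d in "$@"; do
        sans="${sans:+$sans,}DNS:$d"
    done
    printf '[req]\ndistinguished_name=dn\nreq_extensions=ext\nprompt=no\n'
    printf '[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' "$1" "$sans"
}

# Succeed only if the cert exists and stays valid for more than
# RENEW_BEFORE_DAYS; a daily cron job then does nothing on most days.
still_fresh() {
    [ -f "$1" ] || return 1
    openssl x509 -in "$1" -noout -checkend $((RENEW_BEFORE_DAYS * 86400)) >/dev/null
}

renew() {
    if still_fresh "$CERT"; then
        echo "cert valid for more than $RENEW_BEFORE_DAYS days; skipping"
        return 0
    fi
    san_config "$@" > "$STATE_DIR/san.cnf"
    openssl req -new -sha256 -key "$STATE_DIR/domain.key" \
        -config "$STATE_DIR/san.cnf" -out "$STATE_DIR/domain.csr"
    # acme-tiny drops challenge files in ACME_DIR; nginx serves them over plain
    # HTTP, so the existing vhosts never have to stop.
    python acme_tiny.py --account-key "$STATE_DIR/account.key" \
        --csr "$STATE_DIR/domain.csr" --acme-dir "$ACME_DIR" > "$CERT.new"
    mv "$CERT.new" "$CERT"          # atomic swap: nginx never reads a half-written file
    nginx -t && nginx -s reload     # reload only once the new cert is in place
}

# usage: renew.sh example.com www.example.com   (one cert for both names)
if [ $# -gt 0 ]; then renew "$@"; fi
```

Run it from cron once a day; on most days it exits after the expiry check without touching the CA.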


Look for the "webroot" mode of the official client (or one of the other lightweight clients).

Example: https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc...



I currently have it hooked up into Ansible, which generates a cert automatically for each domain we load balance (in Haproxy). It works very well, although wildcards would be much nicer.


There is a typo in the title, can the mods please rename it to fix `Ubuntu`?


Sure.



