Setting up letsencrypt with nginx and Apache

Install certbot

Manual installation

Add the Debian backports repository to apt by writing the following line to /etc/apt/sources.list.d/backports.list (the echo command does it in one step):

    echo 'deb http://ftp.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/backports.list

Then update the apt package index and install certbot from backports:

    apt update
    apt-get install certbot -t jessie-backports

Using Ansible playbook

    - name: configure backports apt repository
      apt_repository:
        filename: backports
        repo: "deb http://http.debian.net/debian jessie-backports main"
        update_cache: yes
      tags:
        - apt
        - backports
    - name: Install certbot
      apt:
        name: certbot
        update_cache: yes
        default_release: jessie-backports
        state: latest

Create the letsencrypt folder

    mkdir -p /var/www/letsencrypt

Setting up the web server to serve .well-known verification requests

Let's Encrypt proves that you control a domain by fetching a token from http://your-domain.com/.well-known/acme-challenge/, so the web server must serve that path from the folder created above.

Nginx

Just add these lines inside your server block:

    server {
        location /.well-known/acme-challenge/ {
            allow all;
            root /var/www/letsencrypt;
            try_files $uri =404;
            break;
        }
    }

Reload nginx to apply these changes:

    service nginx reload

Apache

Add these lines to your vhost configuration file. They should be inside the <VirtualHost *:80> block.

    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        # On Debian, apache2.conf already grants access to /var/www;
        # on other distributions add "Require all granted" here.
    </Directory>

Reload Apache to apply these changes:

    service apache2 reload

Request your certificate

Run certbot with the webroot plugin, pointing -w at the folder the web server now serves for /.well-known/acme-challenge/:

    certbot certonly --webroot -w /var/www/letsencrypt/ -d your-domain.com --renew-by-default
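Before running certbot it is worth confirming that the challenge path really is served from the webroot, because a failed validation costs you a rate-limit attempt. The following pre-flight check is an added example, not part of the original post: it drops a random token into <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP exactly as the Let's Encrypt validation server does, and compares the two. The demo() function stands in for nginx or Apache with Python's built-in http.server on a temporary directory; for a real server call check_challenge_path("/var/www/letsencrypt", "http://your-domain.com") on the host instead. Re-run it after any later change to the port-80 block, such as the optional redirect to https further down, since an nginx return placed directly in the server block takes effect before location matching and the redirected challenge request must then be served by the 443 block too.

```python
"""Pre-flight check for the HTTP-01 challenge path.

Added example, not from the original post. Assumes the web server maps
http://<domain>/.well-known/acme-challenge/ onto <webroot>/.well-known/acme-challenge/
as configured above; the local http.server in demo() is a stand-in for it.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_challenge_path(webroot: str, base_url: str, timeout: float = 5.0) -> bool:
    """Write a random token under the webroot, fetch it over HTTP, compare, clean up."""
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)          # URL-safe, like a real ACME token
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
        return body == token
    except (urllib.error.URLError, OSError):   # 404, connection refused, timeout, ...
        return False
    finally:
        os.remove(path)                        # never leave test tokens behind


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):              # silence per-request logging
        pass


def _serve(directory: str):
    """Start a throwaway HTTP server for `directory` on a random localhost port."""
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> dict:
    """Run the check against a correctly configured and a misconfigured server.

    Both webroots are constructed temporary directories; the 'wrong_root'
    server mimics a vhost whose root does not point at the certbot webroot.
    """
    with tempfile.TemporaryDirectory() as good_root, tempfile.TemporaryDirectory() as other_root:
        good_srv, good_url = _serve(good_root)     # serves the folder certbot writes into
        bad_srv, bad_url = _serve(other_root)      # serves some other folder
        try:
            return {
                "correct_root": check_challenge_path(good_root, good_url),
                "wrong_root": check_challenge_path(good_root, bad_url),
            }
        finally:
            for srv in (good_srv, bad_srv):
                srv.shutdown()
                srv.server_close()


if __name__ == "__main__":
    print(demo())   # expected: {'correct_root': True, 'wrong_root': False}
```

A False result for the real server means the Alias/location above is not in effect yet (config not reloaded, wrong vhost, or a redirect catching the path); fix that before spending a validation attempt.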

Configure your web server to serve SSL

Nginx

    server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
        server_name your-domain.com;
        location / {
            # your location configuration as you usually do in the listen 80 block
        }
        access_log /var/log/nginx/your-domain.com.access.log;
        error_log /var/log/nginx/your-domain.com.error.log;
    }

Restart nginx to apply the changes

(Optional) force http to be redirected to https

Just add this line inside the server block that listens on port 80:

    return 301 https://$server_name$request_uri;

Apache

Add this block to the virtual host configuration file, next to the existing <VirtualHost *:80> block.

    # Requires mod_ssl (a2enmod ssl on Debian).
    <VirtualHost *:443>
        ServerName your-domain.com
        DocumentRoot /your-web-document-root
        <Directory /your-web-document-root>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        CustomLog /var/log/apache2/your-domain.com.access.log combined
        ErrorLog /var/log/apache2/your-domain.com.error.log
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/your-domain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
        # On Apache 2.4.8+ SSLCertificateChainFile is deprecated: point
        # SSLCertificateFile at fullchain.pem instead and drop the next line.
        SSLCertificateChainFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>

Restart apache2 to apply the changes

Issues

failed (SSL: error:02001002:system library

Solution: error:02001002 is OpenSSL reporting that fopen() on the certificate or key failed ("No such file or directory"), so it can be a permissions issue or a mistyped directory in the ssl_certificate / SSLCertificateFile paths. Check that the files under /etc/letsencrypt/live/your-domain.com/ exist and are readable by the web server.
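A small diagnostic for that error, added here as an example and not part of the original post: it checks the certificate and key paths the way the web server would (existence, then readability by the current user, so run it as root or as the server's user) and then loads the pair with the standard-library ssl module, which additionally catches a malformed PEM or a key that does not belong to the certificate. The demo() inputs are constructed files in a temporary directory; on a real host pass the paths from your nginx or Apache configuration.

```python
"""Diagnose 'SSL: error:02001002:system library' style startup failures.

Added example, not from the original post. Assumes nothing about the
server beyond the certificate and key paths passed in.
"""
import os
import ssl
import tempfile


def diagnose_cert_pair(cert_path: str, key_path: str) -> str:
    """Return 'ok' or a short description of the first problem found."""
    for label, path in (("certificate", cert_path), ("key", key_path)):
        if not os.path.exists(path):          # typo, wrong domain dir, dangling symlink
            return f"missing {label}: {path}"
        if not os.access(path, os.R_OK):      # current user cannot read it
            return f"unreadable {label}: {path}"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)   # parses PEM and checks key/cert match
    except ssl.SSLError as exc:
        return f"ssl error: {exc.reason or exc}"
    return "ok"


def demo() -> dict:
    """Exercise the two common failure modes with constructed input files."""
    with tempfile.TemporaryDirectory() as d:
        bogus = os.path.join(d, "fullchain.pem")
        with open(bogus, "w") as fh:
            fh.write("not a certificate\n")   # constructed: exists but is not PEM
        return {
            # mistyped filename (constructed typo in the certificate path)
            "typo": diagnose_cert_pair(os.path.join(d, "fullchian.pem"), bogus),
            # readable file with unusable contents
            "garbage": diagnose_cert_pair(bogus, bogus),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

On a healthy host diagnose_cert_pair("/etc/letsencrypt/live/your-domain.com/fullchain.pem", "/etc/letsencrypt/live/your-domain.com/privkey.pem") returns "ok"; any other value names the file to fix.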
