Let's Encrypt and Nginx

I’m late to the game, but I finally gave Let’s Encrypt a try and I love it. The biggest advantage is the fact that SSL certificates can be completely automated. No more remembering how to renew certificates once a year.

These are mostly just notes for my future use, but maybe it will be useful for somebody. This is how I use Let’s Encrypt with Nginx.

Install the letsencrypt client:

cd /opt
git clone https://github.com/letsencrypt/letsencrypt
VENV_PATH=/opt/letsencrypt/env/ /opt/letsencrypt/letsencrypt-auto plugins

Create a directory for the client to use for authorization:

mkdir -p /srv/www/letsencrypt

Then I put this into my nginx site config:

vim /etc/nginx/sites-enabled/example.com
location /.well-known/acme-challenge {
    root /srv/www/letsencrypt;
}
service nginx reload

That allows the letsencrypt client to manage authorization files for my domain. And now I can generate the first certificate:

/opt/letsencrypt/env/bin/letsencrypt certonly --webroot -w /srv/www/letsencrypt/ -d example.com,www.example.com

Hopefully, that should generate a certificate and I can put them into the HTTPS section of my nginx config:

vim /etc/nginx/sites-enabled/example.com
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
service nginx reload

And for the main benefit, I can now set up a cron job like this, that will make sure my certificates stay up to date:

10 20 * * * /opt/letsencrypt/env/bin/letsencrypt-renewer >/dev/null && service nginx reload >/dev/null