
Duncan Leo

Setting up Nginx and LetsEncrypt

nginx lets encrypt

Here are instructions on setting up Nginx with Let’s Encrypt (LE) certs on both Arch Linux and Ubuntu.

Install the software

Ubuntu:

$ apt-get install nginx letsencrypt

Arch:

$ pacman -S nginx certbot

Next, make a directory in /etc/nginx called letsencrypt. It will serve as a temporary directory for LE to validate that you own the domain you’re getting a certificate for.

After that, add the following server block to your Nginx configuration. It redirects ordinary HTTP traffic to HTTPS but serves the /.well-known/acme-challenge path over plain HTTP from the directory you just created, which is the route LE fetches to validate the domain.

server {
  listen 80;

  location / {
    return 301 https://$host$request_uri;
  }

  location /.well-known/acme-challenge {
    root /etc/nginx/letsencrypt;
    default_type "text/plain";
  }
}

Once it is saved and enabled, do this to reload Nginx:

$ systemctl reload nginx

Get certificates!

It’s now time to obtain certificates. The following command uses the newer name of LE’s client, certbot. Some distros like Ubuntu still ship it under the older name letsencrypt, but both behave the same for this scenario.

$ certbot certonly --webroot -w /etc/nginx/letsencrypt -d YOUR_TARGET_DOMAIN
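Before running that command it is worth confirming that the challenge path is actually reachable, since a failed validation is the most common reason certbot stops here. The script below is an added example, not part of the original post: it drops a random token into the webroot, fetches it over HTTP the way LE would, and removes it again. It assumes the webroot /etc/nginx/letsencrypt and the port-80 server block above, and that DNS for the domain already points at this machine; the file name acme_preflight.py and the simulated server used for the offline self-test are assumptions of this example.

```python
#!/usr/bin/env python3
"""Pre-flight check for the HTTP-01 challenge path used by certbot --webroot.

Added example, not part of the original post. Assumes the webroot
/etc/nginx/letsencrypt and the port-80 server block shown above, and that
the host running it can reach http://YOUR_TARGET_DOMAIN/ (DNS already
points at this server). Hypothetical file name: acme_preflight.py.
"""
import os
import secrets
import sys
import tempfile
import urllib.error
import urllib.request

ACME_PREFIX = ".well-known/acme-challenge"


def challenge_paths(webroot, domain, token):
    """Where certbot --webroot writes a token, and the URL LE fetches it from.
    nginx's 'root' directive appends the URL path to the directory, so the
    file lives under webroot/.well-known/acme-challenge/."""
    file_path = os.path.join(webroot, *ACME_PREFIX.split("/"), token)
    url = f"http://{domain}/{ACME_PREFIX}/{token}"
    return file_path, url


def http_fetch(url, timeout=5):
    """Plain GET, following redirects as LE does. Returns (status, body);
    status 0 means the connection itself failed."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError as err:
        return 0, str(err.reason)


def preflight(webroot, domain, fetch=http_fetch):
    """Drop a random token into the webroot, fetch it the way LE would, and
    remove it again. Returns a list of problems; empty means the path works."""
    token = secrets.token_urlsafe(24)   # random name: nothing guessable is exposed
    body = secrets.token_urlsafe(24)
    file_path, url = challenge_paths(webroot, domain, token)
    os.makedirs(os.path.dirname(file_path), exist_ok=True)
    with open(file_path, "w", encoding="utf-8") as fh:
        fh.write(body)
    try:
        status, got = fetch(url)
    finally:
        os.remove(file_path)            # never leave the probe file behind
    problems = []
    if status != 200:
        problems.append(f"GET {url} returned {status} {got[:80]!r}, expected 200: "
                        "location block missing or not reloaded, or DNS not pointing here")
    elif got != body:
        problems.append("body mismatch: a different server or a cached page answered")
    return problems


def simulate_nginx_root(webroot):
    """Offline stand-in for the nginx location block (an assumption of this
    example): map the URL path onto the root directory and serve the file,
    refusing anything that would escape the root."""
    base = os.path.realpath(webroot)

    def fetch(url, timeout=None):
        path = url.split("/", 3)[3]     # drop 'http:', '', host
        candidate = os.path.realpath(os.path.join(base, *path.split("/")))
        if not candidate.startswith(base + os.sep):
            return 403, ""
        try:
            with open(candidate, encoding="utf-8") as fh:
                return 200, fh.read()
        except FileNotFoundError:
            return 404, ""
    return fetch


def selftest():
    """Run the check against the simulated server in a scratch webroot."""
    with tempfile.TemporaryDirectory() as scratch:
        return preflight(scratch, "example.test", fetch=simulate_nginx_root(scratch))


if __name__ == "__main__":
    # usage: acme_preflight.py WEBROOT DOMAIN   (no arguments: offline self-test)
    found = preflight(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else selftest()
    for line in found:
        print("PROBLEM:", line)
    print("ok" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it as `python3 acme_preflight.py /etc/nginx/letsencrypt YOUR_TARGET_DOMAIN` from any machine that resolves the domain; a 301 or 404 here means the location block is not active yet, and a body mismatch means some other host answered for the name.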

Using the certificates

Here’s a sample Nginx config that shows how to use the newly-obtained certificates:

server {
  listen 443 ssl;

  ssl_certificate /etc/letsencrypt/live/YOUR_TARGET_DOMAIN/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/YOUR_TARGET_DOMAIN/privkey.pem;

  location / {
    root /var/www/html;
    index index.html index.htm;
  }
}

Auto-renewal

There are two ways of having your certificates automatically renewed. Both rely on running the LE client’s renew command periodically. When that happens, the LE client will not replace a certificate that is not yet close to expiring, so running it often is harmless.

As always, swap certbot out for letsencrypt if that’s what your distro has available.

Systemd

This method can be used on both Linux distros. We’re going to be creating service files in /etc/systemd/system. These service files also include commands to restart Nginx so that it’ll begin using the new certificate.

  1. Create certbot-nginx.service and enter the following:

[Unit]
Description=Renew Certbot certificate (nginx)
After=network-online.target

[Service]
Type=oneshot
ExecStartPre=/usr/bin/systemctl stop nginx
ExecStart=/usr/bin/certbot renew --standalone --keep-until-expiring
ExecStartPost=/usr/bin/systemctl --no-block start nginx

  2. Create certbot-nginx.timer and enter the following:

[Unit]
Description=Renew Certbot certificate (nginx)

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=multi-user.target

Then, enable the service as follows:

$ systemctl enable certbot-nginx.timer
$ systemctl start certbot-nginx.timer

That’s all! The timer runs certbot every month, and certbot replaces any certificate that is due for renewal, so they stay valid.

Cron

This method can be used on Ubuntu.

Start up the cron editor:

$ crontab -e

Enter the following as a new line at the end of the file:

30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log

This runs the LE client’s renew command on that schedule (02:30 every Monday) and appends its log output to le-renew.log.
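Whichever of the two renewal methods you pick, the thing to monitor is the certificate Nginx is actually serving, not the file on disk: a renewal can fail silently, and the cron line above (unlike the systemd service) never reloads Nginx, so a fresh certificate can sit unused in /etc/letsencrypt/live. The script below is an added example, not part of the original post, covering both the systemd and the cron setup: it opens a verified TLS connection to the host, reads the served certificate’s expiry, and reports whether it is inside certbot’s renewal window. The 30-day threshold is certbot’s default; the file name cert_expiry_check.py and the status labels are assumptions of this example.

```python
#!/usr/bin/env python3
"""Check that renewal really happened by inspecting the certificate nginx serves.

Added example, not part of the original post. It assumes only that the site
is reachable on port 443; the 30-day threshold is certbot's default renewal
window. Hypothetical file name: cert_expiry_check.py.
"""
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 30      # certbot renews once fewer than 30 days remain
DAY = 86400.0


def days_until_expiry(not_after, now=None):
    """not_after in the form getpeercert() returns, e.g. 'Jan  5 00:00:00 2025 GMT'.
    'now' is a Unix timestamp; defaults to the current time."""
    expiry = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return (expiry - now) / DAY


def renewal_status(days_left, window=RENEW_WINDOW_DAYS):
    """'ok' outside the window, 'renew-due' inside it, 'expired' past notAfter.
    A served cert still 'renew-due' after the timer or cron job has run means
    the renewal failed or nginx was never reloaded to pick up the new file."""
    if days_left <= 0:
        return "expired"
    if days_left < window:
        return "renew-due"
    return "ok"


def served_cert_not_after(host, port=443, timeout=5):
    """Open a verified TLS connection (chain and hostname checked, as a browser
    would) and return the served leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} HOST", file=sys.stderr)
        return 2
    host = argv[1]
    try:
        not_after = served_cert_not_after(host)
    except (ssl.SSLError, OSError) as err:   # bad chain, wrong name, already expired, unreachable
        print(f"{host}: TLS check failed: {err}")
        return 1
    days = days_until_expiry(not_after)
    status = renewal_status(days)
    print(f"{host}: expires {not_after}, {days:.1f} days left -> {status}")
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python3 cert_expiry_check.py YOUR_TARGET_DOMAIN` from a monitoring host a day or two after each scheduled renewal run; a non-zero exit there is the signal that the renew command or the Nginx reload did not do its job. Because the default SSL context verifies the chain, an already-expired or wrongly-served certificate fails at connection time rather than reaching the expiry arithmetic.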