Letsencrypt

Let's Encrypt certificates using LEGO

This post is more of a self-reminder on how I set up automatic SSL/TLS certificate renewal on my servers.

I chose LEGO to handle certificate renewal with Let's Encrypt because it is simple to use, has no dependencies, has great documentation and is actively developed.

I found this and this article very useful, but both are outdated in the way they pass the tls and http parameters. So here are my notes.

This procedure is Debian GNU/Linux based, but I also used it pretty much as-is on NetBSD and FreeBSD; only the nginx-related paths changed.

Let's Encrypt-friendly nginx configuration

I use this great cheat sheet to get certificates from Let's Encrypt's free certificate authority on my own servers, but while that short document is very straightforward, it does not say much about nginx's configuration. So here is mine, so that your journey through TLS is even simpler:

$ cat /usr/pkg/etc/nginx/nginx.conf

# this nginx installation comes from pkgsrc for both Linux and NetBSD
# you might have to adapt paths to suit your needs... or switch to pkgsrc ;)

user   nginx  nginx;
worker_processes  2;

events {
    worker_connections  1024;
}

http {
    include       /usr/pkg/etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    # a little bit of browser leverage doesn't hurt :)
    gzip  on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_proxied any;

    server {
        # serve both IPv4 and IPv6 FWIW
        listen       [::]:80;
        listen       80;

        server_name  localhost example.com *.example.com;

        # this is where the ACME client drops the HTTP-01 challenge token;
        # nginx appends the request URI to "root", so the file ends up at
        # /var/www/letsencrypt/.well-known/acme-challenge/<token>
        location /.well-known/acme-challenge {
                default_type "text/plain";
                root /var/www/letsencrypt;
        }

        # redirect everything else to HTTPS
        location / { return 302 https://$host$request_uri; }
    }

    server {
        listen       [::]:443 ssl;
        listen       443 ssl;

        # you'll have to request these names from your ACME client accordingly;
        # note that a wildcard such as *.example.com cannot be issued through the
        # HTTP-01 webroot challenge above, only through the DNS-01 challenge
        server_name  localhost example.com *.example.com;

        # here lie the PEM files your ACME client wrote (this is certbot's layout;
        # lego stores them as <--path>/certificates/<domain>.crt and .key)
        ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;

        # harden used protocols a little: TLS 1.0 and 1.1 are deprecated (RFC 8996),
        # so offer only 1.2 and 1.3 (1.3 needs nginx built against OpenSSL 1.1.1 or later)
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers  on;

        # and then include actual locations
        include sites/*;
    }
}

A very basic proxy_pass location would be: