SSL configuration for Nginx server with Let’s Encrypt (certbot-auto deprecated)

Recently, with the 1.10.0 release, certbot-auto was deprecated. It was an easy way to obtain and renew certificates from Let's Encrypt automatically. There are now other ways to do this.

The first way is to install certbot via snapd, but snapd is only available on current OS releases (for Debian, "buster" 10 and later). If you run an older release, you can use the second way, which I explain below.

Acme.sh

Acme.sh is a script written in plain shell, with no dependency on Python or the official Let's Encrypt client. It implements the ACME protocol and makes it simple to issue, renew and install certificates automatically.

Install

First, get the script:

curl https://get.acme.sh | sh

Or:

wget -O - https://get.acme.sh | sh

Both commands execute whatever the server returns straight in your shell, so on a machine you care about, download the script first, read it, and only then run it. After installation the script adds a cron job (visible in your crontab) that renews the certificates automatically.

Get the cert

As nginx is our webserver, let's get a cert for the domain in nginx mode:

acme.sh --issue --nginx -d example.com

The --nginx flag tells acme.sh to validate the domain through nginx: it finds the server block for example.com, temporarily edits it so the ACME challenge is served, reloads nginx, and restores the original file once validation is done. So this mode is used only to issue the cert; your nginx config files end up unchanged. Note that --nginx and --webroot are two different validation modes, so pass one or the other, not both.

If you would rather not let acme.sh touch the config at all, use webroot mode instead, pointing it at the directory nginx serves for the domain:

acme.sh --issue -d example.com --webroot /var/www/www-root/data/www/example.com/

In that case you add the challenge location yourself, in the server section of your domain's nginx conf file:

location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/www/www-root/data/www/example.com;
}

This tells nginx to serve (not redirect) every request under /.well-known/acme-challenge/ from the given root: with the root directive nginx appends the request URI to the path, so a request for /.well-known/acme-challenge/TOKEN reads /var/www/www-root/data/www/example.com/.well-known/acme-challenge/TOKEN, which is exactly where acme.sh writes the challenge file in webroot mode. The ^~ modifier makes this prefix location win over any regex locations, and allow all overrides deny rules inherited from the server block. Put this in the server block that listens on port 80, because Let's Encrypt starts HTTP-01 validation over plain HTTP, and make sure no catch-all rewrite or redirect matches before it.

There may be a problem at this step, especially if you used the old certbot-auto script. I faced a 404 error, when the external request couldn't reach the acme challenge file. The problem was an included letsencrypt.conf file, which contained another "/.well-known/acme-challenge/" directive. After deleting this line, I got a 200 response for the acme challenge.

In any case, if you see this:

Verify error:Invalid response from http://example.com/.well-known/acme-challenge/some-random-letters

then you need to dig into your nginx config and check whether "/.well-known/acme-challenge/some-random-letters" is actually reachable from the web. Put a test file into the challenge directory and fetch it from outside the server; until that returns the file's contents with a 200, issuing will keep failing. Typical culprits are a second location for the same path in an included file, a catch-all redirect to HTTPS, or a rewrite rule that matches first.
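The check described above, written out as a small probe script. This is an added example, not part of acme.sh or of the original article; the function names (probe_challenge_path, probe_token) and the PROBE_FETCH variable are mine. It assumes the webroot layout used above, where nginx maps /.well-known/acme-challenge/TOKEN onto WEBROOT/.well-known/acme-challenge/TOKEN.

```shell
#!/bin/sh
# Probe that nginx really serves files from the ACME challenge directory.
# Added example for this article; not part of acme.sh. Assumes the webroot
# layout used above: a request for /.well-known/acme-challenge/<token> is
# served from <webroot>/.well-known/acme-challenge/<token>.
#
# PROBE_FETCH is the command used to fetch the URL; it defaults to curl.
# Overriding it (for instance with a local file reader) lets the same logic
# be exercised without a network.
PROBE_FETCH="${PROBE_FETCH:-curl -fsS --max-time 10}"

# Generate an unpredictable token name so a cached or stale file cannot
# produce a false positive. Falls back to a PID/time string without od.
probe_token() {
  if [ -r /dev/urandom ] && command -v od >/dev/null 2>&1; then
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
  else
    echo "probe-$$-$(date +%s)"
  fi
}

# probe_challenge_path WEBROOT BASE_URL
# Writes a token file under WEBROOT/.well-known/acme-challenge/, fetches it
# through BASE_URL and checks that the body matches. Returns 0 on success,
# 1 if the file could not be written, 2 if the fetch failed (404, timeout,
# connection refused), 3 if something answered but with the wrong body
# (another location block, rewrite or redirect is in the way). The token
# file is removed afterwards in every case.
probe_challenge_path() {
  webroot=$1
  base_url=$2
  dir="$webroot/.well-known/acme-challenge"
  token=$(probe_token)
  expected="probe-body-$token"

  mkdir -p "$dir" 2>/dev/null || return 1
  printf '%s' "$expected" > "$dir/$token" || return 1

  got=$($PROBE_FETCH "$base_url/.well-known/acme-challenge/$token" 2>/dev/null)
  status=$?
  rm -f "$dir/$token"

  if [ "$status" -ne 0 ]; then
    echo "probe: fetch failed (exit $status); is the location in the port-80 server block and ahead of other rules?" >&2
    return 2
  fi
  if [ "$got" != "$expected" ]; then
    echo "probe: wrong body returned; another location, rewrite or redirect is serving this path" >&2
    return 3
  fi
  echo "probe: OK, $base_url serves challenge files from $dir"
  return 0
}

# Usage (run the fetch from outside the server if you can, since that is
# where Let's Encrypt validates from):
#   probe_challenge_path /var/www/www-root/data/www/example.com http://example.com
```

A return code of 2 is the 404 case from the article; 3 means the path is reachable but something else answers for it, which is what a stray second location or a redirect looks like from the outside.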

Install the cert to Nginx

Once the cert has been issued, copy it from ~/.acme.sh/example.com to /etc/nginx/certs/example.com (or any folder you prefer; create it first). The files under ~/.acme.sh/ are acme.sh's internal state and must not be referenced from nginx directly, so the copy is a must. Use --install-cert rather than cp: it records the target paths and the reload command, and repeats the copy and the reload after every automatic renewal.

acme.sh --install-cert -d example.com \
--key-file       /etc/nginx/certs/example.com/example.com.key  \
--fullchain-file /etc/nginx/certs/example.com/example.com.cer \
--reloadcmd     "service nginx force-reload"

example.com.key is your private key file; keep it readable only by root (mode 0600), since nginx reads it as root at startup.
example.com.cer is the full chain (your certificate followed by the intermediates), which is what nginx's ssl_certificate expects.

Configure nginx conf file

Now it's time to point the domain conf file at the new certs. Add this to the server block that listens on port 443 (the block also needs listen 443 ssl;, elided here with the rest of it). Keep the port-80 server block as well, since renewals are validated over plain HTTP:

server {
    ...
    ssl_certificate "/etc/nginx/certs/example.com/example.com.cer";
    ssl_certificate_key "/etc/nginx/certs/example.com/example.com.key";
    ...
}

Restart nginx and you are done:

service nginx restart
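A pre-flight script that serves both the --reloadcmd hook from the install step and the final reload here, so that a renewal run (or a hand-edited config) cannot take the site down. This is an added example, not anything shipped with acme.sh or nginx. It assumes the /etc/nginx/certs/DOMAIN/DOMAIN.cer and .key layout used in this article and a hypothetical install path of /usr/local/sbin/nginx-cert-reload; all function names (preflight, key_is_private, cert_matches_key, reload_nginx) and the CERT_DIR variable are mine.

```shell
#!/bin/sh
# Safe reload hook for acme.sh, installed (hypothetically) as
# /usr/local/sbin/nginx-cert-reload and wired in with:
#   acme.sh --install-cert -d example.com ... --reloadcmd "/usr/local/sbin/nginx-cert-reload example.com"
# Added example for this article; not part of acme.sh or nginx. Assumes the
# layout /etc/nginx/certs/<domain>/<domain>.cer and <domain>.key.
# Before touching nginx it refuses to continue if the key is readable by
# other users, if certificate and key do not belong together, or if nginx -t
# rejects the configuration.

CERT_DIR="${CERT_DIR:-/etc/nginx/certs}"

# key_is_private FILE: 0 if FILE exists and is not readable by "other".
key_is_private() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" -perm -o+r)" ]
}

# looks_like_pem FILE KIND: 0 if FILE carries a "-----BEGIN ... KIND-----"
# header; KIND is CERTIFICATE or "PRIVATE KEY" (matches RSA/EC variants too).
looks_like_pem() {
  grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# cert_matches_key CERT KEY: compare the public key embedded in the
# certificate with the public key derived from the private key (both as DER
# hex), so a key/cert mix-up is caught before nginx tries to load it.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
  k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# preflight DOMAIN: run every check and report the first failure.
# Returns 0 only if the files under CERT_DIR/DOMAIN are safe to load.
preflight() {
  cert="$CERT_DIR/$1/$1.cer"
  key="$CERT_DIR/$1/$1.key"
  looks_like_pem "$cert" "CERTIFICATE" || { echo "preflight: $cert is not a PEM certificate" >&2; return 1; }
  looks_like_pem "$key" "PRIVATE KEY" || { echo "preflight: $key is not a PEM private key" >&2; return 1; }
  key_is_private "$key" || { echo "preflight: $key is readable by other users; chmod 600 it" >&2; return 1; }
  if command -v openssl >/dev/null 2>&1; then
    cert_matches_key "$cert" "$key" || { echo "preflight: certificate and key do not match" >&2; return 1; }
  fi
  return 0
}

# reload_nginx: test the configuration first; a reload (unlike a restart)
# keeps existing connections open while the new certificate is picked up.
reload_nginx() {
  nginx -t || return 1
  service nginx reload
}

main() {
  [ -n "$1" ] || { echo "usage: $0 DOMAIN" >&2; return 2; }
  preflight "$1" && reload_nginx
}

# Run main only when executed under the install name, so the functions can
# also be sourced and used on their own.
case "${0##*/}" in nginx-cert-reload) main "$@" ;; esac
```

Because --install-cert remembers the reload command, every later automatic renewal goes through the same checks; a renewal that produces a mismatched or world-readable key fails loudly in the cron output instead of being loaded.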