How to: Install Let’s Encrypt certificates

Hi

For information, I followed these steps using the new letsencrypt script, certbot

/etc/ssowat/conf.json.persistent is

{
    "redirected_urls": {},
    "unprotected_urls": [
        "my.domain/.well-known/acme-challenge"
    ]
}

/etc/nginx/conf.d/my.domain.d/certbot.conf is

# Serve the ACME HTTP-01 challenge files from the certbot webroot
location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root        /etc/letsencrypt/webroot;
}

Then roughly

sudo su
# certbot comes from jessie-backports on Debian 8
apt-get install certbot -t jessie-backports -y
# the directory nginx serves for /.well-known/acme-challenge (see certbot.conf above)
mkdir -p /etc/letsencrypt/webroot
service nginx restart
# keep a copy of the original YunoHost certs so the change can be reverted
cd /etc/yunohost
cp -r certs certs.backup
# when certbot asks how to authenticate, choose "webroot" and give /etc/letsencrypt/webroot
certbot certonly -d my.domain
cd /etc/yunohost/certs/my.domain
rm crt.pem key.pem
# point YunoHost at the certbot-managed files; the live/ symlinks are updated on every renewal
ln -sf /etc/letsencrypt/live/my.domain/privkey.pem key.pem
ln -sf /etc/letsencrypt/live/my.domain/fullchain.pem crt.pem
# let the metronome (XMPP) group traverse live/ and archive/; note this applies to
# the whole tree, i.e. the key material of every domain certbot manages, not only my.domain
chown root:metronome /etc/letsencrypt/live /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live /etc/letsencrypt/archive

Last is automatic renewal with /etc/systemd/system/letsencrypt.service

[Unit]
Description=Renews letsencrypt certificates with certbot
After=network.target

[Service]
Type=oneshot
WorkingDirectory=/etc/letsencrypt
ExecStart=/usr/bin/certbot renew

And a timer /etc/systemd/system/letsencrypt.timer

[Unit]
Description=letsencrypt timer

[Timer]
OnCalendar=daily
Persistent=true
Unit=letsencrypt.service

[Install]
WantedBy=basic.target

Last but not least, you need to reload nginx after a certificate renewal

mkdir /etc/systemd/system/letsencrypt.service.d

And /etc/systemd/system/letsencrypt.service.d/nginx.conf

[Service]
ExecStartPost=/bin/systemctl reload nginx

A simple test

date
systemctl restart letsencrypt.service
journalctl -xn

Here’s my result

mercredi 22 juin 2016, 23:00:29 (UTC+0200)
juin 22 23:01:17 yunohost.my.domain certbot[17723]: -------------------------------------------------------------------------------
juin 22 23:01:17 yunohost.my.domain certbot[17723]: Processing /etc/letsencrypt/renewal/my.domain.conf
juin 22 23:01:17 yunohost.my.domain certbot[17723]: -------------------------------------------------------------------------------
juin 22 23:01:17 yunohost.my.domain certbot[17723]: The following certs are not due for renewal yet:
juin 22 23:01:17 yunohost.my.domain certbot[17723]: /etc/letsencrypt/live/my.domain/fullchain.pem (skipped)
juin 22 23:01:17 yunohost.my.domain certbot[17723]: No renewals were attempted.

Thanks @CaptainSqrt2 for the steps, this article for the systemd stuff and letsencrypt

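As an added check (not part of the post above), here is a small script for verifying the result of the symlink step and of each renewal: it confirms that crt.pem and key.pem in the YunoHost domain directory are symlinks, that the private key actually belongs to the certificate, and that the certificate is still valid for a minimum number of days (certbot renews at 30 days, so anything below that after a successful timer run points at a problem). It assumes the directory layout from the post (/etc/yunohost/certs/<domain>/ linking into /etc/letsencrypt/live/<domain>/) and only needs the openssl command-line tool; make_fixture builds a throwaway self-signed certificate in a temporary directory so the checks can be tried without a real Let's Encrypt certificate.

```shell
#!/bin/sh
# Added post-renewal sanity checks; not from the original post. Assumes the
# post's layout: /etc/yunohost/certs/<domain>/{crt,key}.pem -> /etc/letsencrypt/live/<domain>/.

# Return 0 when the certificate's public key matches the private key, 1 on mismatch,
# 2 when either file cannot be parsed.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Return 0 when the certificate is still valid for at least $2 days.
# openssl -checkend exits 0 only if the cert does not expire within the given seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Check one YunoHost domain directory: both files are symlinks, key matches cert,
# and at least $2 days (default 20) remain before expiry.
check_domain() {
    dir="$1"; min_days="${2:-20}"
    for f in crt.pem key.pem; do
        [ -L "$dir/$f" ] || { echo "$dir/$f is not a symlink"; return 1; }
    done
    cert_key_match "$dir/crt.pem" "$dir/key.pem" \
        || { echo "private key does not match certificate in $dir"; return 1; }
    cert_valid_for_days "$dir/crt.pem" "$min_days" \
        || { echo "$dir/crt.pem expires in less than $min_days days"; return 1; }
    echo "$dir: OK"
}

# Build a constructed fixture in a temp dir: a 45-day self-signed cert plus an
# unrelated key, laid out like the post's directories. Prints the temp dir.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/live/my.domain" "$tmp/certs/my.domain"
    openssl req -x509 -newkey rsa:2048 -nodes -days 45 -subj '/CN=my.domain' \
        -keyout "$tmp/live/my.domain/privkey.pem" \
        -out "$tmp/live/my.domain/fullchain.pem" >/dev/null 2>&1
    openssl genrsa -out "$tmp/other.key" 2048 >/dev/null 2>&1
    ln -s "$tmp/live/my.domain/privkey.pem"   "$tmp/certs/my.domain/key.pem"
    ln -s "$tmp/live/my.domain/fullchain.pem" "$tmp/certs/my.domain/crt.pem"
    echo "$tmp"
}

# Usage: sh check-certs.sh /etc/yunohost/certs/my.domain [min_days]
if [ "$#" -ge 1 ]; then
    check_domain "$@"
fi
```

Running it as ExecStartPost in the letsencrypt.service drop-in (after the nginx reload) turns a silent renewal failure into a non-zero unit status that journalctl shows.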