Hi
For information, I followed these steps using the new letsencrypt script, certbot.
/etc/ssowat/conf.json.persistent is:
{
"redirected_urls": {},
"unprotected_urls" : [
"my.domain/.well-known/acme-challenge"
]
}
/etc/nginx/conf.d/my.domain.d/certbot.conf is:
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /etc/letsencrypt/webroot;
}
Then, roughly:
sudo su
apt-get install certbot -t jessie-backports -y
mkdir /etc/letsencrypt/webroot
service nginx restart
cd /etc/yunohost
cp -r certs certs.backup
certbot certonly -d my.domain
# webroot into /etc/letsencrypt/webroot
cd /etc/yunohost/certs/my.domain
rm crt.pem key.pem
ln -sf /etc/letsencrypt/live/my.domain/privkey.pem key.pem
ln -sf /etc/letsencrypt/live/my.domain/fullchain.pem crt.pem
chown root:metronome /etc/letsencrypt/live /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live /etc/letsencrypt/archive
Last is automatic renewal with /etc/systemd/system/letsencrypt.service:
[Unit]
Description=Renews letsencrypt certificates with certbot
After=network.target
[Service]
Type=oneshot
WorkingDirectory=/etc/letsencrypt
ExecStart=/usr/bin/certbot renew
And a timer, /etc/systemd/system/letsencrypt.timer:
[Unit]
Description=letsencrypt timer
[Timer]
OnCalendar=daily
Persistent=true
Unit=letsencrypt.service
[Install]
WantedBy=basic.target
Last but not least, you need to reload nginx after a certificate renewal:
mkdir /etc/systemd/system/letsencrypt.service.d
And /etc/systemd/system/letsencrypt.service.d/nginx.conf:
[Service]
ExecStartPost=/bin/systemctl reload nginx
A simple test:
date
systemctl restart letsencrypt.service
journalctl -xn
Here's my result:
mercredi 22 juin 2016, 23:00:29 (UTC+0200)
juin 22 23:01:17 yunohost.my.domain certbot[17723]: -------------------------------------------------------------------------------
juin 22 23:01:17 yunohost.my.domain certbot[17723]: Processing /etc/letsencrypt/renewal/my.domain.conf
juin 22 23:01:17 yunohost.my.domain certbot[17723]: -------------------------------------------------------------------------------
juin 22 23:01:17 yunohost.my.domain certbot[17723]: The following certs are not due for renewal yet:
juin 22 23:01:17 yunohost.my.domain certbot[17723]: /etc/letsencrypt/live/my.domain/fullchain.pem (skipped)
juin 22 23:01:17 yunohost.my.domain certbot[17723]: No renewals were attempted.
Thanks @CaptainSqrt2 for the steps, this article for the systemd stuff, and letsencrypt.
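The symlink-plus-permissions layout in the steps above breaks silently if a renewal leaves a dangling link or the live/archive directories lose group access, so here is an added check script (mine, not from the post, YunoHost or certbot); it assumes the paths and the metronome group exactly as the post uses them and takes them as arguments.

```sh
#!/bin/sh
# Added example, not part of the original post: verify the symlinked-certificate
# layout the post sets up. Assumptions: $cert_dir holds crt.pem/key.pem as
# symlinks, $le_dir is the certbot tree (/etc/letsencrypt), and $grp is the
# group that must be able to traverse live/ and archive/ (metronome in the post).
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_yunohost_certs() {
  cert_dir=$1; le_dir=$2; domain=$3; grp=$4
  status=0
  # 1. crt.pem/key.pem must be symlinks to the *live* files (a copy of the
  #    archive file would go stale on the next certbot renew).
  for pair in crt.pem:fullchain.pem key.pem:privkey.pem; do
    link=${pair%%:*}; want="$le_dir/live/$domain/${pair#*:}"
    path="$cert_dir/$link"
    if [ ! -L "$path" ]; then
      echo "FAIL: $path is not a symlink"; status=1; continue
    fi
    target=$(readlink "$path")
    if [ "$target" != "$want" ]; then
      echo "FAIL: $path -> $target (expected $want)"; status=1; continue
    fi
    # -e follows the whole link chain: catches a dangling link after a renewal
    if [ ! -e "$path" ]; then
      echo "FAIL: $path is dangling (target missing)"; status=1
    fi
  done
  # 2. live/ and archive/ must belong to $grp and be group-traversable (g+rx),
  #    otherwise the non-root service cannot read the key through the link.
  for d in "$le_dir/live" "$le_dir/archive"; do
    info=$(stat -c '%A %G' "$d" 2>/dev/null) || { echo "FAIL: $d missing"; status=1; continue; }
    mode=${info%% *}; owner_grp=${info#* }
    [ "$owner_grp" = "$grp" ] || { echo "FAIL: $d group is $owner_grp, expected $grp"; status=1; }
    case "$mode" in
      ????r?x*) ;;   # group r and x bits set
      *) echo "FAIL: $d mode $mode lacks g+rx"; status=1 ;;
    esac
  done
  return "$status"
}
# Real invocation for the layout in the post (run as root so the key is visible):
#   check_yunohost_certs /etc/yunohost/certs/my.domain /etc/letsencrypt my.domain metronome
```

Run it from the ExecStartPost of the renewal service, or by hand after the `systemctl restart letsencrypt.service` test, to confirm the links still resolve.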