Skip to main content

Letsencrypt

SSL certificates made easy via the script acme.sh

Installation

Before Install

Setting up your server with a Let's Encrypt certificate is easy, though it does require a couple steps. We use the helper script acme.sh for domain verification and easy renewals.

First, you must have your own domain or a subdomain already pointed at the IP address of your server. (An A Record).

If you need a domain name, there are plenty of registrars, here are two that I personally use Namecheap; however, if you already own your domain, you can consider transferring it to CloudFlare to potentially save money.

If you are using the CloudFlare DNS option, you can use the DNS Verification method rather than the web-root verification method -- this method is a bit more resilient and less prone to future issues than the web-root error as domain verification doesn't take place on your server. If you have a CloudFlare proxy in front of your server (for instance), there can sometimes be issues with renewal which will cause it to fail. The DNS Verification should not fail where the web-root does.

If you'd like to use DNS verification for your CloudFlare domain, make sure you grab your API Key from your CloudFlare Profile (Profile > API Tokens > View Global API Key).

Warning

Make sure you keep your API Key safe -- it's as good as your password in terms of modifying the settings on your account.

Setting up Let's Encrypt

In order to start issuing a certificate use the command:

sudo box install letsencrypt

A dialog box will pop up and ask you the domain you'd like to secure with LE:

Enter domain name to secure with LE
docs.swizzin.ltd

And press enter. You'll be asked if you want to use this domain for your default site. If you say yes, the server_name variable in the default nginx configuration will be updated with the provided domain. If you say no, the script will issue a certificate, but not apply it.

You'll be asked if you want to use CloudFlare. If you choose "No", the installer will continue with the web-root (.well-known) domain verification. If you choose "Yes", you'll be asked for your CloudFlare email and API Key (don't worry, this will never leave your server -- the key is stored in /root/.acme.sh/account.conf for future renewals). After entering these details, the issuing will continue.

If everything goes well, acme.sh should declare success. If you reload your site, you should now be greeted by a valid SSL certificate, rather than a warning about invalid SSL.

Install options

You can set these variables before running the script to skip the interactive questions. You can also use this in the Advanced setup.

Please note that we did not have a chance to test these values extremely thoroughly, let us know if something is not functioning as expected hen using these

  • LE_hostname
    • e.g. domain.tld
    • Default: Interactive
  • LE_defaultconf
    • Whether or not to install the cert into nginx's default.conf
    • Options: yes or no
    • Default: Interactive
  • LE_bool_cf
    • Used to specify whether or not to enable the CloudFlare portion of the script
    • Note setting other cf options mentioned below sets this to yes. Set this to no if you want to skip the cloudflare questions.
    • Options: yes or no
    • Default: Interactive
  • LE_cf_email
    • Default: Interactive
  • LE_cf_api
    • Default: Interactive
  • LE_cf_zoneexists
    • Note setting LE_cf_zone option implies this to no. Set this to yes if your zone already exists.
    • Options: yes or no
    • Default: Interactive
  • LE_cf_zone
    • Default: Interactive

Renewals

Renewals are handled automatically via the cronjob that acme.sh installs during the initial run. If your server is configured correctly, you shouldn't have to worry about future renewals.

Changing domains (or adding secondaries)

If you decide you've outgrown your old domain or want to update your domain, simply run the script again with:

sudo box install letsencrypt

There are no lock files associated with the LE script, so it can be run as many times as you like to issue certificates for as many domains as you desire.

Certificate and Install Locations

By default, the configuration files for acme.sh reside in:

/root/.acme.sh

This folder contains "account" information and domains currently configured via acme.sh.

SSL certificates are "installed" into your nginx directory as well and this is the location you should use with your scripts when configuring where the certificates are located on your machine:

/etc/nginx/ssl/<hostname.ltd>