Letsencrypt
SSL certificates made easy via the script acme.sh
Installation
Before Install
Setting up your server with a Let's Encrypt certificate is easy, though it does require a couple steps. We use the helper script acme.sh for domain verification and easy renewals.
First, you must have your own domain or a subdomain already pointed at the IP address of your server (an A record).
If you need a domain name, there are plenty of registrars; here are two that I personally use: Namecheap. However, if you already own your domain, you can consider transferring it to CloudFlare to potentially save money.
If you are using the CloudFlare DNS option, you can use the DNS verification method rather than the web-root verification method. DNS verification is more resilient and less prone to future issues than web-root, because domain verification does not take place on your server. If you have a CloudFlare proxy in front of your server, for instance, web-root renewals can sometimes fail; DNS verification should not fail where web-root does.
If you'd like to use DNS verification for your CloudFlare domain, make sure you grab your API Key from your CloudFlare Profile (Profile > API Tokens > View Global API Key).
Make sure you keep your API Key safe -- it's as good as your password in terms of modifying the settings on your account.
Setting up Let's Encrypt
In order to start issuing a certificate use the command:
sudo box install letsencrypt
A dialog box will pop up and ask you the domain you'd like to secure with LE:
Enter domain name to secure with LE
docs.swizzin.ltd
And press enter. You'll be asked if you want to use this domain for your default site. If you say yes, the server_name variable in the default nginx configuration will be updated with the provided domain. If you say no, the script will issue a certificate, but not apply it.
You'll be asked if you want to use CloudFlare. If you choose "No", the installer will continue with the web-root (.well-known) domain verification. If you choose "Yes", you'll be asked for your CloudFlare email and API Key (don't worry, these never leave your server -- the key is stored in /root/.acme.sh/account.conf for future renewals). After entering these details, the issuing will continue.
If everything goes well, acme.sh should declare success. If you reload your site, you should now be greeted by a valid SSL certificate, rather than a warning about invalid SSL.
Install options
You can set these variables before running the script to skip the interactive questions. You can also use them in the Advanced setup.
Please note that we have not had a chance to test these values thoroughly; let us know if something does not function as expected when using them.
LE_hostname
- e.g. domain.tld
- Default: Interactive
LE_defaultconf
- Whether or not to install the cert into nginx's default.conf
- Options: yes or no
- Default: Interactive
LE_bool_cf
- Used to specify whether or not to enable the CloudFlare portion of the script
- Note: setting any of the other cf options mentioned below sets this to yes. Set this to no if you want to skip the CloudFlare questions.
- Options: yes or no
- Default: Interactive
LE_cf_email
- Default: Interactive
LE_cf_api
- Default: Interactive
LE_cf_zoneexists
- Note: setting the LE_cf_zone option implies no for this. Set this to yes if your zone already exists.
- Options: yes or no
- Default: Interactive
LE_cf_zone
- Default: Interactive
Renewals
Renewals are handled automatically via the cronjob that acme.sh installs during the initial run. If your server is configured correctly, you shouldn't have to worry about future renewals.
Changing domains (or adding secondaries)
If you decide you've outgrown your old domain or want to update your domain, simply run the script again with:
sudo box install letsencrypt
There are no lock files associated with the LE script, so it can be run as many times as you like to issue certificates for as many domains as you desire.
Certificate and Install Locations
By default, the configuration files for acme.sh reside in:
/root/.acme.sh
This folder contains "account" information and domains currently configured via acme.sh.
SSL certificates are also "installed" into your nginx directory; this is the location you should use in your scripts when configuring where the certificates are located on your machine:
/etc/nginx/ssl/<hostname.ltd>
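The following shell script is an added example and is not part of swizzin's box script or of acme.sh. It ties together three points from this page: it checks that an unattended set of LE_* variables (the Install options above) is a combination the installer can act on, that the hostname's A record resolves to this server (the prerequisite in Before Install), and that the certificate nginx was given under /etc/nginx/ssl/<hostname> is not about to expire, which is how you would notice a silently failing renewal cron job. The hostnames and IP addresses in it are constructed; it assumes getent and openssl are installed, and it does not assume anything about the file names acme.sh places inside the certificate directory.

```sh
#!/bin/sh
# Added example (not swizzin/acme.sh code): pre-flight and post-install checks
# for a Let's Encrypt certificate issued via "sudo box install letsencrypt".
# Hostnames/IPs in the comments are constructed; getent and openssl are assumed.

# le_validate_env: return 0 if the LE_* variables in the environment form a
# combination the installer can act on, otherwise print the reason and return 1.
le_validate_env() {
    local cf_vars
    [ -n "${LE_hostname:-}" ] || { echo "LE_hostname must be set for an unattended run"; return 1; }
    case "${LE_defaultconf:-unset}" in
        yes|no|unset) ;;
        *) echo "LE_defaultconf must be yes or no"; return 1 ;;
    esac
    # Any LE_cf_* variable switches the CloudFlare branch on, so an explicit
    # LE_bool_cf=no next to one of them is a contradiction rather than a skip.
    cf_vars="${LE_cf_email:-}${LE_cf_api:-}${LE_cf_zone:-}${LE_cf_zoneexists:-}"
    if [ -n "$cf_vars" ] && [ "${LE_bool_cf:-}" = "no" ]; then
        echo "LE_bool_cf=no but LE_cf_* variables are set; the installer would enable CloudFlare anyway"
        return 1
    fi
    if [ -n "$cf_vars" ]; then LE_bool_cf=yes; fi
    case "${LE_bool_cf:-unset}" in
        yes)
            if [ -z "${LE_cf_email:-}" ] || [ -z "${LE_cf_api:-}" ]; then
                echo "CloudFlare DNS verification needs both LE_cf_email and LE_cf_api"
                return 1
            fi
            # Setting LE_cf_zone implies LE_cf_zoneexists=no; answering yes as well is ambiguous.
            if [ -n "${LE_cf_zone:-}" ] && [ "${LE_cf_zoneexists:-}" = "yes" ]; then
                echo "LE_cf_zone is set, which implies LE_cf_zoneexists=no; drop one of the two"
                return 1
            fi
            case "${LE_cf_zoneexists:-unset}" in
                yes|no|unset) ;;
                *) echo "LE_cf_zoneexists must be yes or no"; return 1 ;;
            esac ;;
        no|unset) ;;
        *) echo "LE_bool_cf must be yes or no"; return 1 ;;
    esac
    return 0
}

# le_ip_in_list IP LIST: 0 if IP appears as a whole line in the newline-separated LIST.
le_ip_in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# le_dns_check HOST SERVER_IP: 0 if HOST's A record(s) include SERVER_IP.
# Web-root verification cannot succeed before this holds.
le_dns_check() {
    local resolved
    resolved=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u)
    [ -n "$resolved" ] || { echo "$1 does not resolve to any IPv4 address"; return 1; }
    if le_ip_in_list "$2" "$resolved"; then return 0; fi
    echo "$1 resolves to $(printf '%s' "$resolved" | tr '\n' ' ') rather than $2"
    return 1
}

# le_cert_check HOST [DAYS]: inspect every PEM certificate found under
# /etc/nginx/ssl/HOST (whatever names acme.sh installed) and fail if the
# leaf certificate expires within DAYS (default 30). A failure here after
# the first renewal window is the sign that the acme.sh cron job did not run.
le_cert_check() {
    local dir days found f
    dir="/etc/nginx/ssl/$1"; days="${2:-30}"; found=0
    [ -d "$dir" ] || { echo "$dir does not exist; was the certificate applied?"; return 1; }
    for f in "$dir"/*; do
        # Skip anything openssl cannot parse as an X.509 certificate (keys, configs).
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        found=1
        echo "$f: $(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
        openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null \
            || { echo "$f expires within $days days; check the acme.sh cron job"; return 1; }
    done
    [ "$found" -eq 1 ] || { echo "no certificate found in $dir"; return 1; }
}

# Typical use on the server, with constructed values:
#   LE_hostname=docs.example.com LE_bool_cf=no le_validate_env
#   le_dns_check docs.example.com 203.0.113.10 && sudo box install letsencrypt
#   le_cert_check docs.example.com 30
```

Run le_validate_env with the LE_* variables exported before the unattended install, and put le_cert_check in a daily cron entry or monitoring check so that a renewal that stops working is noticed before the certificate in the nginx directory actually expires.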