FULL CREDIT TO: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
Copied here in case that site ever goes down, I use this for my own reference.
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. At the time of this writing, automatic renewal is still not available as a feature of the client itself, but you can manually renew your certificates by running the Let’s Encrypt client again.
A practical way to ensure your certificates won’t get outdated is to create a cron job that will automatically handle the renewal process for you. In order to avoid the interactive, menu-driven process that we used earlier, we will use different parameters when calling the Let’s Encrypt client in the cron job.
We will use Webroot plugin, instead of the Standalone plugin used earlier, because it allows your server to validate your domain without stopping your web server. The Webroot plugin adds a hidden file to your web server’s document root, which the Let’s Encrypt CA can read to verify your domain.
How To Use the Webroot Plugin
The Webroot plugin works by placing a special file in the ./well-known directory within your document root, which can be opened (through your web server) by the Let’s Encrypt service for validation. Depending on your configuration, you may need to explicitly allow access to the /.well-known directory. To ensure that the directory is accessible to Let’s Encrypt for validation, let’s make a quick change to our Nginx configuration. Open it for editing:
- sudo nano /etc/nginx/sites-enabled/default
Under the ssl server block, add this location block:
location ~ /.well-known {
allow all;
}
You will also want look up what your document root is set to by searching for the root directive, as the path is required to use the Webroot plugin. If you’re using the default configuration file, the root will be/usr/share/nginx/html.
Save and exit.
Now that we know our webroot-path, we can use the Webroot plugin to renew our certificate with this commands. Here, we are also specifying our domain names with the -d option. Note that you should replace the highlighted parts with the appropriate webroot path and domain names:
- cd /opt/letsencrypt
- ./letsencrypt-auto certonly -a webroot –agree-tos –renew-by-default –webroot-path=/usr/share/nginx/html -d example.com -d www.example.com
Once that succeeds, you will need to reload your Nginx service to use the renewed certificate:
- sudo service nginx reload
Now that we know the commands that we need to renew our certificate, we can automate this process using scripts and a cron job.
Create a Let’s Encrypt Configuration File
Before moving on, let’s simplify our renewal process by creating a Let’s Encrypt configuration file at/usr/local/etc/le-renew-webroot.ini.
- sudo cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
Now open the file for editing;
- sudo nano /usr/local/etc/le-renew-webroot.ini
Next, uncomment the email, domains, and webroot-path lines, and update them with your own information. When you are done, the file (with comments removed) should look something like this:
rsa-key-size = 4096
email = [email protected]
domains = example.com, www.example.com
webroot-path = /usr/share/nginx/html
Now, instead of specifying the webroot path and domain names in the command, we can use the Let’s Encrypt configuration file to fill in the blanks. Assuming your configuration file is correct, this command can be used to renew your certificate:
cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini
Now let’s create a script that we can use to renew our certificate.
Create a Renewal Script
To automate the renewal process, we will use a shell script that will verify the certificate expiration date for the provided domain and request a renewal when the expiration is less than 30 days away. This script will be scheduled to run once a week. This way, even if a cron job fails, there’s a 30-day window to try again every week.
First, download the script and make it executable. Feel free to review the contents of the script before downloading it.
- sudo curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
- sudo chmod +x /usr/local/sbin/le-renew-webroot
The le-renew-webroot script takes as argument the domain name whose certificate you want to check for renewal. When the renewal is not yet necessary, it will simply output how many days are left until the given certificate expiration.
Note: The script will not run if the /usr/local/etc/le-renew-webroot.ini file does not exist. Also, be sure that the first domain that is specified in the configuration file is the same as the first domain you specified when you originally created the certificate.
If you run the script now, you will be able to see how many days are left for this certificate to expire:
- sudo le-renew-webroot
Checking expiration date for example.com...
The certificate is up to date, no need for renewal (89 days left).
Next, we will edit the crontab to create a new job that will run this command every week. To edit the crontab for the root user, run:
- sudo crontab -e
Include the following content, all in one line:
30 2 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
Save and exit. This will create a new cron job that will execute the le-renew-webroot command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at/var/log/le-renewal.log.
Conclusion
That’s it! Your web server is now using a free Let’s Encrypt TLS/SSL certificate to securely serve HTTPS content.