Debian 8: installing a Let's Encrypt certificate for Nginx



The client is also available in the Debian testing repository, and it has been backported, so you can enable the jessie-backports repository and install the Let's Encrypt client on Debian 8 with apt. (That is what occurred to me when I found the client in the Debian 9 repository.)

Open the sources.list file (/etc/apt/sources.list) with the nano text editor,

then add the jessie-backports repository line at the end of the file.

Then update the local package index and install the letsencrypt package from jessie-backports. A plain apt-get install would not pick a backport; the backports release has to be targeted explicitly.
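The three steps above as one re-runnable script, added here as an example (it is not the post's own commands). It assumes the ftp.debian.org mirror, a drop-in file under /etc/apt/sources.list.d/ rather than editing sources.list directly, and the package name letsencrypt that the post installs:

```sh
#!/bin/sh
# Added example, not code from the original post: enable jessie-backports and
# install the Let's Encrypt client on Debian 8. The mirror URL and the use of
# a drop-in file under /etc/apt/sources.list.d/ are this script's choices.
set -e

BACKPORTS_LINE="deb http://ftp.debian.org/debian jessie-backports main"

# Append the backports entry to an apt sources file, but only if that exact
# line is not already present, so re-running the script never duplicates it
# (apt warns about duplicate entries on every update).
add_backports_repo() {
    file="$1"
    if grep -qxF "$BACKPORTS_LINE" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$BACKPORTS_LINE" >> "$file"
}

# Number of times the entry occurs in a file; used to verify idempotence.
count_backports_lines() {
    grep -cxF "$BACKPORTS_LINE" "$1" || true
}

# Refresh the index and pull the client from backports. -t targets the
# jessie-backports release; without it apt prefers the stable archive, which
# does not carry the client at all. Newer backports builds ship the package as
# "certbot" with "letsencrypt" kept as a transitional package, so either name
# resolves.
install_letsencrypt() {
    add_backports_repo /etc/apt/sources.list.d/jessie-backports.list
    apt-get update
    apt-get install -y -t jessie-backports letsencrypt
    letsencrypt --version
}

case "${1:-}" in
    install) install_letsencrypt ;;
    *) echo "usage: $0 install    (run as root on Debian 8)" ;;
esac
```

Run it as `sh install-le.sh install` as root; running it twice is harmless because the repository line is only appended when absent.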

Obtain a Free TLS/SSL Certificate with the Standalone Plugin

When you request a certificate with the standalone plugin, the letsencrypt client temporarily runs its own small web server to answer the validation challenge, binding port 80 (and, depending on the challenge type it negotiates, possibly 443 as well). If Nginx is installed and running, stop it first with the following command so the ports are free.

Then issue the following command to obtain the certificate.

The certonly subcommand tells the client to obtain the certificate but not to install it, because the client has no automatic Nginx configuration at the time of writing.

The email address is used for urgent notices (expiry and security issues) and for account recovery. Replace <your-email-address> with your real address. The -d option specifies the domain name; replace <your-domain-name> with your real domain name, and repeat -d for each additional name you want on the certificate. The domain's DNS record must already point to the public IP address of your Debian 8 server, otherwise domain validation will fail.

You will be asked to select the authentication method. Select the second option (the standalone plugin) and hit Enter.


Within a few seconds you should see a congratulations message like the one below.

Your certificate and chain are saved at /etc/letsencrypt/live/your-domain-name/fullchain.pem, with the private key next to it as privkey.pem. That key is readable by root only; keep it that way.
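The standalone procedure above as a script, added here as an example (it is not the post's own commands). It assumes the letsencrypt client from jessie-backports with its --standalone, --non-interactive and --agree-tos flags, that Nginx is managed through `service`, and that the script runs as root:

```sh
#!/bin/sh
# Added example, not code from the original post: obtain a certificate with
# the standalone plugin, stopping Nginx only for the duration of the run and
# starting it again even if issuance fails. The client flags used here
# (--standalone, --non-interactive, --agree-tos) are assumed from the
# jessie-backports letsencrypt client; check `letsencrypt --help all` on
# your box.
set -e

# Commands used to inspect and control Nginx. They are variables so the
# stop/run/start logic can be exercised without a real init system
# (Debian 8 uses systemd; `service` works for both sysvinit and systemd).
: "${NGINX_IS_RUNNING:=service nginx status}"
: "${NGINX_STOP:=service nginx stop}"
: "${NGINX_START:=service nginx start}"

# Where the client puts the current certificate files for a domain.
live_path() {
    printf '/etc/letsencrypt/live/%s/%s\n' "$1" "$2"
}

# Run a command with Nginx stopped (only if it was running), then bring Nginx
# back regardless of the outcome, and propagate the command's exit status.
with_nginx_stopped() {
    was_running=0
    if $NGINX_IS_RUNNING >/dev/null 2>&1; then
        was_running=1
        $NGINX_STOP
    fi
    rc=0
    "$@" || rc=$?
    if [ "$was_running" = 1 ]; then
        $NGINX_START
    fi
    return "$rc"
}

# Request the certificate for DOMAIN with the standalone plugin. certonly
# fetches the certificate without touching any web server config, which is
# what we want since the client cannot configure Nginx for us.
issue_standalone() {
    domain="$1"
    email="$2"
    with_nginx_stopped letsencrypt certonly --standalone --non-interactive \
        --agree-tos --email "$email" -d "$domain"
    echo "certificate and chain: $(live_path "$domain" fullchain.pem)"
    echo "private key:           $(live_path "$domain" privkey.pem)"
}

case "${1:-}" in
    issue) issue_standalone "$2" "$3" ;;
    *) echo "usage: $0 issue <domain> <email>    (run as root)" ;;
esac
```

`sh issue.sh issue example.com admin@example.com` does the stop, the request and the start in one go. If the client fails, Nginx is still started again and the script exits non-zero, so the outage is limited to the seconds the client needs and a calling script notices the failure.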

Install the TLS/SSL Certificate with Nginx

Install Nginx with the following command if you have not already done so.

Then create a server block configuration file.

Here is a sample TLS/SSL configuration for Nginx.

Save and close the file. Test the configuration and restart Nginx.
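A complete server block of the kind the text refers to, added here as an example (it is not the post's own sample config). It assumes the Debian sites-available/sites-enabled layout, a default web root of /var/www/html, and the DH parameter file /etc/ssl/certs/dhparam.pem that the hardening section at the end of the post generates; the TLS 1.2-only policy, the cipher list and the HSTS header are this example's choices:

```sh
#!/bin/sh
# Added example, not the original post's sample config: render a Debian-style
# server block for a Let's Encrypt certificate and enable it. The domain and
# webroot come from the command line; the cipher list, TLS 1.2-only policy,
# HSTS header and /etc/ssl/certs/dhparam.pem path are this example's choices.
# Nginx 1.6 (Debian 8) has no http2 and no `always` on add_header, so neither
# is used.
set -e

# Print a complete site config for DOMAIN served from WEBROOT. Port 80 stays
# open only for the ACME challenge path (so the webroot plugin can renew
# without stopping Nginx) and redirects everything else to HTTPS.
render_site_config() {
    domain="$1"
    webroot="$2"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;

    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        default_type "text/plain";
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain;
    root $webroot;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Only enable once everything on this host is reachable over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Write the config into sites-available, enable it, and reload only if the
# config test passes so a typo never takes the server down.
install_site_config() {
    domain="$1"
    webroot="$2"
    render_site_config "$domain" "$webroot" > "/etc/nginx/sites-available/$domain"
    ln -sf "/etc/nginx/sites-available/$domain" "/etc/nginx/sites-enabled/$domain"
    nginx -t
    service nginx reload
}

case "${1:-}" in
    install) install_site_config "$2" "${3:-/var/www/html}" ;;
    *) echo "usage: $0 install <domain> [webroot]    (run as root)" ;;
esac
```

Generate the DH parameters before running `install`, or remove the ssl_dhparam line, because `nginx -t` refuses a configuration whose ssl_dhparam file does not exist. The plain-HTTP server block is deliberately kept, with the challenge path served directly and everything else redirected: a blanket redirect with no exception for /.well-known/acme-challenge/ is the most common reason a later webroot renewal fails.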


Obtain a TLS/SSL Certificate with the Webroot Plugin

Stopping Nginx means downtime for your visitors. The following steps use the webroot plugin, which places the challenge file under your document root, so the certificate can be obtained without stopping Nginx.

First enter the following command.

Then select the first authentication method (the webroot plugin).


Next, hit Enter to enter your web root directory.


Enter your web root directory. The two common web roots on Debian are /var/www/html and /usr/share/nginx/html/. It must be the directory the port-80 server block actually serves, because the client writes the challenge file there and Let's Encrypt fetches it over plain HTTP.


In a few seconds, your certificate will be issued by Let's Encrypt.

The interactive steps above can be automated by adding the following options.

--webroot tells the letsencrypt client to use the webroot plugin, and -w is short for --webroot-path. /var/www/html/ is a common web root, so the following single command obtains a TLS/SSL certificate without stopping Nginx.

You may need to add the following directives to the Nginx server block so that the .well-known directory is reachable: the client writes the challenge response under .well-known/acme-challenge/ inside the web root, and Let's Encrypt requests it over HTTP on port 80, so that path must not be blocked, redirected elsewhere or shadowed by another location block.
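The check a practitioner wants before the webroot run, added here as an example (it is not from the post): it places a probe file where the client will place its challenge response and fetches it over HTTP the way Let's Encrypt will, so a wrong web root or a blocking location block shows up before a validation attempt is wasted. It assumes curl is installed, the client's --webroot/-w, --agree-tos and --non-interactive flags, and a default web root of /var/www/html:

```sh
#!/bin/sh
# Added example, not code from the original post: verify that the webroot
# plugin can work before calling the client. It writes a probe file where the
# client would write its challenge response, fetches it over plain HTTP the way
# Let's Encrypt does, and only then requests the certificate. curl and the
# client flags below are assumptions about the target box.
set -e

# Create the challenge directory under WEBROOT and drop a probe file in it.
# Prints the probe's file name.
write_probe() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="probe-$$-$(date +%s)"
    printf '%s' "$token" > "$dir/$token"
    printf '%s\n' "$token"
}

# Fetch the probe at http://DOMAIN/.well-known/acme-challenge/<probe> and
# compare the body. A mismatch (404, wrong webroot, a location block that
# shadows .well-known, a server that is not reachable on port 80) means
# issuance would fail the same way; failed validations count against the
# per-hostname rate limit, so fix Nginx first. The probe is removed either way.
check_probe() {
    domain="$1"
    webroot="$2"
    token=$(write_probe "$webroot")
    body=$(curl -sS --max-time 10 "http://$domain/.well-known/acme-challenge/$token") || body=""
    rm -f "$webroot/.well-known/acme-challenge/$token"
    if [ "$body" != "$token" ]; then
        echo "probe failed: expected '$token', got '$body'" >&2
        return 1
    fi
    echo "probe ok: Nginx serves $webroot/.well-known/acme-challenge/ for $domain"
}

# Non-interactive issuance with the webroot plugin; Nginx keeps running.
issue_webroot() {
    domain="$1"
    email="$2"
    webroot="$3"
    check_probe "$domain" "$webroot"
    letsencrypt certonly --webroot -w "$webroot" -d "$domain" \
        --email "$email" --agree-tos --non-interactive
}

case "${1:-}" in
    check) check_probe "$2" "${3:-/var/www/html}" ;;
    issue) issue_webroot "$2" "$3" "${4:-/var/www/html}" ;;
    *) echo "usage: $0 check <domain> [webroot] | issue <domain> <email> [webroot]" ;;
esac
```

`sh webroot.sh check example.com` is the step to run after editing the server block; once it prints "probe ok", `issue` obtains the certificate with the same web root. The probe is fetched from the public name, not from localhost, so it also catches DNS that still points elsewhere.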

Renew Let’s Encrypt TLS/SSL Certificate

The letsencrypt configuration directory is /etc/letsencrypt; under it you will find a renewal directory. /etc/letsencrypt/renewal holds one conf file per certificate, which defines how that certificate will be renewed.

Run the following command to test the renewal process on your Debian 8 server (a dry run, which talks to the staging environment and has its own, much higher rate limits):

You will see that the letsencrypt client uses the same plugin and options that were used when the certificate was originally issued. This is the default behaviour.

To change the plugin or options used for renewal, edit the conf file under /etc/letsencrypt/renewal.

Say you used the standalone plugin to obtain the certificate, but now you want to renew with the webroot plugin because you do not want to stop Nginx: open the certificate's conf file.

Keep the first four lines (the cert, privkey, chain and fullchain paths) intact and change the renewal parameters to the following.

Your account ID is the long hexadecimal directory name found under /etc/letsencrypt/accounts/ (nested below the ACME server's hostname).

Then test the renewal process again.

You will see that it is now using the webroot plugin to renew the certificate.

To run the real renewal, simply remove the --dry-run option.

This command renews only the certificates that expire in less than 30 days, so it is safe to run it on a schedule. Open the root user's crontab with the command below

and create a cron job.
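The renewal workflow above as one script, added here as an example (it is not the post's commands): it rewrites the renewal conf to the webroot plugin as described, runs `letsencrypt renew` from cron, and reloads Nginx only when a certificate file actually changed, which the renew command does not do by itself (a renewed certificate on disk does nothing until Nginx re-reads it). It assumes the renewal file layout of the jessie-backports client, the client's --quiet and --dry-run flags, and a 03:30 nightly schedule:

```sh
#!/bin/sh
# Added example, not code from the original post: switch a certificate's
# renewal config from the standalone to the webroot plugin, run renewals from
# cron, and reload Nginx only when a certificate file actually changed. The
# renewal file layout follows the jessie-backports letsencrypt client; the
# `renew --quiet` flag and the cron schedule are this script's assumptions.
set -e

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
: "${RENEW_CMD:=letsencrypt renew --quiet}"
: "${RELOAD_CMD:=service nginx reload}"

# Rewrite the [renewalparams] section of a renewal conf so the next renewal
# uses the webroot plugin. Certificate paths, installer and account lines are
# kept; any earlier authenticator / webroot settings are dropped first so the
# edit is idempotent. The domain comes from the conf file name.
switch_renewal_to_webroot() {
    conf="$1"
    webroot="$2"
    domain=$(basename "$conf" .conf)
    scratch="$conf.tmp"
    awk '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        in_map && substr($0, 1, 1) != "[" { next }
        in_map { in_map = 0 }
        /^authenticator *=/ { next }
        /^webroot_path *=/ { next }
        { print }
    ' "$conf" > "$scratch"
    printf 'authenticator = webroot\nwebroot_path = %s,\n[[webroot_map]]\n%s = %s\n' \
        "$webroot" "$domain" "$webroot" >> "$scratch"
    mv "$scratch" "$conf"
}

# Checksum of every live fullchain so we can tell whether `renew` replaced
# anything (it only renews certificates within 30 days of expiry).
live_fingerprint() {
    cat "$LIVE_DIR"/*/fullchain.pem 2>/dev/null | cksum
}

# Renew what is due and reload Nginx only if a certificate changed; prints
# "reloaded" or "unchanged" so the cron log shows what happened.
renew_and_reload() {
    before=$(live_fingerprint)
    $RENEW_CMD
    after=$(live_fingerprint)
    if [ "$before" != "$after" ]; then
        $RELOAD_CMD
        echo reloaded
    else
        echo unchanged
    fi
}

# Install a nightly cron entry for root that calls this script's renew action,
# replacing any earlier entry that points at the same script.
install_cron() {
    self=$(readlink -f "$0")
    line="30 3 * * * $self renew >> /var/log/letsencrypt-renew.log 2>&1"
    { crontab -l 2>/dev/null | grep -vF "$self renew" || true; printf '%s\n' "$line"; } | crontab -
}

case "${1:-}" in
    switch) switch_renewal_to_webroot "/etc/letsencrypt/renewal/$2.conf" "${3:-/var/www/html}"
            letsencrypt renew --dry-run ;;
    renew)  renew_and_reload ;;
    cron)   install_cron ;;
    *) echo "usage: $0 switch <domain> [webroot] | renew | cron    (run as root)" ;;
esac
```

Run `switch example.com` once to move an existing certificate to the webroot plugin (it ends with a dry run so you see the new plugin in use), `cron` once to install the job, and let cron call `renew` from then on. The account and installer lines are left untouched, so there is no need to look the account ID up.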

Hardening the TLS setup

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Generating 2048-bit parameters takes a few minutes on a small server. Then edit the Nginx config to reference the file with an ssl_dhparam directive, test the configuration and reload Nginx.

