Let's Encrypt certificates using LEGO
by Emile `iMil' Heitor - 2020-03-02
This post is more like a self-reminder on how I set up automatic SSL/TLS certificate renewal on my servers.
I chose LEGO to handle my certificate renewals with Let's Encrypt because it's simple to use, has no dependencies, has great documentation and is worked on at a constant pace.
I found this and this article very useful, but they are outdated in their use of the tls and http parameters. So here are my notes.
This procedure is Debian GNU/Linux based, but I also used it pretty much as-is on NetBSD and FreeBSD; only the nginx-related PATHs changed.
nginx
In /etc/nginx/sites-available/default:
include /etc/nginx/sites-available/letsencrypt;
Which contains:
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:8181;
proxy_set_header Host $host;
}
Check the nginx.conf syntax, then reload it.
$ sudo nginx -t
$ sudo nginx -s reload
Let’s Encrypt
Go to a writable directory where LEGO will write the challenges.
$ cd ~/www/letsencrypt
To request and install a new certificate, first prepare nginx.conf:
/etc/nginx/sites-available/https:
listen 443 ssl;
listen [::]:443 ssl;
server_name korriban.imil.net;
ssl_certificate /usr/local/etc/letsencrypt/certificates/korriban.imil.net.crt;
ssl_certificate_key /usr/local/etc/letsencrypt/certificates/korriban.imil.net.key;
Then execute LEGO with the desired parameters:
$ sudo lego --email="imil@home.imil.net" --domains="korriban.imil.net" --http.port :8181 --http --path=/usr/local/etc/letsencrypt run
And check / reload nginx.
If you need a multi-domain certificate, simply add multiple --domains parameters.
To renew the certificate if it expires within 30 days:
$ sudo /usr/local/bin/lego --email="imil@home.imil.net" --domains="korriban.imil.net" --http.port :8181 --http --path=/usr/local/etc/letsencrypt renew --days 30
Automatic renewal
$ cat bin/lerenew.sh
#!/bin/sh
cd /home/imil/www/letsencrypt
/usr/local/bin/lego --email="imil@home.imil.net" --domains="korriban.imil.net" --http.port :8181 --http --path=/usr/local/etc/letsencrypt renew --days 30
nginx -s reload
cron
00 3 * * * /home/imil/bin/lerenew.sh >/home/imil/log/lerenew.log 2>&1
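A variant of lerenew.sh, added here as an example and not part of the original post: it reloads nginx only when the certificate file actually changed (compared by cksum against a recorded stamp) and only after nginx -t passes, so an unchanged certificate or a failed renewal does not trigger a nightly reload. The stamp path /var/tmp/lerenew.cksum and the cert_changed helper are assumptions; the lego command line is the post's own.

```shell
#!/bin/sh
# Added example, not from the post: a lerenew.sh variant that reloads nginx
# only when the certificate file actually changed and `nginx -t` passes.
# The stamp file location is an assumption.
set -u

CERT=/usr/local/etc/letsencrypt/certificates/korriban.imil.net.crt
STAMP=/var/tmp/lerenew.cksum   # assumed: where the last seen checksum is kept

# cert_checksum FILE: print the POSIX cksum of FILE (same on Debian, NetBSD, FreeBSD).
cert_checksum() {
    cksum "$1" | awk '{ print $1 }'
}

# cert_changed FILE STAMPFILE: return 0 (changed) when FILE's checksum differs
# from the one recorded in STAMPFILE, or when no stamp exists yet, and record
# the new checksum; return 1 (unchanged) otherwise.
cert_changed() {
    new=$(cert_checksum "$1")
    old=""
    if [ -r "$2" ]; then
        old=$(cat "$2")
    fi
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$2"
    return 0
}

# renew_and_reload: the post's renewal command, followed by a conditional reload.
renew_and_reload() {
    cd /home/imil/www/letsencrypt || return 1
    /usr/local/bin/lego --email="imil@home.imil.net" --domains="korriban.imil.net" \
        --http.port :8181 --http --path=/usr/local/etc/letsencrypt renew --days 30 || return 1
    if cert_changed "$CERT" "$STAMP"; then
        # Refuse to reload on a broken config; the old certificate keeps serving meanwhile.
        nginx -t && nginx -s reload
    else
        echo "certificate unchanged, nginx not reloaded"
    fi
}

# Only run the job when invoked as lerenew.sh (as from cron); sourcing the
# file just defines the functions.
case "${0##*/}" in
    lerenew.sh) renew_and_reload ;;
esac
```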
reload mail system
My mail system also uses Let's Encrypt certificates. It is hosted on virtual machines in the same subnet as the web server, which exports /usr/local/etc/letsencrypt/ via NFS. The mail server runs NetBSD. In order to watch for any modifications in the certificates directory, I use direvent, which will call a script to reload both dovecot and postfix:
$ cat /usr/pkg/etc/direvent.conf
syslog {
facility local0;
tag "direvent";
print-priority yes;
}
watcher {
path /usr/local/etc/letsencrypt/certificates;
event write;
command "/home/imil/bin/mailrestart.sh";
}
$ cat bin/mailrestart.sh
#!/bin/sh
/usr/sbin/postfix reload
/usr/pkg/bin/doveadm reload
su imil -c 'echo "done"|mail -s "postfix and dovecot reloaded" imil'
direvent is started from /etc/rc.local as there's no init script given with the package.
/usr/pkg/bin/direvent /usr/pkg/etc/direvent.conf