Let's Encrypt certificates using LEGO

This post is more like a self-reminder on how I set up automatic SSL/TLS certificate renewal on my servers.

I chose LEGO to handle my certificate renewals with Let’s Encrypt because it is simple to use, has no dependencies, has great documentation and is developed at a steady pace.

I found two other articles very useful, but they are outdated in their use of the tls and http parameters. So here are my notes.

This procedure is Debian GNU/Linux based, but I also used it pretty much as-is on NetBSD and FreeBSD; only the nginx-related paths changed.

nginx

In /etc/nginx/sites-available/default:

include /etc/nginx/sites-available/letsencrypt;

Which contains:

location /.well-known/acme-challenge {
	proxy_pass http://127.0.0.1:8181;
	proxy_set_header Host $host;
}

Check the nginx.conf syntax, then reload it.

$ sudo nginx -t
$ sudo nginx -s reload

Let’s Encrypt

Go to a writable directory where LEGO will write the challenges.

$ cd ~/www/letsencrypt

To request and install a new certificate, first prepare nginx.conf:

/etc/nginx/sites-available/https:

	listen			443 ssl;
	listen			[::]:443 ssl;
	server_name		korriban.imil.net;

	ssl_certificate	/usr/local/etc/letsencrypt/certificates/korriban.imil.net.crt;
	ssl_certificate_key	/usr/local/etc/letsencrypt/certificates/korriban.imil.net.key;

Then run LEGO with the desired parameters:

$ sudo lego --email="imil@home.imil.net" --domains="korriban.imil.net" --http.port :8181 --http --path=/usr/local/etc/letsencrypt run

Then check and reload nginx.

If you need a multi-domain certificate, simply pass multiple --domains flags.

To renew the certificate if it expires within 30 days:

$ sudo /usr/local/bin/lego --email="imil@home.imil.net" --domains="korriban.imil.net" --http.port :8181 --http --path=/usr/local/etc/letsencrypt renew --days 30

Automatic renewal

$ cat bin/lerenew.sh
#!/bin/sh

# Run from the directory where LEGO writes its challenge files
cd /home/imil/www/letsencrypt
# Renew only if the certificate expires within 30 days
/usr/local/bin/lego --email="imil@home.imil.net" --domains="korriban.imil.net" --http.port :8181 --http --path=/usr/local/etc/letsencrypt renew --days 30
# Make nginx pick up the renewed certificate
nginx -s reload

cron

00 3 * * * /home/imil/bin/lerenew.sh >/home/imil/log/lerenew.log 2>&1
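A more defensive variant of the lerenew.sh cron job above, as an added example that is not part of the original post: it reloads nginx only when the certificate file actually changed (the same idea as the direvent watcher used for the mail server below), refuses to reload when the config test fails, and exits non-zero so the cron log shows what went wrong. The STATE path and the function names are assumptions of this example; the CERT path is the one from this post.

```sh
#!/bin/sh
# Added example, not part of the original post: a renewal wrapper for the
# lerenew.sh cron job. It reloads nginx only when the certificate file really
# changed, refuses to reload when `nginx -t` fails, and exits non-zero on any
# error so the cron log shows it. STATE is an assumed location.

CERT="${CERT:-/usr/local/etc/letsencrypt/certificates/korriban.imil.net.crt}"
STATE="${STATE:-/var/tmp/lerenew.cksum}"   # checksum of the cert we last reloaded with

# cert_checksum FILE: print the POSIX cksum CRC of FILE; fails if unreadable.
cert_checksum() {
    [ -r "$1" ] || return 1
    cksum < "$1" | cut -d' ' -f1
}

# cert_changed FILE STATEFILE: 0 if FILE differs from the recorded checksum
# (or nothing was recorded yet), 1 if unchanged, 2 if FILE is unreadable.
cert_changed() {
    new=$(cert_checksum "$1") || return 2
    old=$(cat "$2" 2>/dev/null) || old=""
    [ "$new" != "$old" ]
}

# record_checksum FILE STATEFILE: remember the checksum we just reloaded with.
record_checksum() {
    cert_checksum "$1" > "$2"
}

# renew_and_reload LEGO_CMD RELOAD_CMD TEST_CMD
# Runs the renewal, then reloads only if the cert changed and the config test
# passes. Returns 0 on success (reloaded or nothing to do), 2 if the renewal
# failed, 3 if the config test failed, 4 if the reload failed, 5 if the
# certificate file cannot be read. The checksum is recorded only after a
# successful reload, so a failed reload is retried on the next run.
renew_and_reload() {
    lego_cmd="$1"; reload_cmd="$2"; test_cmd="$3"
    $lego_cmd || { echo "lego renew failed" >&2; return 2; }
    cert_changed "$CERT" "$STATE" && rc=0 || rc=$?
    case $rc in
        1) echo "certificate unchanged, nothing to do"; return 0 ;;
        2) echo "cannot read $CERT" >&2; return 5 ;;
    esac
    $test_cmd || { echo "nginx config test failed, not reloading" >&2; return 3; }
    $reload_cmd || { echo "nginx reload failed" >&2; return 4; }
    record_checksum "$CERT" "$STATE"
    echo "certificate changed, nginx reloaded"
}

# Cron usage mirroring the original lerenew.sh (uncomment to use):
# renew_and_reload "/usr/local/bin/lego --email=imil@home.imil.net --domains=korriban.imil.net --http.port :8181 --http --path=/usr/local/etc/letsencrypt renew --days 30" "nginx -s reload" "nginx -t"
```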

reload mail system

My mail system also uses Let’s Encrypt certificates. It is hosted on virtual machines in the same subnet as the web server, which exports /usr/local/etc/letsencrypt/ via NFS. The mail server runs NetBSD. To watch for any modification in the certificates directory I use direvent, which calls a script that reloads both dovecot and postfix:

$ cat /usr/pkg/etc/direvent.conf
syslog {
        facility local0;
        tag "direvent";
        print-priority yes;
}

watcher {
        path /usr/local/etc/letsencrypt/certificates;
        event write;
        command "/home/imil/bin/mailrestart.sh";
}
$ cat bin/mailrestart.sh
#!/bin/sh

/usr/sbin/postfix reload
/usr/pkg/bin/doveadm reload

su imil -c 'echo "done"|mail -s "postfix and dovecot reloaded" imil'

direvent is started from /etc/rc.local, as there’s no init script provided with the package.

/usr/pkg/bin/direvent /usr/pkg/etc/direvent.conf