nginx let's encrypt support

Please add support for Let's Encrypt to the nginx module

regards

Status: Active

Comments

A system using Nginx should still be able to request a Let's Encrypt cert on the SSL Certificate page in Virtualmin.

To support letsencrypt in nginx, Virtualmin needs to:

  1. add a directive on the vhost config to give access to the acme-challenge directory
  2. add a directive on the vhost config like: "ssl_certificate /home/domain/chained.cert;"

Without 1. the ssl verify will fail.
Without 2. the renew will fail.

  1.

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /home/domain/public_html;
    }

    location = /.well-known/acme-challenge/ {
        return 404;
    }

  2.

    wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
    cat /home/domain/ssl.cert intermediate.pem > /home/domain/chained.cert

sources:

https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable...
https://community.letsencrypt.org/t/issues-with-nginx-and-redirects-usin...

Submitted by unborn on Mon, 05/02/2016 - 07:32 Pro Licensee

As it said here: currently supports Apache automation, nginx support coming soon, and in current features: nginx/0.8.48+ (highly experimental, not included in letsencrypt-auto) - so this is really up to letsencrypt.

Yeah, I know that, but I am already using nginx, virtualmin and letsencrypt with a partially automated process and it's working. For me the only missing parts are in Virtualmin.

Point 2 has to run after a renew is issued, or editing config files will throw a config file error.

first request:

  A. set up 1.
  B. request certificate first time
  C. run 2.

renew:

  A. renew
  B. run 2.

Regarding the chained cert, to get this working manually did you need to add two ssl_certificate lines (one for the real cert, and one for the CA cert)?

actually this is the config:

ssl_certificate /home/domain/chained.cert;
ssl_certificate_key /home/domain/ssl.key;

Does /home/domain/chained.cert contain both the domain's cert, and the Let's Encrypt CA cert?

So in the current code, the Let's Encrypt CA cert should already be added to the file referenced by the ssl_certificate line.

Can you tell us more about exactly what gets put in that file if you use Let's Encrypt for a new domain?

I'm not an SSL expert and I learned about chained.cert only after reading the Let's Encrypt forum: https://community.letsencrypt.org/t/issues-with-nginx-and-redirects-usin...

I found this, too: http://serverfault.com/questions/472818/should-i-include-the-root-ca-cer...

I think that the chained.cert is needed for more compatibility (with less performance)... but I'm not 100% sure about that.

In the current code I see that Virtualmin creates three different files: ssl.ca, ssl.cert, ssl.key

When Nginx is being used, the contents of ssl.ca should get appended to ssl.cert

Yes, you're right, confirmed!

I was confused because I checked the wrong virtual host, which meanwhile had some problem updating the certs.
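The chain-building step discussed in this thread (domain cert first, CA cert appended, rerun after every renewal), as an added example that is not Virtualmin's or any poster's code. It assumes the `ssl.cert` and `ssl.ca` files named above; the function name `build_chain` is hypothetical.

```shell
#!/bin/sh
# Added example: rebuild the bundle that nginx's ssl_certificate points at.
# Usage: build_chain LEAF_CERT CA_CERT OUTPUT   (build_chain is a hypothetical name)
build_chain() {
    bc_leaf=$1; bc_ca=$2; bc_out=$3
    bc_begin='-----BEGIN CERTIFICATE-----'
    bc_end='-----END CERTIFICATE-----'

    # Refuse to build from a missing or empty input (e.g. a failed renewal).
    if [ ! -s "$bc_leaf" ] || [ ! -s "$bc_ca" ]; then
        echo "build_chain: missing or empty input" >&2
        return 1
    fi

    # Work in a temp file beside the target so the final rename is atomic
    # and nginx never reads a half-written bundle.
    bc_tmp=$(mktemp "${bc_out}.XXXXXX") || return 1

    # Domain cert first, CA cert second. Each awk run strips CRs, drops blank
    # lines and ends every line with a newline, so a leaf file lacking a final
    # newline cannot fuse its END marker with the next BEGIN marker.
    { awk '{ sub(/\r$/, "") } NF' "$bc_leaf" &&
      awk '{ sub(/\r$/, "") } NF' "$bc_ca"; } > "$bc_tmp" ||
        { rm -f "$bc_tmp"; return 1; }

    # Sanity check: at least two complete PEM blocks, starting with BEGIN.
    bc_nb=$(grep -c -x -e "$bc_begin" "$bc_tmp" || true)
    bc_ne=$(grep -c -x -e "$bc_end" "$bc_tmp" || true)
    if [ "$bc_nb" -lt 2 ] || [ "$bc_nb" -ne "$bc_ne" ] ||
       [ "$(head -n 1 "$bc_tmp")" != "$bc_begin" ]; then
        echo "build_chain: malformed PEM, keeping old $bc_out" >&2
        rm -f "$bc_tmp"
        return 1
    fi

    # Certificates are public; the private key file is not touched here.
    chmod 644 "$bc_tmp" && mv -f "$bc_tmp" "$bc_out"
}
```

After a renewal this would be called as `build_chain /home/domain/ssl.cert /home/domain/ssl.ca /home/domain/chained.cert`, followed by `nginx -t` before reloading so a bad bundle never reaches the running server.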