nginx let's encrypt support

Submitted by Kintaro on Thu, 04/14/2016 - 12:01

Please add support to Let's encrypt to nginx module

regards

Status: 
Active

Comments

Submitted by JamieCameron on Thu, 04/14/2016 - 16:14

A system using Nginx should still be able to request a Let's Encrypt cert on the SSL Certificate page in Virtualmin.

Submitted by Kintaro on Mon, 05/02/2016 - 04:59

To support letsencrypt in nginx virtualmin need to:

  1. add a directive on the vhost config to give access the acme-challenge directory
  2. add a directive on the vhost config like: "ssl_certificate /home/domain/chained.cert;"

Without 1. the ssl verify will fail Without 2. the renew will fail

  1. location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /home/domain/public_html; }

location = /.well-known/acme-challenge/ { return 404; }

2. wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem cat /home/domain/ssl.cert intermediate.pem > /home/domain/chained.cert

sources:

https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable... https://community.letsencrypt.org/t/issues-with-nginx-and-redirects-usin...

unborn's picture
Submitted by unborn on Mon, 05/02/2016 - 07:32 Pro Licensee

as it said here: currently supports Apache automation, nginx support coming soon and in current features: nginx/0.8.48+ (highly experimental, not included in letsencrypt-auto) - so this is really upto on letsenctrypt..

Submitted by Kintaro on Tue, 05/03/2016 - 03:45

Yeah I know that but I already using nginx, virtualmin and letsencrypt with a partial automated process and it's working. For me the only missing parts are in Virtualmin.

Point 2 have to run after a renew is issued or editing config files will throw a config file error

first request: A. set up 1. B. request certificate first time C. run 2.

renew: A. renew B. run 2.

Submitted by JamieCameron on Tue, 05/03/2016 - 23:33

Regarding the chained cert, to get this working manually did you need to add two ssl_certificate lines (one for the real cert, and one for the CA cert) ?

Submitted by Kintaro on Thu, 05/12/2016 - 02:55

actually this is the config:

ssl_certificate /home/domain/chained.cert;
ssl_certificate_key /home/domain/ssl.key;

Submitted by JamieCameron on Fri, 05/13/2016 - 00:49

Does /home/domain/chained.cert contain both the domain's cert, and the Let's Encrypt CA cert?

Submitted by JamieCameron on Tue, 05/17/2016 - 06:34

So in the current code, the Let's Encrypt CA cert should already be added to the file referenced by the ssl_certificate line.

Can you tell us more about exactly what gets put in that file if you use Let's Encrypt for a new domain?

Submitted by Kintaro on Tue, 02/21/2017 - 10:36

I'm not an SSL expert and I know about chained.cert only after reading the let's encrypt forum: https://community.letsencrypt.org/t/issues-with-nginx-and-redirects-usin...

I found this, too: http://serverfault.com/questions/472818/should-i-include-the-root-ca-cer...

I think that the chained.cert is needed for more compatibility (with less performance)... but I'm not 100% sure about that.

In the current code I see that virtualmin create three different files: ssl.ca ssl.cert ssl.key

Submitted by JamieCameron on Wed, 02/22/2017 - 16:50

When Nginx is being used, the contents of ssl.ca should get appended to ssl.cert

Submitted by Kintaro on Thu, 02/23/2017 - 04:35

yes you're right confirmed!

I was confused because I checked on a wrong virtualhost that meanwhile got some problem updating the certs.