

Let’s Encrypt

Let’s Encrypt is an automated certificate authority that provides free, domain-validated TLS certificates, obtained using the ACME protocol.

Let’s Encrypt clients

Jessie (Debian 8.x) Howto

Note: Jessie has reached end of LTS support as of June 30th, 2020. If at all possible, upgrade to a newer Debian release.

Stretch (Debian 9.x) / Buster (Debian 10.x) / Testing / Unstable Howto

You can install certbot from the main repository. You can also install some useful plugins that make getting certificates for nginx or apache easier.

In order to make a certificate for apache you can use the following command:

sudo certbot --apache -d <domain> --post-hook "/usr/sbin/service apache2 restart"

In order to make a certificate for nginx you can use the following command:

sudo certbot --nginx -d <domain> --post-hook "/usr/sbin/service nginx restart"

Configure dehydrated with nginx

This section describes how to configure dehydrated as the ACME client for nginx. This guide was written for Debian Trixie; please update it for later versions when the time comes.

Let's imagine you already have your domain ssl.example.com up and running on an nginx server. It is configured in /etc/nginx/sites-enabled/ssl.example.com and already accepts unencrypted HTTP traffic on port 80.

All commands in this guide should be run as root.

Installing

You will need the dehydrated and cron packages to keep your certificate renewed automatically:

# apt-get install dehydrated cron

Configuring

1. Add your domain name to the /etc/dehydrated/domains.txt file:

# echo ssl.example.com >> /etc/dehydrated/domains.txt

2. Configure your domain to serve dehydrated's ACME challenges at the /.well-known/acme-challenge URL. Add the following lines to your server config file:

    location /.well-known/acme-challenge {
        alias /var/lib/dehydrated/acme-challenges;
    }

3. Reload your nginx server:

# systemctl reload nginx.service

Issuing new cert

First, read and accept the license agreement for Let's Encrypt certificates:

# dehydrated --display-terms
# dehydrated --register --accept-terms

Then you can issue a new certificate:

# dehydrated --cron

Adding new cert to nginx conf

If everything worked well, you should now have a set of certificate files in the /var/lib/dehydrated/certs/ssl.example.com directory:

# ls /var/lib/dehydrated/certs/ssl.example.com

Now you need to update your /etc/nginx/sites-enabled/ssl.example.com config.

Turn on TLS by adding or uncommenting the following lines:

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

add your certificate and key to the config:

    ssl_certificate /var/lib/dehydrated/certs/ssl.example.com/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/ssl.example.com/privkey.pem;

and reload the server:

# systemctl reload nginx.service

Checking

Now you should be able to access your site at https://ssl.example.com without any security warnings.

Setting up automatic cert update

Create the file /etc/cron.d/dehydrated with the following content:

    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    MAILTO=username@example.com

    00 12 *  *  *  root   dehydrated --cron >/dev/null ; systemctl reload nginx.service >/dev/null
    15 12 *  *  *  root   dehydrated --cleanup >/dev/null ; systemctl reload nginx.service >/dev/null

and reload the cron service:

# systemctl reload cron.service

Make sure that sendmail is properly configured on this system and that the MAILTO variable holds a working address, so that you are notified if something goes wrong with certificate renewal.
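A check you can run by hand after the Checking step, or from the same cron file so that a silent renewal failure is noticed before the certificate expires. This is an added example; it is not part of this page or of the dehydrated project. It assumes the openssl command-line tool is installed and that the certificate directory follows dehydrated's layout (fullchain.pem with the leaf certificate first, privkey.pem beside it). The 14-day threshold and the make_demo_cert helper, which builds a self-signed certificate only so the script can be tried offline, are choices made here, not dehydrated settings.

```shell
#!/bin/sh
# Post-renewal sanity check for a dehydrated certificate directory.
# Added example; not from the Debian wiki page or the dehydrated project.
# Assumes the openssl command-line tool is available.

# Return 0 when the private key in $2 belongs to the first (leaf) certificate
# in $1. dehydrated writes the leaf first in fullchain.pem, which is what
# "openssl x509" reads, so the intermediates are ignored here.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the leaf certificate in $1 expires within $2 days,
# 1 when it stays valid for longer than that.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Check one dehydrated certificate directory, e.g.
# /var/lib/dehydrated/certs/ssl.example.com. Exit status 0 means the key
# matches the certificate and more than $2 (default 14) days remain.
check_cert_dir() {
    dir=$1
    min_days=${2:-14}
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "$dir: fullchain.pem or privkey.pem missing or unreadable" >&2
        return 2
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "$dir: privkey.pem does not match fullchain.pem" >&2
        return 1
    fi
    if expires_within_days "$cert" "$min_days"; then
        echo "$dir: certificate expires within $min_days days; renewal is not working" >&2
        return 1
    fi
    return 0
}

# Constructed test fixture: a self-signed certificate for ssl.example.com
# valid for $2 days, written to $1 in dehydrated's file layout, so the checks
# above can be exercised without a real certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=ssl.example.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# When run as a script: check-cert.sh <cert dir> [min days]
if [ $# -gt 0 ]; then
    check_cert_dir "$1" "${2:-14}"
fi
```

dehydrated renews by default once fewer than 30 days remain, so a certificate that is still within 14 days of expiry means the cron job has been failing. Run it as `sh check-cert.sh /var/lib/dehydrated/certs/ssl.example.com`; the messages go to stderr, so a cron entry that runs it after the renewal line will reach the MAILTO address only when something is wrong.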

See also

These articles were used while writing this guide:

https://www.feldspaten.org/2022/07/01/dehydrated-nginx-and-letsencrypt/

https://www.paedubucher.ch/articles/automating-tls-using-dehydrated/

Upstream-specific information

* Homepage

* Documentation

* Community support

