le-guide.md
Raw Download

# Unofficial Letsencrypt guide for single client & multiple servers

> My setup with multiple different Server OS with fairly recent Nginx frontends, and a single Debian Lenny/Wheezy/Jessie tripbreed challenge handling server, also with an nginx frontend

So in short we have a lot of servers, a few different "web management consoles", mixed OS servers, and of course mixed amount of web facing services that require certificates.  

Question arises, how could we leverage these wonderful free certs provided by [Letsencrypt](https://www.letsencrypt.org), while minimizing the needed time to make everything just work?  

# Let's put the whole webroot signing process to a neat form:  

  * I'm now assuming you installed your [letsencrypt/certbot](https://certbot.eff.org) to /opt/le-`<block>` where `<block>` is a representative of a batch of clients, not necessarily sharing the same domain, but same certificate.
  * First you would want to make sure you have listening endpoint in your client-running(cert challenge server) available via for example cert.`<block>`.tld on port 80 so that the letsencrypt client can read from;
  
  ```
  # Certificate listening server filename: /usr/local/nginx/conf.d/cert.<block>.tld.conf **(NOTE: can be /etc/nginx/sites-available/cert.<block>.tld.conf for debian default installations )**  
  server {
    listen 80;
    server_name cert.<block>.tld;
    include /usr/local/nginx/conf/le-<block>.conf; #This is the path to the below include file  
    server_tokens off; # Don't show the nginx version numbers dudes  
    return 301 https://$host$request_uri;  
  }
  ```  
  * now of course you need to make the above `le-<block>` configuration to point to the actual letsencrypt root where the challenge files will appear for this certain block of domains:  
  
  ```
  # Actual location block filename: /usr/local/nginx/conf/le-<block>.conf 
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain"; # challenge files are expected in text/plain
    root         /opt/le-<block>;  
  }
  location = /.well-known/acme-challenge/ {
    return 404; # we don't want file listings
  }
  ```

  * Now compose the /etc/letsencrypt/configs/`<block>`.conf for the domains you want, starting from the primary domain
  
  ```
  # the domain(s) we want to get the cert for, separated with a comma **without** a trailing space;
  domains = primary.tld,www.primary.tld,another.xyz,andanother.abc
  # Choose key size how needed - default 2048
  rsa-key-size = 4096
  # Use staging server for getting test cert
  server = https://acme-staging.api.letsencrypt.org/directory
  #server = https://acme-v01.api.letsencrypt.org/directory
  # this address will receive renewal reminders
  email = your@email.com
  # Uncomment to turn off the ncurses UI when running the conf with a cronjob
  #text = True
  # authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
  # LE fetch it
  authenticator = webroot
  webroot-path = /opt/le-<block>/
  ```  
  
  * Ok now you should call `/opt/le-<block>/letsencrypt-auto certonly -c /etc/letsencrypt/configs/<block>.conf --dry-run` for the first time  
  * While you're waiting for the script results letsencrypt creates a challenge file to /opt/le-`<block>`/`<token>` and -> When the letsencrypt server receives the request to authenticate the webroot for `<token>` with **all the domains** listed in the /etc/letsencrypt/configs/`<block>`.conf file we created earlier, 
  dispatches a http-request to **all** of those domains for challenge file verification.
  * If even **one** of the domains fails you will have an appropriate error message telling that the domain.xyz failed for reason X
  * now if your servers are scattered around the planet for your `<block>` of domains - very much like mine are - you'll need to add the following little `include` configuration to the respective servers' configurations, like
  
  ``` 
  # Server `primary.tld` , `www.primary.tld` etc residing in filename: /usr/local/nginx/conf/le-<block>.conf 
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    proxy_pass http://cert.<block>.tld:80; # This is your above certificate block server, note you just pass it without any additional headers you'd use normally - this means absolutely no x-whatever headers - just plain proxy_pass  
  }
  ```  
  
  * with of course the inclusion appearing in the respective server-blocks;  
  
  ```  
  server {
    server_name primary.tld www.primary.tld;
    include /usr/local/nginx/conf/le-<block>.conf; # ^ see above 
    location ...
  }
  ```
  
  * After some serious Nginx service reloading, you should run the first `letsencrypt-auto ...`-command again - and voila - there should be no more errors.
  * After Dry run finishes without errors, I'd try the batch with only the staging server, just to see the certificates appearing in `/etc/letsencrypt/live/primary.tld/*.pem` and only after satisfied, switch to the live server, and deploy the certs to the originating servers.
  * **NOTE:** the files in this path are actually symlinks - so in some cases where you need to utilize the certificates without root access ( like for example gitlab ) you'll have to `ls -la /etc/letsencrypt/live/primary.tld/*.pem` to see the actual file paths and possibly copy the actual files to where you use them and chown and/or chmod them appropriately


Unofficial Letsencrypt guide for single client & multiple servers


My setup with multiple different Server OS with fairly recent Nginx frontends, and a single Debian Lenny/Wheezy/Jessie tripbreed challenge handling server, also with an nginx frontend


So in short we have a lot of servers, a few different "web management consoles", mixed OS servers, and of course mixed amount of web facing services that require certificates.  

Question arises, how could we leverage these wonderful free certs provided by Letsencrypt, while minimizing the needed time to make everything just work?  


Let's put the whole webroot signing process to a neat form:


I'm now assuming you installed your letsencrypt/certbot to /opt/le-<block> where <block> is a representative of a batch of clients, not necessarily sharing the same domain, but same certificate.
First you would want to make sure you have listening endpoint in your client-running(cert challenge server) available via for example cert.<block>.tld on port 80 so that the letsencrypt client can read from;


  # Certificate listening server filename: /usr/local/nginx/conf.d/cert.<block>.tld.conf **(NOTE: can be /etc/nginx/sites-available/cert.<block>.tld.conf for debian default installations )**  
  server {
    listen 80;
    server_name cert.<block>.tld;
    include /usr/local/nginx/conf/le-<block>.conf; #This is the path to the below include file  
    server_tokens off; # Don't show the nginx version numbers dudes  
    return 301 https://$host$request_uri;  
  }


now of course you need to make the above le-<block> configuration to point to the actual letsencrypt root where the challenge files will appear for this certain block of domains:


  # Actual location block filename: /usr/local/nginx/conf/le-<block>.conf 
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain"; # challenge files are expected in text/plain
    root         /opt/le-<block>;  
  }
  location = /.well-known/acme-challenge/ {
    return 404; # we don't want file listings
  }


Now compose the /etc/letsencrypt/configs/<block>.conf for the domains you want, starting from the primary domain


  # the domain(s) we want to get the cert for, separated with a comma **without** a trailing space;
  domains = primary.tld,www.primary.tld,another.xyz,andanother.abc
  # Choose key size how needed - default 2048
  rsa-key-size = 4096
  # Use staging server for getting test cert
  server = https://acme-staging.api.letsencrypt.org/directory
  #server = https://acme-v01.api.letsencrypt.org/directory
  # this address will receive renewal reminders
  email = your@email.com
  # Uncomment to turn off the ncurses UI when running the conf with a cronjob
  #text = True
  # authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
  # LE fetch it
  authenticator = webroot
  webroot-path = /opt/le-<block>/


Ok now you should call /opt/le-<block>/letsencrypt-auto certonly -c /etc/letsencrypt/configs/<block>.conf --dry-run for the first time


While you're waiting for the script results letsencrypt creates a challenge file to /opt/le-<block>/<token> and -> When the letsencrypt server receives the request to authenticate the webroot for <token> with all the domains listed in the /etc/letsencrypt/configs/<block>.conf file we created earlier, 
dispatches a http-request to all of those domains for challenge file verification.
If even one of the domains fails you will have an appropriate error message telling that the domain.xyz failed for reason X
now if your servers are scattered around the planet for your <block> of domains - very much like mine are - you'll need to add the following little include configuration to the respective servers' configurations, like


  # Server `primary.tld` , `www.primary.tld` etc residing in filename: /usr/local/nginx/conf/le-<block>.conf 
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    proxy_pass http://cert.<block>.tld:80; # This is your above certificate block server, note you just pass it without any additional headers you'd use normally - this means absolutely no x-whatever headers - just plain proxy_pass  
  }


with of course the inclusion appearing in the respective server-blocks;


  server {
    server_name primary.tld www.primary.tld;
    include /usr/local/nginx/conf/le-<block>.conf; # ^ see above 
    location ...
  }


After some serious Nginx service reloading, you should run the first letsencrypt-auto ...-command again - and voila - there should be no more errors.
After Dry run finishes without errors, I'd try the batch with only the staging server, just to see the certificates appearing in /etc/letsencrypt/live/primary.tld/*.pem and only after satisfied, switch to the live server, and deploy the certs to the originating servers.

NOTE: the files in this path are actually symlinks - so in some cases where you need to utilize the certificates without root access ( like for example gitlab ) you'll have to ls -la /etc/letsencrypt/live/primary.tld/*.pem to see the actual file paths and possibly copy the actual files to where you use them and chown and/or chmod them appropriately