How do I install Let's Encrypt on Debian 8

letsencrypt
ssl
nginx
debian

(Dmitry Fedyuk) #1

Step 1 (/etc/apt/sources.list)

deb http://ftp.debian.org/debian jessie-backports main

Step 2

aptitude update && aptitude install certbot

Step 3

sudo certbot certonly --webroot -w /var/www/lets-encrypt/stripe.mage2.pro -d stripe.mage2.pro

I use a dedicated Let’s Encrypt challenge folder (/var/www/lets-encrypt) for all my projects.

Certbot documentation: certbot.eff.org/docs

Step 4 (Nginx)

server {
	listen 80;
	server_name stripe.mage2.pro;
	return 301 https://$server_name$request_uri;
}
server {
	listen 443 ssl;
	server_name stripe.mage2.pro;
	ssl_certificate /etc/letsencrypt/live/stripe.mage2.pro/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/stripe.mage2.pro/privkey.pem;
	# TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer TLSv1.2 only.
	ssl_protocols TLSv1.2;
	location ~ /.well-known {
		root /var/www/lets-encrypt/stripe.mage2.pro;
		access_log off;
		expires max;
		break;
	}
	proxy_set_header X-Forwarded-Proto $scheme;
	set $MAGE_ROOT /var/www/portal;
	fastcgi_param MAGE_RUN_TYPE website;
	fastcgi_param MAGE_RUN_CODE stripe_mage2_pro;
	include /usr/local/nginx/conf/includes/m2-root.conf;
}

This block handles the Let’s Encrypt challenge:

location ~ /.well-known {
	root /var/www/lets-encrypt/stripe.mage2.pro;
	access_log off;
	expires max;
	break;
}

serverfault.com/a/755665

Step 5 (/etc/crontab)

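# Run as root directly: under cron, www-data would need passwordless sudo,
# which hands a compromised web application a path to root.
@daily root certbot renew && service nginx restart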

How to test

sudo certbot renew --force-renewal
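
A pre-flight check for the webroot challenge path used in Steps 3 and 4, as an added example that is not part of the original post: it writes a random probe file under the webroot, fetches it over plain HTTP (following the redirect to HTTPS), and compares the content. The function names and the FETCH override are illustrative assumptions, and curl is assumed to be installed.

```sh
#!/bin/sh
# Pre-flight for the webroot (HTTP-01) challenge: prove that a file written
# under WEBROOT/.well-known/acme-challenge/ is what the web server returns.
# Function names and the FETCH variable are illustrative, not certbot's.

# Command used to fetch a URL; override FETCH to test without the network.
FETCH=${FETCH:-"curl -fsSL --max-time 10"}

# Create a probe file holding a random token. Prints "<name> <token>".
make_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    name="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s' "$token" > "$dir/$name" || return 1
    chmod 644 "$dir/$name"   # must be readable by the nginx worker user
    printf '%s %s\n' "$name" "$token"
}

# URL requested for a given domain and file name (plain HTTP, port 80).
probe_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a probe, fetch it, compare, and always clean up.
# Returns 0 if the served content matches the token, 1 otherwise.
check_webroot() {
    webroot=$1 domain=$2
    out=$(make_probe "$webroot") || return 1
    name=${out% *} token=${out#* }
    # $FETCH is left unquoted on purpose so its options are split into words.
    got=$($FETCH "$(probe_url "$domain" "$name")" 2>/dev/null) || got=""
    rm -f "$webroot/.well-known/acme-challenge/$name"
    [ -n "$token" ] && [ "$got" = "$token" ]
}

# Usage: ./check.sh /var/www/lets-encrypt/stripe.mage2.pro stripe.mage2.pro
if [ "$#" -eq 2 ]; then
    if check_webroot "$1" "$2"; then
        echo "OK: challenge directory is served for $2"
    else
        echo "FAIL: probe not served for $2 (check root, location block, permissions)" >&2
        exit 1
    fi
fi
```

Run it as a user who can write to the webroot, before Step 3 and again after any change to the Nginx location block.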