Setup Letsencrypt SSL on raspberry pi

I love letsencrypt. It’s free SSL, it’s saver because of the auto-renewal and it’s so easy to setup. No more emailing around validating company name and whatnot.

If you’ve followed the previous steps you would not have installed git, check with git --version When it gives an error install git first with sudo apt-get install -y git

Now get the letsencrypt software and prepare the folder which letsencrypt will use.

sudo git clone https://github.com/certbot/certbot /opt/letsencrypt
sudo mkdir /var/www/letsencrypt
sudo chown www-data:www-data /var/www/letsencrypt

Add the first part of the letsencrypt config to nginx sudo nano /etc/nginx/sites-enabled/example.com
Before the final } add this:

location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
}

And reload nginx sudo nginx -t && sudo service nginx reload

Getting the ssl certificate

So now we can generate and validate the ssl certificates. With the command below.
The email-address is used only for checks and warnings so I recommend an email which you do check. And of course change the domain. We will get a certificate for both www and non-www domain.

sudo /opt/letsencrypt/certbot-auto certonly -a webroot --webroot-path=/var/www/letsencrypt/ --rsa-key-size=4096 -m letsencrypt@example.com -d example.com -d www.example.com

When running this the first time It might take a long time, just be patient. When it is done we add the certificates to the nginx configuration: sudo nano /etc/nginx/sites-enabled/example.com

listen 443 ssl default_server;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

sudo service nginx reload

Test if ssl is working on both www and non-www. If it’s working then the next step is forcing ssl all the time.

replace:

server {
    listen 80;
    server_name example.com www.example.com;

And replace it with:

server {
    listen      80;
    server_name home.janw.me www.home.janw.me;
    rewrite     ^   https://$server_name$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name home.janw.me www.home.janw.me;

    ssl_certificate /etc/letsencrypt/live/home.janw.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.janw.me/privkey.pem;

As usual reload sudo nginx -t && sudo service nginx reload

Autorenewel

certbot renew

https://caatest.co.uk/home.jwon.nl
https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score

Leave a Reply

Your email address will not be published. Required fields are marked *