DEV Community


Nginx, Let’s Encrypt and taking my own server down 😢

Peter Tasker on April 10, 2018

Photo by Simon Fitall on Unsplash

If you pay attention to Google and its indexing rules, you’ve probably heard that you need an SSL certificate o...
Jonathan Boudreau

Seems to me like the lesson here is to not test in prod.

Peter Tasker

For a site that I care about, sure. For my own site and server it was a worthwhile experiment.

Jonathan Boudreau

I'd still spin up a test server temporarily (either locally or VPS).


Remco van Bree

A former co-worker of mine suggested this setup:

Add the following location to your server block:

location /.well-known/acme-challenge {
        proxy_pass http://[::1]:9999;
}

and then run certbot like this:

certbot certonly --standalone --http-01-port 9999 --noninteractive --agree-tos --email youremail@yourdomain.com -d www.yoursite.com --post-hook "service nginx reload"

The renew job in my crontab looks like this:

14  4,16  * * * sudo certbot renew --standalone --http-01-port 9999 --renew-hook "service nginx reload" >> /var/log/le-renew.log

Of course that means that you actually have to add the key paths to your nginx config too, but once you have this up and running you will have a nice and stable config.
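As an added example (not code from Remco's comment or from certbot's docs), here is the full pair of server blocks that the location above slots into, so the certbot nginx plugin never has to touch the file. It assumes certbot's default file layout under /etc/letsencrypt/live/www.yoursite.com/ and a site root of /var/www/www.yoursite.com, both of which are assumptions for this example.

```nginx
# Added example, not from the original post. Assumed paths:
#   /etc/letsencrypt/live/www.yoursite.com/  (certbot's default layout)
#   /var/www/www.yoursite.com                (site content)

# Port 80: hand ACME challenges to certbot's standalone listener on 9999
# and redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name www.yoursite.com;

    # `certbot certonly --standalone --http-01-port 9999` only binds 9999
    # while a challenge is running, so a 502 here outside a renewal is normal.
    location /.well-known/acme-challenge {
        proxy_pass http://[::1]:9999;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the only place the issued certificate and key are referenced.
# certbot rewrites the files behind these paths on renewal; the config
# itself never changes, which is why a plain reload is all the hook needs.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.yoursite.com;

    ssl_certificate     /etc/letsencrypt/live/www.yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.yoursite.com/privkey.pem;

    root /var/www/www.yoursite.com;
    index index.html;
}
```

One caveat for the hooks in the comment above: `service nginx reload` reloads unconditionally, so a hook of `nginx -t && service nginx reload` keeps a broken include from taking the site down at renewal time.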

Peter Tasker

Neat! Yeah I think running the --standalone flag is the way to go. I gotta check the docs on certbot as I didn't realize you could specify a custom verification location directive.


Jason C. McDonald

When I set up my Let's Encrypt certificates, I hand-wrote my .conf files for Apache2, mainly because of this little personal quirk: I don't trust automagical things. I get mocked fairly frequently for my tendency to do things manually, especially with IT stuff, but my end results are usually cleaner and more stable than mainstream, I find.


Peter Tasker

Yeah I find 'magic' stuff tends to be overly verbose or just unnecessary. At worst it'll explode things - as I discovered.

KhoPhi

Automagics are a nightmare (especially when used unknowingly). I try to read the fine print, dodging all automagics and actually manually doing my setups the first time.

I've experienced what the --nginx flag does in the early days. Since I had all my nginx conf done already, the way I wanted, I just needed to do my SSL integration once and for all.

So yeah, nice reminder.

Peter Tasker

Yep! The point of this post was mostly to share that point! Watch out for that --nginx flag.

dallgoot

nginx configuration is not that complicated ONCE you take the time to read through the docs, e.g. the second "server" is listening on 80 when that port is supposedly meant to be redirected to 443; it looks like a duplicate.

One good practice in nginx: make a separate file for "options" and include it; it helps you quickly visualize what the settings are.
Put the PHP config in a fastcgi_php.conf and you can have the same settings for multiple sites, even in the same instance.

Peter Tasker

Yep, as you can probably tell I'm still learning about nginx config. I'm noticing that including files is the way to go. Plan is to start setting up some FastCGI caching next, so we'll see how that goes!

Rishabh Gupta

Also, backing up your nginx config is pretty important, maybe keeping it in private version control so anytime you do something wrong you can quickly revert it.

Dinesh Rathee

LetsEncrypt revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

DevTo: dev.to/dineshrathee12/letsencrypt-...

GitHub: github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity: community.letsencrypt.org/t/letsen...

Pascal Maniraho

Hi Peter,
Thanks for the write-up, I found it better to generate certificates only, and symlink to them.
That guaranteed stability of my existing configuration.

I detailed the steps here: How to install Let's Encrypt SSL Certificate on Ubuntu and Nginx Server, just in case anyone needs help with this.

Thanks.