If you pay attention to Google and its indexing rules, you’ve probably heard that you need an SSL certificate o...
Seems to me like the lesson here is to not test in prod.
For a site that I care about, sure. For my own site and server it was a worthwhile experiment.
I'd still spin up a test server temporarily (either locally or VPS).
A former co-worker of mine suggested this setup:
Add the following location to your server block:
and then run certbot like this:
certbot certonly --standalone --http-01-port 9999 --noninteractive --agree-tos --email youremail@yourdomain.com -d www.yoursite.com --post-hook "service nginx reload"
The renew job in my crontab looks like this:
Of course that means that you actually have to add the key paths to your nginx config too, but once you have this up and running you will have a nice and stable config.
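As an added illustration of the setup described in this comment (not the commenter's own config, which is not reproduced on the page), here is what the location and the surrounding server blocks could look like. It assumes certbot's standalone listener is on 127.0.0.1:9999, matching the "--http-01-port 9999" flag above; the server name, document root and certificate paths are assumptions:

```nginx
# Added example: port-80 server that forwards ACME http-01 challenges to
# certbot's standalone listener and redirects everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name www.yoursite.com;

    # This must come before the redirect: Let's Encrypt fetches
    # /.well-known/acme-challenge/<token> over plain HTTP on port 80,
    # so that path must not be bounced to 443.
    location /.well-known/acme-challenge/ {
        # 9999 matches "--http-01-port 9999" in the certbot command above.
        proxy_pass http://127.0.0.1:9999;
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.yoursite.com;

    # Default locations certbot certonly writes to (assumed here);
    # "certonly" never edits this file, so the paths are added by hand.
    ssl_certificate     /etc/letsencrypt/live/www.yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.yoursite.com/privkey.pem;

    root /var/www/www.yoursite.com;
}
```

Because certbot records the authenticator (standalone), the challenge port and the post-hook in its renewal configuration under /etc/letsencrypt/renewal/, the cron entry only has to run `certbot renew`; with `renew`, the post-hook fires only when a certificate was actually replaced, so nginx is not reloaded on every run. Running `nginx -t` before the first reload catches a typo in the location block before it takes the site down.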
Neat! Yeah I think running the --standalone flag is the way to go. I gotta check the docs on certbot as I didn't realize you could specify a custom verification location directive.
When I set up my Let's Encrypt certificates, I hand-wrote my .conf files for Apache2, mainly because of this little personal quirk: I don't trust automagical things. I get mocked fairly frequently for my tendency to do things manually, especially with IT stuff, but my end results are usually cleaner and more stable than mainstream, I find.
Yeah I find 'magic' stuff tends to be overly verbose or just unnecessary. At worst it'll explode things - as I discovered.
Automagics are a nightmare (especially when used unknowingly). I try to read the fine print, dodging all automagics and actually manually doing my setups the first time.
I've experienced what the --nginx flag does in the early days. Since I had all my nginx conf done already, the way I wanted, I just needed to do my SSL integration once and for all.
So yeah, nice reminder.
Yep! The point of this post was mostly to share that point! Watch out for that --nginx flag.
nginx configuration is not that complicated ONCE you take the time to read through the docs, e.g. the second "server" is listening on 80 when that port is supposedly meant to be redirected to 443; looks like a duplicate.
One good practice in nginx: make a separate file for "options" and include it, it helps keep visualizing quickly what the settings are.
Put the PHP config in a fastcgi_php.conf and you can have same settings for multiple sites even in the same instance.
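An added example of the include layout suggested in this comment (these are not the commenter's files); the snippet names, socket path, server name and document root are assumptions, and the three files are shown in one block with a comment naming each:

```nginx
# /etc/nginx/snippets/ssl-options.conf (assumed path):
# TLS settings shared by every HTTPS server block on this instance.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
add_header Strict-Transport-Security "max-age=63072000" always;

# /etc/nginx/snippets/fastcgi_php.conf (assumed path):
# PHP-FPM handling shared by several sites in the same instance.
location ~ \.php$ {
    # Refuse requests for scripts that do not exist on disk instead of
    # handing an arbitrary path to PHP-FPM.
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # socket path is an assumption
}

# /etc/nginx/sites-available/www.yoursite.com (assumed path):
# the per-site file now only carries what is specific to this site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.yoursite.com;
    root /var/www/www.yoursite.com;
    index index.php index.html;

    ssl_certificate     /etc/letsencrypt/live/www.yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.yoursite.com/privkey.pem;

    # Paths are relative to the nginx prefix (/etc/nginx on Debian/Ubuntu).
    include snippets/ssl-options.conf;
    include snippets/fastcgi_php.conf;
}
```

With this split, a change to the TLS settings is made once in ssl-options.conf and picked up by every site on the next reload, and the per-site files become small enough to diff meaningfully in version control.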
Yep as you can probably tell I'm still learning about nginx config. I'm noticing that including files is the way to go. Plan is to start setting up some Fast CGI caching next so we'll see how that goes!
Also, backing up your nginx config is pretty important, maybe keeping it in private version control so anytime you do something wrong you can quickly revert it.
LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:
DevTo: dev.to/dineshrathee12/letsencrypt-...
GitHub: github.com/dineshrathee12/Let-s-En...
LetsEncryptCommunity: community.letsencrypt.org/t/letsen...
Hi Peter,
Thanks for the write-up, I found it better to generate certificates only, and symlink to them.
That guaranteed stability of my existing configuration.
I detailed the steps here: How to install Let's Encrypt SSL Certificate on Ubuntu and Nginx Server, just in case anyone needs help with this.
Thanks.