Andrew

Reputation: 4418

How can I cleanly handle the first use of letsencrypt on an nginx server?

I use letsencrypt/certbot to manage certs for nginx's use. I find that, when setting up servers, I get into a chicken-and-egg situation: nginx must work to supply the .well-known/acme-challenge directory, but nginx refuses to start if configured ssl certificates don't exist yet.

So far I've gotten around that by manually editing ssl out of the nginx server block, starting it, running certbot for the first time, then reverting the change. I'm wondering if there is a cleaner way to do it.

(At the moment I'm using the webroot auth method, but I'm not married to it. The goal here is to come up with a single configuration that does the Right Thing during initial setup.)

Upvotes: 3

Views: 290

Answers (1)

Andrei Cioara

Reputation: 3664

Since you know the final name and destinations of your certificates, you can generate a self-signed certificate to get nginx going, then run certbot and replace the self-signed one with a proper one. The ACME challenge should be resolved over HTTP.

Code to generate a self-signed certificate. Do not worry much about anything except the keyout and out parameters.

openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -subj "/C=UK/ST=England/L=London/CN=www.example.com" \
    -keyout "/path/to/your/key.cer" \
    -out "/path/to/your/certificate.cer"

You can fully script this, so you'd have no headaches.

Upvotes: 2
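The bootstrap the answer describes, as an added example script rather than the answerer's own code: generate a short-lived self-signed placeholder only when no certificate exists at the paths nginx is configured with, start nginx, obtain the real certificate over HTTP with certbot's webroot method, then install it at those same paths and reload. The paths, domain and webroot are assumed placeholders; `is_self_signed` gives you a way to check afterwards that the placeholder really has been replaced.

```shell
#!/bin/sh
# Added example (not the answer's code). Assumed placeholder paths and names
# throughout; nginx and certbot are only invoked from bootstrap(), never at
# top level, so the helper functions can be exercised on any machine.
set -eu

# Create a self-signed placeholder at KEY/CERT only if none exists, so that
# nginx's ssl_certificate directives point at real files and it can start.
# Idempotent: an existing certificate is never overwritten.
# Returns 0 when both files are present afterwards, 1 otherwise.
ensure_placeholder_cert() {
    key="$1"; cert="$2"; cn="$3"
    if [ -s "$key" ] && [ -s "$cert" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$key")" "$(dirname "$cert")"
    # 30 days is plenty: the placeholder only lives until certbot succeeds.
    openssl req -x509 -nodes -days 30 -newkey rsa:2048 \
        -subj "/CN=$cn" \
        -keyout "$key" -out "$cert" >/dev/null 2>&1
    [ -s "$key" ] && [ -s "$cert" ]
}

# Report whether the certificate at $1 is self-signed (issuer == subject),
# i.e. whether the placeholder is still in place. Returns 0 if self-signed.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Full first-run sequence for one domain. Assumed paths: nginx reads
# /etc/nginx/ssl/<domain>.{key,crt}; certbot writes under /etc/letsencrypt.
bootstrap() {
    domain="$1"; webroot="$2"
    key="/etc/nginx/ssl/$domain.key"
    cert="/etc/nginx/ssl/$domain.crt"

    ensure_placeholder_cert "$key" "$cert" "$domain"
    nginx -t
    nginx -s reload          # or `systemctl start nginx` on first boot

    # Challenge is served from $webroot/.well-known/acme-challenge over HTTP.
    certbot certonly --webroot -w "$webroot" -d "$domain"

    # Swap the placeholder for the issued chain and key, then reload.
    # For renewals, run the same two copies from a certbot --deploy-hook.
    live="/etc/letsencrypt/live/$domain"
    install -m 600 "$live/privkey.pem" "$key"
    install -m 644 "$live/fullchain.pem" "$cert"
    nginx -s reload

    if is_self_signed "$cert"; then
        echo "placeholder still in place for $domain" >&2
        return 1
    fi
}
```

Run as `bootstrap www.example.com /var/www/html` once nginx is configured; on subsequent runs `ensure_placeholder_cert` is a no-op because the real certificate already exists, so the same script is safe to keep in your provisioning.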
