Enable automated letsencrypt certificate renewal#410
Merged
Conversation
Amends the nginx config so that nginx will respond to HTTP requests whose path starts with /.well-known/ with the matching file in /var/www/letsencrypt-webroot, if any. This allows Let's Encrypt to verify domain ownership in order to renew certificates automatically. The `certbot` program is configured by default to renew all certificates once they are approaching their expiration dates, so with these changes, all that needs to happen on the server to enable subsequent renewals to be handled completely automatically is:

- Certbot needs to be told to use the "webroot" plugin for domain verification with the appropriate directory when renewing certificates
- Nginx needs to be set up to reload its configuration periodically so that newly renewed certificates are picked up.

I've already done both of these on the Pursuit server.

Note that certbot offers an "nginx" plugin too, but I don't trust it because it modifies the nginx configuration, and I think it requires taking the server down for a short time. The "webroot" approach seems simpler and safer.
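The PR's diff is not shown on this page; the following is an added example of an nginx server block of the kind the description implies, not the project's own configuration. The webroot path /var/www/letsencrypt-webroot comes from the PR; the domain example.com, the certificate paths and the decision to match only /.well-known/acme-challenge/ (rather than all of /.well-known/) are assumptions made here so that nothing else under the webroot is exposed.

```nginx
# Added example, not the PR's diff. example.com and the /etc/letsencrypt paths
# are placeholders; the webroot directory is the one named in the PR.
server {
    listen 80;
    server_name example.com;

    # Serve ACME HTTP-01 challenge files straight from the webroot that
    # certbot's "webroot" plugin writes into. Matching only the
    # acme-challenge subdirectory (an assumption, narrower than the PR's
    # /.well-known/) keeps the rest of the webroot private, and '^~' stops
    # any regex location further down from overriding this block.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt-webroot;
        default_type text/plain;
        try_files $uri =404;   # never fall through to the application
    }

    # Everything else on plain HTTP is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name example.com;

    # certbot keeps these symlinks pointing at the newest certificate, so a
    # plain `nginx -s reload` after renewal is enough to pick it up.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # ... application locations go here ...
}
```

With this in place, `certbot renew --webroot -w /var/www/letsencrypt-webroot --dry-run` exercises the challenge path against the staging environment without issuing anything, which is the check worth running before relying on unattended renewal. As an alternative to the periodic reload the PR describes, certbot's `--deploy-hook 'systemctl reload nginx'` reloads nginx only when a certificate was actually renewed.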
hdgarrood added a commit to hdgarrood/trypurescript that referenced this pull request on Jul 11, 2020:
Amends the nginx config so that nginx will respond to HTTP requests whose path starts with /.well-known/ with the matching file in /var/www/letsencrypt-webroot, if any. This allows Let's Encrypt to verify domain ownership in order to renew certificates automatically. The `certbot` program is configured by default to renew all certificates once they are approaching their expiration dates, so with these changes, all that needs to happen on the server to enable subsequent renewals to be handled completely automatically is:

- Certbot needs to be told to use the "webroot" plugin for domain verification with the appropriate directory when renewing certificates
- Nginx needs to be set up to reload its configuration periodically so that newly renewed certificates are picked up.

Note that certbot offers an "nginx" plugin too, but I don't trust it because it modifies the nginx configuration, and I think it requires taking the server down for a short time. The "webroot" approach seems simpler and safer.

I know that this approach works because Pursuit is already using it (see purescript/pursuit#410), so after this is merged I intend to deploy, SSH in, and do the above two steps manually.
hdgarrood added a commit to purescript/trypurescript that referenced this pull request on Jul 11, 2020 (same commit message as above).
Commit message:

Amends the nginx config so that nginx will respond to HTTP requests whose path starts with /.well-known/ with the matching file in /var/www/letsencrypt-webroot, if any. This allows Let's Encrypt to verify domain ownership in order to renew certificates automatically. The `certbot` program is configured by default to renew all certificates once they are approaching their expiration dates, so with these changes, all that needs to happen on the server to enable subsequent renewals to be handled completely automatically is:

- Certbot needs to be told to use the "webroot" plugin for domain verification with the appropriate directory when renewing certificates
- Nginx needs to be set up to reload its configuration periodically so that newly renewed certificates are picked up.

I've already done both of these on the Pursuit server.

Note that certbot offers an "nginx" plugin too, but I don't trust it because it modifies the nginx configuration, and I think it requires taking the server down for a short time. The "webroot" approach seems simpler and safer.