Finally switching to HTTPS thanks to letsencrypt
Thanks to letsencrypt it has become way too easy to switch to a secure website; I ran out of excuses. So here it is now, in all its glory with a green lock. Isn't that amazing? ;-)

It only took a little docker, DNS and certbot magic to get it all going. The hardest part was understanding that to use bind9 for the DNS validation you have to use the rfc2136 plugin; everything else is really well documented. Check out their documentation, but it boils down to:

1. Configure a key that is allowed to change TXT DNS records

  update-policy {
    grant letsencrypt.key name txt;

(and make sure that your slave DNS servers are notified of the change, otherwise the validation may be answered by a server that has not seen the TXT record yet)

2. Getting the certificate

Since I hate bloating my servers with software, I didn't like the thought of installing additional tools for certbot. Luckily they have nice docker builds, so nothing is required except docker, which I am already using extensively. So I just created a little script:

docker run -it --rm \
    --name certbot \
    -v "`pwd`/etc/letsencrypt:/etc/letsencrypt" \
    -v "`pwd`/var/lib/letsencrypt:/var/lib/letsencrypt" \
    -v "`pwd`/var/log:/var/log" \
    -v "`pwd`/secret:/secret" \
    certbot/dns-rfc2136 certonly \
    --dns-rfc2136 \
    --dns-rfc2136-credentials /secret/rfc2136.ini \
    -d '*'

3. Getting certificates to nginx

Now that the certificates are in etc/letsencrypt, I just use rsync to copy them to the web server, and I'm ready to go.

The only thing to keep in mind is file permissions. certbot creates the files readable only by root, but I don't really like logging into other systems as root, so the default rsync setup does not sync the permissions correctly; that is why I use the --chmod option.

rsync -e "$SSH" -a --chmod=go-rwx etc/ $USER@$PROXY:letsencrypt-etc/

$SSH $USER@$PROXY sudo /etc/init.d/nginx reload

4. nginx

That's again very well documented and easy to do (no surprises there).

server {
  return 301$request_uri;

server {
  listen spdy;

  ssl on;
  ssl_certificate XXX/letsencrypt-etc/letsencrypt/live/;
  ssl_certificate_key XXX/letsencrypt-etc/letsencrypt/live/;
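Pulling the steps above together, here is an added wrapper script (not from the post) with the checks I would want before each step: that the rfc2136 credentials file is complete and readable only by its owner, that each live/ directory holds a private key with 0600 permissions that actually matches its certificate and is not about to expire, and that nginx's configuration passes `nginx -t` before it is reloaded. It assumes the post's directory layout (./secret/rfc2136.ini, ./etc/letsencrypt), the $SSH/$USER/$PROXY variables from the rsync line above, a DOMAIN variable standing in for the name passed to -d (elided above), and that openssl and nginx are on the path; the deploy function only runs when the script is invoked with --deploy, so the check functions can be sourced on their own.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks around the
# certbot / rsync / nginx steps; assumes the post's layout (./secret/rfc2136.ini,
# ./etc/letsencrypt/live/<name>/) and its $SSH, $USER, $PROXY variables.
set -eu

# 0 when the file exists and has no group/other permission bits at all.
# Parses `ls -lL` (dereferencing certbot's live/ symlinks) so it works with
# both GNU and BSD userland and does not depend on who runs the check.
file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldL "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# The rfc2136 plugin reads these keys from its credentials ini file; the file
# must also be private, since it holds the TSIG secret that can edit the zone.
check_rfc2136_credentials() {
    ini=$1
    file_is_private "$ini" || { echo "$ini: must be mode 0600" >&2; return 1; }
    for key in dns_rfc2136_server dns_rfc2136_name dns_rfc2136_secret dns_rfc2136_algorithm; do
        grep -q "^[[:space:]]*$key[[:space:]]*=" "$ini" \
            || { echo "$ini: missing $key" >&2; return 1; }
    done
}

# 0 when the public key inside the certificate equals the public key derived
# from the private key, i.e. the pair handed to nginx belongs together.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Validate one live/<name>/ directory as certbot lays it out
# (fullchain.pem + privkey.pem) before it is synced or reloaded.
check_live_dir() {
    dir=$1
    cert="$dir/fullchain.pem"; key="$dir/privkey.pem"
    file_is_private "$key" || { echo "$key: private key must be mode 0600" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "$dir: certificate/key mismatch" >&2; return 1; }
    cert_valid_for_days "$cert" 30 || { echo "$cert: expires within 30 days" >&2; return 1; }
}

# Steps 2-4 of the post in order, each gated by the check that belongs to it.
# DOMAIN is an assumed variable standing in for the name passed to -d.
deploy() {
    check_rfc2136_credentials secret/rfc2136.ini
    docker run -it --rm --name certbot \
        -v "$(pwd)/etc/letsencrypt:/etc/letsencrypt" \
        -v "$(pwd)/var/lib/letsencrypt:/var/lib/letsencrypt" \
        -v "$(pwd)/var/log:/var/log" \
        -v "$(pwd)/secret:/secret" \
        certbot/dns-rfc2136 certonly --dns-rfc2136 \
        --dns-rfc2136-credentials /secret/rfc2136.ini \
        -d "${DOMAIN:?set DOMAIN to the name to issue for}"
    for dir in etc/letsencrypt/live/*/; do check_live_dir "$dir"; done
    rsync -e "$SSH" -a --chmod=go-rwx etc/ "$USER@$PROXY:letsencrypt-etc/"
    # test the configuration on the proxy before asking nginx to reload it
    $SSH "$USER@$PROXY" 'sudo nginx -t && sudo /etc/init.d/nginx reload'
}

if [ "${1:-}" = "--deploy" ]; then deploy; fi
```

Two things worth knowing when adapting this: rsync -a copies the live/ entries as symlinks, and since they point relatively into ../../archive/ they keep working on the proxy because the whole etc/ tree is copied; and `ssl on;` and `listen ... spdy;` from the snippet above are no longer accepted by current nginx releases, which want `listen 443 ssl http2;` instead, which is exactly the kind of thing `nginx -t` catches before a reload takes the site down.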
Hey, we have Signatures !!! Great, isn't it ? ;)

Posted by Herbert Poul

Attachments: Screen_Shot_2018-08-05_at_15.03.22.png (39.0 KB)
