SSL with Let's Encrypt
Use free SSL with Let's Encrypt
snap install --classic certbot
# Check which certificates certbot already manages.
certbot certificates
When moving to a new server, you can copy /etc/letsencrypt over as is.
Generate SSL certificate
Nginx is already running. The certificate authority confirms control of the domain by fetching a URL that it generates on the fly.
# URL fetched by the CA during validation
http://aaa.mydomain.com/.well-known/acme-challenge/***
If the domain is served by several web servers, every one of them must answer this path correctly.
# nginx.conf
# Put this on every web server: serve the challenge from the local webroot,
# otherwise forward it to the main web server with proxy_pass.
location /.well-known/acme-challenge/ {
    root /home/ip_access;
    try_files $uri @acme-challenge;
}
location @acme-challenge {
    proxy_pass http://192.168.23.75:80; # Main web server.
}
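Before running certbot it is worth checking, the same way the CA does, that every front-end server really serves the challenge path, including the ones that only proxy to the main server. The script below is an added example and not part of the original notes: it drops a throwaway token into the webroot given to certbot's -w option, fetches it through each server's public address, and reports which servers fail. The webroot path and hostnames are assumptions taken from the placeholders in the notes.

```python
"""Probe the ACME HTTP-01 path on every web server (added example)."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# Go to the servers directly; ignore any http_proxy in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def write_probe_token(webroot):
    """Create a random token file under <webroot>/.well-known/acme-challenge/.

    Returns (token, expected_body). The body is what each server must echo back.
    """
    token = secrets.token_urlsafe(16)
    body = f"probe-{token}"
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(body)
    return token, body


def fetch_challenge(base_url, token, timeout=5):
    """GET <base_url>/.well-known/acme-challenge/<token>; return the body or None."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.read().decode()
    except (urllib.error.URLError, OSError):
        # 404, connection refused, timeout: the CA would fail this server too.
        return None


def check_servers(base_urls, token, expected):
    """Map each base URL to True when it served the token body, else False."""
    return {u: fetch_challenge(u, token) == expected for u in base_urls}


def cleanup_probe(webroot, token):
    """Remove the probe file again so the webroot stays clean."""
    try:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    except FileNotFoundError:
        pass


if __name__ == "__main__":
    # Assumed values from the notes: the webroot passed to certbot -w and the
    # public names that resolve to each front-end server.
    webroot = "/home/ip_access"
    servers = ["http://aaa.mydomain.com", "http://mail.mydomain.com"]
    tok, body = write_probe_token(webroot)
    try:
        results = check_servers(servers, tok, body)
    finally:
        cleanup_probe(webroot, tok)
    for url, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {url}")
    raise SystemExit(0 if all(results.values()) else 1)
```

A server that answers with a redirect to HTTPS or with its default page instead of the token body shows up as FAIL, which is exactly the case the proxy_pass location above is meant to catch.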
Generate a new certificate
certbot certonly \
--webroot \
--agree-tos \
-w /home/ip_access \
-m ast@mydomain.com \
-d mail.mydomain.com
New wildcard certificate
During the run, certbot pauses so you can set the DNS TXT record by hand.
certbot --debug certonly --agree-tos --manual \
--preferred-challenges dns-01 \
--manual-public-ip-logging-ok \
-m admin@mydomain \
-d *.mydomain.com
# [Step1] Add DNS TXT record.
TXT _acme-challenge.mydomain.com d7***************hs
The new certificate is placed here:
/etc/letsencrypt/live/
Copy it to each web server.
# Deploy hook: certbot runs every script in this directory after a successful renewal.
vi /etc/letsencrypt/renewal-hooks/deploy/scp_mydomain.sh
#!/bin/bash
set -u
SRC=/etc/letsencrypt/live/mydomain.com
DST=/etc/ssl/letsencrypt/mydomain.com
# -L dereferences the live/ symlinks so the real files are copied, not links.
cp -fL "$SRC"/* "$DST"
# Push the same files to the other web servers (scp follows the symlinks too).
scp -rp "$SRC"/* root@192.168.23.70:"$DST"
scp -rp "$SRC"/* root@192.168.24.75:"$DST"
Renew the wildcard certificate (manual)
Certbot asks for both a DNS TXT record and a web file so it can check the server; every web server has to respond.
certbot certonly --manual \
--manual-public-ip-logging-ok \
-d *.mydomain.com \
-d mydomain.com
Choose the account. When asked whether your IP may be logged, answer Yes.
Add DNS TXT record. (Step1)
_acme-challenge.mydomain.com
d7HCaFhZaR4wu8a9Um7VVcaIYZfR6and2u288gahs
Create a web file at the URL below whose content is the line after it. (Step 2)
http://mydomain.com/.well-known/acme-challenge/Yc0yLeaDTldtt3_lUZy5l
Yc0yLeaDTldtt3_lUZy5l.iglYdQT8998tlQLYhtbBNSf97s4CzX
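In both manual flows above (Step 1 of the new wildcard and Step 1 of the renewal) certbot waits for Enter after printing the TXT value, and pressing it before the record is visible at every authoritative nameserver fails the challenge. The script below is an added example and not part of the original notes: it looks up the zone's NS records, then polls each nameserver with dig (assumed to be installed) until all of them return the expected _acme-challenge value. The lookup function is injectable so the polling logic can be exercised without network access.

```python
"""Wait until the _acme-challenge TXT record is visible on all authoritative
nameservers before letting certbot --manual continue (added example)."""
import subprocess
import sys
import time


def dig_short(rrtype, name, nameserver=None):
    """Run `dig +short` and return the answer lines; empty list on any failure.

    TXT answers come back quoted ("value"), so the quotes are stripped. ACME
    tokens are short, so the multi-string form of long TXT records is not handled.
    """
    cmd = ["dig", "+short", "+time=3", "+tries=1", rrtype, name]
    if nameserver:
        cmd.append(f"@{nameserver}")
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:  # dig not installed
        return []
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def record_visible(name, expected, nameservers, lookup=dig_short):
    """Return the nameservers that do NOT yet serve `expected` as a TXT value of `name`."""
    missing = []
    for ns in nameservers:
        if expected not in lookup("TXT", name, ns):
            missing.append(ns)
    return missing


def wait_for_txt(zone, token, attempts=30, interval=10, lookup=dig_short, sleep=time.sleep):
    """Poll the zone's authoritative nameservers until every one returns `token`.

    Returns True when the record is visible everywhere, False after `attempts`
    polls (or when no nameservers could be found).
    """
    name = f"_acme-challenge.{zone}"
    nameservers = [n.rstrip(".") for n in lookup("NS", zone, None)]
    if not nameservers:
        return False
    for attempt in range(attempts):
        missing = record_visible(name, token, nameservers, lookup)
        if not missing:
            return True
        print(f"poll {attempt + 1}/{attempts}: still missing on {', '.join(missing)}")
        if attempt < attempts - 1:
            sleep(interval)
    return False


if __name__ == "__main__":
    # Usage: python wait_txt.py mydomain.com <value certbot printed>
    # Zone and token are taken from the command line; nothing here is a real value.
    zone, token = sys.argv[1], sys.argv[2]
    ok = wait_for_txt(zone, token)
    print("record visible on all nameservers" if ok else "gave up waiting")
    raise SystemExit(0 if ok else 1)
```

Querying the authoritative servers directly (dig @ns) sidesteps the recursive resolver's cache, which is where the value reported by Let's Encrypt's own lookups usually differs from what your local resolver shows.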