Got my first domain using a cert from Let’s Encrypt in under ~10 minutes, including setting up Let’s Encrypt itself. Yes, this is rather game changing.
Now to write ansible playbooks around it, and figure out how to get it working for proxied domains automatically.
Notes from using Let’s Encrypt:
- Docs really need a quickstart guide
- …no RPM? Shame! (copr doesn’t really count)
- git clone? Better than curling a shell script, I suppose
- Oh wait, letsencrypt-auto runs & installs stuff.
- What is the difference between letsencrypt and letsencrypt-auto? https://letsencrypt.readthedocs.org/en/latest/using.html#webroot uses plain letsencrypt, letsencrypt-auto worked as well though
- ./letsencrypt-auto certonly --webroot -w /var/www/<domain>/ -d <domain> is the command. Tack on however many -d <domain> flags you need for the same webroot
- The auth directory starts with a "." and my nginx config had to be changed to allow dot directories to be read. Follow the principle of least privilege and open only that path:
location ^~ /.well-known/ {allow all;}
- It generates all the certs and chains. I use nginx, so fullchain.pem became my .crt file and privkey.pem became my .key file (I didn't use .pem extensions when creating my own keys originally)
- nginx -t double-checks that the private key matches the public key in the certificate (don't do this by steps)
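The pieces above, wrapped into a small script as an added example (not code from the original post): build the webroot command for several names on one webroot, emit the narrow nginx location, and verify that a fullchain/privkey pair actually belongs together (the check nginx -t does) before it is copied to the .crt/.key names nginx expects. The function names, paths and domains are illustrative placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Names and paths are placeholders.

# Build the letsencrypt-auto certonly command for one webroot and N domains.
# Usage: le_command WEBROOT DOMAIN [DOMAIN...]
le_command() {
    webroot=$1; shift
    cmd="./letsencrypt-auto certonly --webroot -w $webroot"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# nginx location block: only the challenge directory is opened, so a blanket
# "deny dot-directories" rule can stay in place for everything else.
nginx_wellknown_location() {
    printf 'location ^~ /.well-known/ { allow all; }\n'
}

# Compare the public key inside the (first) certificate of the chain with the
# public key derived from the private key; exit 0 on match, 1 otherwise.
# Usage: check_keypair fullchain.pem privkey.pem
check_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Copy the pair under the .crt/.key names used in the nginx config, but only
# after the pair check passes, so a mismatched pair never reaches nginx -t.
# Usage: install_pair LIVE_DIR DEST_DIR NAME
install_pair() {
    check_keypair "$1/fullchain.pem" "$1/privkey.pem" || return 1
    cp "$1/fullchain.pem" "$2/$3.crt" && cp "$1/privkey.pem" "$2/$3.key"
}
```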