Getting certbot

Debian Wheezy

1
wget -q https://dl.eff.org/certbot-auto -O-  | sudo tee /usr/local/bin/certbot-auto
2
sudo chmod +x /usr/local/bin/certbot-auto

1
export CERTBOT_CMD=/usr/local/bin/certbot-auto

Debian Jessie

1
echo "deb http://ftp.debian.org/debian jessie-backports main" | sudo tee /etc/apt/sources.list.d/debian-backports.list
2
sudo apt update
3
sudo apt-get install certbot -t jessie-backports

1
export CERTBOT_CMD=/usr/bin/certbot

Prerequisites

Enable domains in public DNS first.

You know what to do here.

Ensure .well-known is accessible via plain HTTP.

1
server {
2
        listen   80;
3
        listen  [::]:80 ipv6only=on;
4
        server_name  example.com www.example.com;
5
        server_name_in_redirect on;
6
        port_in_redirect on;
7

8
        access_log  /var/log/nginx/access.log;
9
        error_log  /var/log/nginx/error.log;
10

11
        # For ACME Let's Encrypt challenge
12
        location /.well-known {
13
                alias /var/www/html/.well-known; # have this as the webroot
14
        }
15

16
        location / {
17
                return 301 https://$server_name$request_uri;
18
        }
19

20
}

Install

1
$CERTBOT_CMD certonly --webroot -w /var/www/html -d example.com -d www.example.com

Install in Web Server

Certificate

1
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

Private Key

1
ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;

OCSP Stapling

1
ssl_trusted_certificate /etc/letsencrypt/live/example/chain.pem;

Full Example

1
ssl  on;
2

3
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
4
ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;
5

6
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
7
ssl_ciphers         "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
8
ssl_prefer_server_ciphers on;
9
ssl_session_cache   shared:SSL:20m;
10
ssl_session_timeout 60m;
11

12
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
13

14
ssl_stapling on;
15
ssl_stapling_verify on;
16
ssl_trusted_certificate /etc/letsencrypt/live/example/chain.pem;
17
resolver 8.8.8.8;
18

19
add_header Strict-Transport-Security "max-age=31536000" always;

Renewal

Debian Jessie

It’s automatic.

Debian Wheezy

Test dry-run.

1
$CERTBOT_CMD renew --dry-run

If runs well, add to root’s CRON job.

1
0 */6 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade && /etc/init.d/nginx reload > /dev/null 2>&1

Let's Encrypt in Debian

Getting certbot

Debian Wheezy

Debian Jessie

Prerequisites

Enable domains in public DNS first.

Ensure .well-known is accessible via plain HTTP.

Install

Install in Web Server

Certificate

Private Key

OCSP Stapling

Full Example

Renewal

Debian Jessie

Debian Wheezy

Related Articles

Let's Encrypt in ISPConfig3

CORS in Apache2

Crontab Helper