
Using LetsEncrypt

Date: 2023-12-03
Tags:  sysadmin

LetsEncrypt is great because it lets you have SSL certificates for free and forces you to have good SSL hygiene. The idea of making the certificates lapse every 90 days so that people are incentivised to automate it is brilliant.

However, it is a piece of software that I don't understand, and I don't like that. Both the underlying logic and the surface-level stuff of just getting it to work are unknown to me.

This post will be me working through it and trying to figure out the thread that makes this work. I don't really care about the underlying stuff right now; I just want to make it so that I can get an SSL certificate easily for the next site I set up.

The first thing is that you do not want certbot to run and modify nginx directly. I much prefer having it just get the certificates and then manually adding them in.

sudo certbot certonly --webroot

The webroot option means that certbot uses the web server you already have running to serve the challenge files, rather than starting its own.

This will prompt you for the domains to protect and the path to the webroot directory, so it can write the challenge files into the .well-known folder.

/Users/username/bp/nivethan.dev

This is my base web folder that I will be serving out.

The below nginx file will make sure that my well-known folder is being served out. I have an application that handles / so I need this here so that nginx will handle the well-known folder.

server {
    listen 8123;
    listen [::]:8123;
    server_name nivethan.dev www.nivethan.dev;

    port_in_redirect off;
    autoindex on;   # lists the directory so you can confirm it is being served

    # Serve the ACME challenge files from the same webroot given to certbot.
    location /.well-known {
        alias /Users/username/bp/nivethan.dev/.well-known;
    }
}

At this point you should be able to navigate to the well-known folder and get a list of things in it. This is because the autoindex is on.
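Rather than eyeballing the directory listing, the check below does what the Let's Encrypt validation server will do: it drops a throw-away token file under <webroot>/.well-known/acme-challenge/, fetches it back through the web server, and compares the body. This is an added example, not part of the original post. The FETCH_CMD hook and the function name are assumptions of the example; the default fetcher is curl, and the path layout is the standard ACME HTTP-01 one.

```shell
#!/bin/sh
# Pre-flight check for the webroot challenge path (added example).
# Before running certbot, place a token under
#   <webroot>/.well-known/acme-challenge/<token>
# and fetch it back via the web server, exactly as ACME HTTP-01 validation does.
#
# FETCH_CMD is an assumed hook: the command that GETs a URL and prints the body.
# Default is curl; override it (e.g. with a shell function) to run without a server.
: "${FETCH_CMD:=curl -fsS}"

acme_preflight() {
    webroot="$1"        # e.g. /Users/username/bp/nivethan.dev
    base_url="$2"       # e.g. http://nivethan.dev
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    expected="check-$token"

    mkdir -p "$dir" || return 2
    printf '%s' "$expected" > "$dir/$token" || return 2

    # Fetch through the server; $? of an assignment is the substitution's status.
    got=$($FETCH_CMD "$base_url/.well-known/acme-challenge/$token" 2>/dev/null)
    status=$?
    rm -f "$dir/$token"   # always remove the token, success or not

    if [ "$status" -ne 0 ]; then
        echo "FAIL: could not fetch $base_url/.well-known/acme-challenge/$token" >&2
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "FAIL: served body did not match the token file" >&2
        echo "      (is another handler, e.g. the app on /, claiming /.well-known?)" >&2
        return 1
    fi
    echo "OK: $dir is served at $base_url/.well-known/acme-challenge/"
    return 0
}

# Usage: ACME_WEBROOT=/Users/username/bp/nivethan.dev ACME_URL=http://nivethan.dev sh preflight.sh
if [ -n "${ACME_WEBROOT:-}" ] && [ -n "${ACME_URL:-}" ]; then
    acme_preflight "$ACME_WEBROOT" "$ACME_URL"
fi
```

A body mismatch (rather than a fetch error) is the case to watch for with an application already handling /: the request succeeds, but whatever answers is not nginx serving the file, and certbot will fail validation for the same reason.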

I made this folder 777 for good measure.

Now if we run the above certbot command, we should be able to get the SSL certificates.

sudo certbot certonly --webroot

The final step that I needed to do was give the archive and live folders in letsencrypt 755 permissions. I think this is because I'm running nginx as a non-root user, as well as my application being run as a regular user.

sudo chmod -R 755 /etc/letsencrypt/archive/
sudo chmod -R 755 /etc/letsencrypt/live/
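Because chmod -R applies the same mode to files as to directories, 755 on archive/ leaves every privkey*.pem readable by any local user. What nginx and the application actually need is narrower: traversable directories, readable certificate files, and a private key readable by the group those processes run as. The two functions below audit for world-readable keys and apply that narrower layout. This is an added example, not from the original post; the function names and the default group name www-data are assumptions, and live/ is treated as symlinks into archive/ as certbot lays it out.

```shell
#!/bin/sh
# Permission audit and narrow fix for the letsencrypt tree (added example).

# Report private keys whose "other: read" bit is set (-perm -004).
# live/ holds symlinks into archive/, so -type f matches each real key once.
audit_le_perms() {
    root="${1:-/etc/letsencrypt}"
    bad=$(find "$root" -type f -name 'privkey*.pem' -perm -004 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'world-readable private key:\n%s\n' "$bad" >&2
        return 1
    fi
    echo "OK: no world-readable private keys under $root"
    return 0
}

# Narrow alternative to chmod -R 755: directories 755 (traversable),
# certificate/chain files 644, private keys 640 owned by the group the
# nginx worker and the application run as (group name is an assumption).
fix_le_perms() {
    root="${1:-/etc/letsencrypt}"
    group="${2:-www-data}"
    find "$root/archive" "$root/live" -type d -exec chmod 755 {} + || return 1
    find "$root/archive" -type f -name 'privkey*.pem' \
        -exec chgrp "$group" {} + -exec chmod 640 {} + || return 1
    find "$root/archive" -type f ! -name 'privkey*.pem' -exec chmod 644 {} + || return 1
    return 0
}

# Usage: sudo sh le-perms.sh [/etc/letsencrypt] [group]
if [ -n "${LE_FIX:-}" ]; then
    fix_le_perms "${1:-/etc/letsencrypt}" "${2:-www-data}"
fi
audit_le_perms "${1:-/etc/letsencrypt}"
```

Run the audit first to see whether the blanket 755 exposed anything; set LE_FIX=1 and pass the group nginx runs as to apply the narrower modes, then re-run the audit.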

At this point we should be good to go. Fingers crossed that this covers it.