Using Free SSL/TLS Certificates from Let’s Encrypt for Nginx

The official let&#x27;s encrypt client is very heavy-weight. In my case I&#x27;ve build a much simpler thing using acmetool (<a href="https:&#x2F;&#x2F;github.com&#x2F;hlandau&#x2F;acme" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;hlandau&#x2F;acme</a>) which is mcuh simpler to use and nicely runs without root rights.<p>In my case, a lot of the routing of domains to customers is stored in a postgres database and a trigger fires an event anyways, so I have a little daemon that listens to these events and the fires off acmetool as needed in order go generate certificates.<p>I just completed this last week, so when I&#x27;ve seen this article here, I thought that I just wasted some time over this because now there&#x27;s an integrated nginx solution, but thankfully, this is just an article about doing what I was doing using a tool that&#x27;s more complicated to use and brings half of an OS installation as dependencies.<p>For those interested, <a href="https:&#x2F;&#x2F;gist.github.com&#x2F;pilif&#x2F;1e2610dd7aa57323e0b2" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;pilif&#x2F;1e2610dd7aa57323e0b2</a> is the script in question. It&#x27;s really a quick hack, but it works very well for me to auto-create nginx config files.

I was hoping this was an nginx module where you could specify something like `ssl_letsencrypt on;` and be done with it.

I wrote up my own HOWTO for nginx just the other day.<a href="https:&#x2F;&#x2F;www.uhoreg.ca&#x2F;blog&#x2F;20160218-1757" rel="nofollow">https:&#x2F;&#x2F;www.uhoreg.ca&#x2F;blog&#x2F;20160218-1757</a> I used the acme-tiny client instead of the official client. My post is mostly aimed at Debian-based distributions, but should be easily adaptable to others.

Has anyone found a good tutorial for DNS-based verification of a Let&#x27;s Encrypt certificate? It&#x27;d simplify life greatly for those of us with multi-server clusters behind an Amazon ELB or something similar.

Here is my Nginx config for let&#x27;s encrypt on my case, feel free to criticize or copy it: <a href="https:&#x2F;&#x2F;gist.github.com&#x2F;alex-min&#x2F;158f35f604b24e163ae9" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;alex-min&#x2F;158f35f604b24e163ae9</a>. I&#x27;ve managed to get a A+ on the ssllab test so it should not be too bad I believe (but I&#x27;m not an expert so if you have some idea for improvements, I would be glad).

How ironic. I just added https to my site and was searching for a solution to this problem. I ended up using certonly --standalone as described here and it worked like a charm: <a href="https:&#x2F;&#x2F;www.digitalocean.com&#x2F;community&#x2F;tutorials&#x2F;how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04" rel="nofollow">https:&#x2F;&#x2F;www.digitalocean.com&#x2F;community&#x2F;tutorials&#x2F;how-to-secu...</a>

I tried using the official encrypt client on my low spec VPS this weekend (cent os 6). It wouldn&#x27;t install as when compiling it runs out of memory. Why so heavyweight. Luckily I found a python script which uses the acme tools stuff and that worked fine. Maybe providing binaries would be another option so I don&#x27;t have to compile everything myself.

Thanks for the article and the other discusions, especially the pointers to Caddy.<p>I have been using Cloudflare for https for my main site only and have been deciding whether to use Cloudflare for everything or bite the bullet and set up my own https.

I&#x27;ve made an ansible role for deploying many sites from one nginx instance with automatic issuing and renewal of let&#x27;s encrypt certificates.<p>It would be accompanied by a blog post to explain how things work but got busy on other fronts.<p>If anyone&#x27;s interested, it&#x27;s at <a href="https:&#x2F;&#x2F;github.com&#x2F;Landoop&#x2F;ansible" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Landoop&#x2F;ansible</a>

I had to add some extra nginx config to make this work ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers &#x27;EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH&#x27;;