20 comments

[ 3.3 ms ] story [ 35.7 ms ] thread
There is a typo in the title, can the mods please rename it to fix `Ubuntu`?
Why the server reboot after installing nginx?

More importantly, it should be safe to run the renew script once per month instead of once per day. Furtermore, I didn't check now but I seem to remember that Let's Encrypt limits the number of renewals in a period.

I like to reboot servers after upgrading / installing software so that everything I changed recently is fresh in my head. Otherwise, it could be 6-12 mos before a reboot is required and if something doesn't come up right, you may well not remember what has changed since the last working reboot...
I'm not sure about the first-party Let's Encrypt client, but letsencrypt.sh will check the dates and not bother to ask for a new certificate if the sertificate expires more than 30 days into the future. This way, if the Let's Encrypt servers are overloaded that day and not renewing certificates, the client will try once a day for a month before the certificate expires.
Tip: there are ways to renew without running the standalone version (this means "host me a webserver to request my ssl") and thus not having to stop your http-server, but they require more work.
If you know how, please do tell or provide some pointers. It would be nice to set up at my site.
I use acme-tiny (with --acme-dir) and set up nginx to point the /.well-known/acme-challenge to a directory acme-tiny can write to. It should be possible to do reverse proxying with nginx for whatever web server hosts the acme challenges..
+1, if you have just one server, it's merely a matter of adding

  location /.well-known/acme-challenge/ {
      alias {directory};
      try_files $uri =404;
  }
to the Nginx config of each site, then having a script on cron that generates the csr and calls acme_tiny. It's fairly easy to set up and you can be reasonably sure it won't screw up your site if it fails for some reason.
Last time I tried this, I used Lego, which was very easy:

https://github.com/xenolf/lego

Does anyone know how long it will be since nginx gets native support for ACME, like Caddy has?

Still looks like a lot of files just to do "./opt/letsencrypt/letsencrypt-auto renew" Once a week (using cron) and restarting Nginx in case there is a new cert. Which is all you need really.

If Nginx would just start serving the new cert as soon as a new one is generated, that would be a nice feature and make things even less complicated (new cert is now the only reason to restart Nginx, apart from updates).

Reloading nginx works for certs. The tradeoff to "a lot of files" is that it doesn't need to be installed and it doesn't mess with your webserver configuration, which, if you're deploying things properly, will just get overwritten next time by your provisioning software.
I currently have it hooked up into Ansible, which generate a cert automatically for each domain we load balance (in Haproxy). It works very well, although wildcards would be much nicer.