Nginx
timofy, 2021-07-12 03:47:40

How do I set up Let's Encrypt auto-renewal?

The bottom line is this:
We have our own server running CentOS 7, which uses the free Vesta CP as a control panel. With its help, I created an application on the server and installed a Let's Encrypt certificate for this application (site). I installed it not through Vesta, but through the terminal using certbot. I suppose that auto-renewal of the certificate would work without additional settings (I could be wrong), if not for the following nuances: when I first started installing the certificate, the attempt failed, since it turned out that the application was running on Apache on port 8080, but NGINX accepts requests and proxies them to Apache. Then I disabled NGINX during the installation of the certificate and in the Apache config I specified to listen on port 80, not 8080. I did the same in the Apache config of the application itself and rebooted Apache. After that I was able to install the certificate. After that, I returned all the settings to their place, restarted Apache again, launched NGINX and everything works, but ... I understand that in this case the certificate is unlikely to be able to update itself - you need to change something or additionally configure something for the auto-update of the certificate to work, but what needs to be done - tell me


2 answer(s)
Page-Audit.ru, 2021-07-12
@timofy

1. When obtaining / renewing a certificate, the Apache engine can not be used at all.
2. Create directory /var/www/letsencrypt
3. Create file /etc/nginx/letsencrypt.inc with contents

location /.well-known {
    allow           all;
    root            /var/www/letsencrypt;
    error_log       /var/log/nginx/!letsencrypt.error.log;
    access_log      /var/log/nginx/!letsencrypt.access.log;
}

4. In the server section, include the letsencrypt.inc file
include letsencrypt.inc;
5. In the /etc/letsencrypt directory, find the cli.ini file, it should contain the lines
webroot-path = /var/www/letsencrypt
authenticator = webroot
installer = None

6. Run the certbot renew command
7. In the crontab file, create the lines
# Certbot renew
0 0     15 * *  root    certbot renew --renew-hook "service apache reload; service nginx reload"

PS: If the update does not work in this way, then forget about the current certificate, get a new one without any shells, but immediately through the console programs according to the instructions for certbot for Nginx. In general, there should not be any particular difficulties, the only question is to clearly define where to take and where to put.
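
A pre-flight check for the webroot setup described in the answer above, as an added example that is not part of the original answer: it confirms that cli.ini selects the webroot authenticator, drops a probe file where certbot would write its challenge, and fetches it over plain HTTP through NGINX. The function names are hypothetical and example.com is a placeholder for the real domain.

```shell
#!/usr/bin/env bash
# Added example: verify the webroot renewal path before relying on cron.

# Print the value of KEY from a certbot ini file ("key = value" lines).
ini_get() {  # ini_get FILE KEY
    sed -n -e 's/[[:space:]]*$//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed (and print the webroot) only if FILE selects the webroot
# authenticator and its webroot-path is an existing directory.
check_cli_ini() {  # check_cli_ini FILE
    local auth root
    auth=$(ini_get "$1" authenticator)
    root=$(ini_get "$1" webroot-path)
    [ "$auth" = "webroot" ] || { echo "authenticator is '$auth', expected webroot" >&2; return 1; }
    [ -d "$root" ] || { echo "webroot-path '$root' is not a directory" >&2; return 2; }
    printf '%s\n' "$root"
}

# Write a probe file into the challenge directory and print its name.
place_probe() {  # place_probe WEBROOT
    local dir="$1/.well-known/acme-challenge" name
    name="probe-$$-$(date +%s)"
    mkdir -p "$dir" && printf '%s' "$name" > "$dir/$name" && printf '%s\n' "$name"
}

# Fetch the probe over HTTP on port 80, as the CA's validator does,
# and compare the response body with the expected content.
probe_served() {  # probe_served DOMAIN NAME
    [ "$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2")" = "$2" ]
}

# Full check: config, probe file, HTTP fetch, cleanup. Returns 3 if NGINX
# does not serve the probe (include missing, wrong root, or a redirect).
preflight() {  # preflight DOMAIN [CLI_INI]
    local root name rc=0
    root=$(check_cli_ini "${2:-/etc/letsencrypt/cli.ini}") || return
    name=$(place_probe "$root") || return
    probe_served "$1" "$name" || rc=3
    rm -f "$root/.well-known/acme-challenge/$name"
    return $rc
}

# On the server: preflight example.com && certbot renew --dry-run
```

If `preflight` returns 3, the challenge would fail the same way during renewal, so check that the server block for that domain includes letsencrypt.inc and answers on port 80.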

Alexey Dmitriev, 2021-07-12
@SignFinder

You need to set up issuing/renewing a certificate via the webroot path, and not via raising a temporary web server. Then it doesn't matter who and what is proxying - if your site root is available.
How to set up auto-update later - google it at a time - this is one line in cron.
