Letsencrypt Certificate on Pexip Reverse Proxy (Nginx)

This article aims to show how you can use the FREE public certificates provided by Letsencrypt (https://letsencrypt.org/) for your Pexip reverse proxy.

Install Steps

These instructions expand on guidance provided here: https://certbot.eff.org/#ubuntutrusty-nginx

Follow Andreas’ instructions to bring the reverse proxy up to scratch for OS and Nginx: https://support.pexip.com/hc/en-us/articles/203598109-RP-TURN-updates-and-housekeeping

SSH into the reverse proxy, download Certbot and make it executable:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Now run the installer:

./certbot-auto

Temporarily stop Nginx:

sudo service nginx stop

Start the request for the certificate:

./certbot-auto certonly --standalone -d meet.lorist.me

Note: replace meet.lorist.me with your own FQDN

You will be prompted for the following:

  • Email – Enter your email address
  • Terms – Agree to the terms

Now you will see some feedback:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/meet.lorist.me/fullchain.pem. Your cert will
 expire on 2016-11-03. To obtain a new or tweaked version of this
 certificate in the future, simply run certbot-auto again. To
 non-interactively renew *all* of your certificates, run
 "certbot-auto renew"
 - If you lose your account credentials, you can recover through
 e-mails sent to your@email.com.
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Note the location of the cert and chain (in a single file). In my example it is /etc/letsencrypt/live/meet.lorist.me/fullchain.pem

Now you will be able to see the contents of the new directory associated with your FQDN:

sudo ls /etc/letsencrypt/live/meet.lorist.me/

You should see the following files:

  • cert.pem – The certificate for the FQDN
  • chain.pem – The CA chain for the Letsencrypt Certificate Authority
  • fullchain.pem – The certificate and CA chain concatenated (this is used by Nginx)
  • privkey.pem – The private key for the new certificate (this is used by Nginx)

Automatically renew the certificate

Letsencrypt certificates expire after 90 days. You can have the certificate renewed automatically. To test that it will automatically renew, you can do a dry run to see if it will work:

./certbot-auto renew --dry-run

If it worked, you should see something like this in the response:

Requesting root privileges to run certbot...
 /home/pexip/.local/share/letsencrypt/bin/letsencrypt renew --dry-run

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/meet.lorist.me.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
 /etc/letsencrypt/live/meet.lorist.me/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.

We should now add a cron job so that Ubuntu attempts a renewal a couple of times a day. If the certificate is not yet eligible for renewal when the cron job runs, nothing happens. If the certificate is eligible for renewal when the cron job runs, it will be renewed automatically.

Let's add a cron job that runs at 12 minutes past 11am and 4pm every day. Type:

sudo crontab -e

Choose your favourite editor if asked. I like nano. Then add the following line to the bottom of the file:

12 11,16 * * * /home/pexip/certbot-auto renew --quiet --no-self-upgrade
12 11,17 * * * service nginx reload

...and you are done.

Configure Nginx to use the new certificate

Edit the Nginx configuration file:

sudo nano /etc/nginx/sites-enabled/pexapp

Scroll down to the section that points to the certificate. Below is the default:

 ssl_certificate ssl/pexip.pem;
 ssl_certificate_key ssl/pexip.pem;

Change this to point to your new certificate (with chain) and the private key. Example:

 ssl_certificate /etc/letsencrypt/live/meet.lorist.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/meet.lorist.me/privkey.pem;

Now start Nginx back up again:

sudo service nginx start

If you want to test the new cert you can do so using the SSL Shopper website for example:

https://www.sslshopper.com/ssl-checker.html
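An online checker only tells you what Nginx is currently serving. Before reloading Nginx, and again when deciding whether the cron job above will actually do anything, it is worth checking locally that the files Certbot produced are the ones Nginx will load. The script below is an added example and is not part of the original post, nor of Certbot's or Pexip's own tooling. It generates a throwaway 90-day self-signed certificate and key as constructed stand-ins for the Let's Encrypt files (so the "fullchain" holds a single certificate rather than leaf plus intermediate), checks that the private key matches the certificate, checks whether the certificate is inside the 30-day window at which certbot-auto renew actually renews rather than exiting quietly, and pulls ssl_certificate / ssl_certificate_key out of a file shaped like the pexapp configuration above. The demo_dir path, the pexapp_bad file and the function names are assumptions made for the example; on a live reverse proxy point the functions at /etc/letsencrypt/live/<fqdn>/ and /etc/nginx/sites-enabled/pexapp instead.

```shell
#!/bin/sh
# Added example, not from the original post or from Certbot/Pexip tooling.
# Local sanity checks for the files Certbot writes under
# /etc/letsencrypt/live/<fqdn>/ and for the Nginx directives that point at
# them. The demo material further down is constructed; on a real reverse
# proxy call the functions with the live paths instead.

# Number of PEM certificate blocks in a file. A real fullchain.pem holds the
# leaf plus the Let's Encrypt intermediate(s); a self-signed demo holds one.
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Exit 0 when the first certificate in $1 carries the public key of private
# key file $2. A mismatch is the usual reason Nginx refuses to start after
# the ssl_certificate / ssl_certificate_key lines have been edited.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 when the certificate in $1 expires within $2 days. "certbot renew"
# only acts when fewer than 30 days remain, so checking with 30 shows
# whether the next cron run will replace anything.
cert_expires_within_days() {
    seconds=$(( $2 * 86400 ))
    # openssl -checkend exits non-zero if the cert WILL expire in the window
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null; then
        return 1
    fi
    return 0
}

# Read ssl_certificate / ssl_certificate_key from an Nginx config file and
# confirm both files are readable and belong together before a reload.
check_nginx_ssl_paths() {
    conf=$1
    cert=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n 1)
    key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n 1)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "missing ssl_certificate or ssl_certificate_key in $conf"; return 1
    fi
    [ -r "$cert" ] || { echo "cannot read $cert"; return 1; }
    [ -r "$key" ]  || { echo "cannot read $key"; return 1; }
    cert_matches_key "$cert" "$key" || { echo "$cert does not match $key"; return 1; }
    echo "ok: $cert matches $key"
}

# --- constructed demo material (stand-ins for the Let's Encrypt files) ---
demo_dir=$(mktemp -d)
# Throwaway 90-day self-signed leaf; with no intermediate, fullchain = 1 cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=meet.lorist.me' \
    -keyout "$demo_dir/privkey.pem" -out "$demo_dir/fullchain.pem" 2>/dev/null
# An unrelated key, to show what a mismatch looks like.
openssl genpkey -algorithm RSA -out "$demo_dir/other.pem" 2>/dev/null
# Nginx fragments shaped like the pexapp file: one correct, one using the wrong key.
cat > "$demo_dir/pexapp" <<EOF
server {
    listen 443 ssl;
    ssl_certificate $demo_dir/fullchain.pem;
    ssl_certificate_key $demo_dir/privkey.pem;
}
EOF
cat > "$demo_dir/pexapp_bad" <<EOF
server {
    ssl_certificate $demo_dir/fullchain.pem;
    ssl_certificate_key $demo_dir/other.pem;
}
EOF

echo "certificates in chain: $(count_chain_certs "$demo_dir/fullchain.pem")"
check_nginx_ssl_paths "$demo_dir/pexapp"
check_nginx_ssl_paths "$demo_dir/pexapp_bad" || true
if cert_expires_within_days "$demo_dir/fullchain.pem" 30; then
    echo "renewal due: the next 'certbot-auto renew' cron run will replace the cert"
else
    echo "renewal not due yet: 'certbot-auto renew' will exit without changes"
fi
```

The key/certificate comparison works on the public key rather than the RSA modulus, so it behaves the same if a future certificate uses an ECDSA key. Running check_nginx_ssl_paths against the real pexapp file just before the service nginx reload in the cron job is a cheap way to avoid reloading into a broken configuration.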
