This is a very quick guide for setting up Let’s Encrypt on Arch Linux, so you can get free, browser-trusted SSL certificates for all your (sub)domains. Start by installing simp_le-git from AUR:
$ wget https://aur.archlinux.org/cgit/aur.git/snapshot/simp_le-git.tar.gz
$ tar -xzvf simp_le-git.tar.gz
$ cd simp_le-git && makepkg -si
We used simp_le here because the official Let’s Encrypt client tries to automatically alter your webserver configuration and as any self-respecting sysadmin would tell you, that’s a big no-no.
Now, let’s create a certificate for our domain, in this case le.example.com. First, you need to choose a directory where you can store your certificate like this:
# mkdir -p /srv/certs/le.example.com
You can obviously choose a different directory. One thing to have in place first: simp_le proves you control the domain with the HTTP-01 challenge, which means it writes a token file under /path/to/my/webroot/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP, so nginx must already be serving that webroot on port 80 for le.example.com. Now that everything is set, let's create the certificates!
# cd /srv/certs/le.example.com
# /usr/bin/simp_le -d le.example.com:/path/to/my/webroot -f key.pem -f cert.pem -f fullchain.pem
Your directory should now contain three pem files. Now, let’s add these certificates to nginx. Open your virtualhost configuration and edit the “server” definition like this:
server {
    listen 443 ssl;
    ssl_certificate /srv/certs/le.example.com/fullchain.pem;
    ssl_certificate_key /srv/certs/le.example.com/key.pem;
    server_name le.example.com;
    # rest of your config
}
If you’d also like to redirect all HTTP traffic to SSL, add the following server definition:
server {
    listen 80;
    server_name le.example.com;
    return 301 https://$server_name$request_uri;
}
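Both server blocks put together, as an added example that is not part of the original post. It keeps the guide's paths (/path/to/my/webroot is still a placeholder you must replace) and adds one thing the minimal version lacks: a location that serves the ACME challenge directory over plain HTTP before the catch-all redirect. Let's Encrypt does follow redirects during validation, but answering the challenge directly on port 80 means renewal does not depend on the HTTPS side being healthy, and on the very first issuance there is no certificate yet, so the 443 block cannot even be loaded. The protocol list is pinned explicitly; TLSv1.3 needs nginx 1.13 built against OpenSSL 1.1.1 or newer, so drop it if yours is older.

```nginx
# Plain-HTTP side: answer ACME challenges, redirect everything else.
server {
    listen 80;
    server_name le.example.com;

    # simp_le writes challenge tokens to <webroot>/.well-known/acme-challenge/,
    # so "root" must point at the same webroot you pass to simp_le with -d.
    location /.well-known/acme-challenge/ {
        root /path/to/my/webroot;   # placeholder, replace with the real webroot
        default_type text/plain;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS side: the certificate simp_le issued into /srv/certs/le.example.com.
server {
    listen 443 ssl;
    server_name le.example.com;

    ssl_certificate     /srv/certs/le.example.com/fullchain.pem;
    ssl_certificate_key /srv/certs/le.example.com/key.pem;

    # Only modern protocol versions; remove TLSv1.3 on nginx/OpenSSL builds
    # that predate it, otherwise "nginx -t" rejects the directive.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # rest of your config
}
```

The challenge location must come before the redirect; nginx picks the longest matching prefix location, so a request for /.well-known/acme-challenge/<token> lands there rather than in the catch-all.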
Make sure you didn’t make any syntax errors:
# nginx -t
If all went well, just restart nginx:
# systemctl restart nginx
And that's it! You should now be able to open https://le.example.com, and http://le.example.com should redirect to the former.
Finally, let’s set a cronjob to automatically update our certificate when needed. Open up root’s crontab with:
# crontab -e
and add the following lines:
# Update lets encrypt certs for le.example.com
00 1 * * * cd /srv/certs/le.example.com && /usr/bin/simp_le -d le.example.com:/path/to/my/webroot -f key.pem -f cert.pem -f fullchain.pem && systemctl reload nginx
This will check your certificate once a day at 01:00 and, if necessary, renew it and reload nginx. The reload is gated by simp_le's exit status: it exits 0 only when it actually wrote a new certificate, 1 when the current one is still valid for longer than its renewal window, and 2 on error, so with the && chain nginx is not reloaded unless something changed. The flip side is that an error also ends the chain silently; unless cron mails you its output, keep an eye on the expiry date yourself.
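A small wrapper for the cron job, added here as an example and not taken from the original post or from simp_le. It makes the three exit codes explicit instead of relying on the && chain, refuses to reload nginx when the configuration fails its syntax check, and keeps key.pem root-only. The script name (renew-le.sh), the "run" argument and the NGINX_TEST/NGINX_RELOAD overrides are my own conventions; the paths are the ones used throughout this guide, with /path/to/my/webroot still a placeholder.

```shell
#!/bin/sh
# renew-le.sh: hypothetical renewal wrapper (added example, not from the original post).
# It replaces the bare "&&" chain in the crontab so that simp_le's exit codes are
# handled explicitly and nginx is only reloaded after its config passes "nginx -t".
set -u

CERT_DIR=/srv/certs/le.example.com
DOMAIN=le.example.com
WEBROOT=/path/to/my/webroot      # placeholder from the guide; set your real webroot

# Overridable so the decision logic can be exercised without nginx present.
: "${NGINX_TEST:=nginx -t}"
: "${NGINX_RELOAD:=systemctl reload nginx}"

# simp_le exit status: 0 = a new certificate was written, 1 = renewal not
# necessary, anything else = error. Map that to the action we take.
decide_action() {
    case "$1" in
        0) echo reload ;;
        1) echo noop ;;
        *) echo error ;;
    esac
}

# The private key is the only secret in the directory; keep it root-only
# regardless of the umask simp_le happened to run under.
harden_key() {
    if [ -f "$CERT_DIR/key.pem" ]; then
        chmod 600 "$CERT_DIR/key.pem"
    fi
}

# Run the renewal command given as arguments, then act on its status.
# Returns 0 when renewed or not needed, non-zero when renewal or reload failed.
renew_and_reload() {
    if "$@"; then status=0; else status=$?; fi
    case "$(decide_action "$status")" in
        reload)
            harden_key
            # Never reload on a config that fails the syntax check.
            $NGINX_TEST && $NGINX_RELOAD
            ;;
        noop)
            return 0
            ;;
        error)
            echo "simp_le failed for $DOMAIN (exit $status)" >&2
            return 1
            ;;
    esac
}

# The real renewal only runs when invoked as "renew-le.sh run", e.g. from cron:
#   00 1 * * * /usr/local/sbin/renew-le.sh run
if [ "${1:-}" = run ]; then
    cd "$CERT_DIR" || exit 1
    renew_and_reload /usr/bin/simp_le -d "$DOMAIN:$WEBROOT" \
        -f key.pem -f cert.pem -f fullchain.pem
fi
```

Because the script exits non-zero on an error or a failed syntax check, cron (if an MTA is configured) mails you the stderr line, and a broken nginx.conf never gets reloaded into the running server.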
I hope this guide is useful to someone willing to try out Let’s Encrypt. If you have any question, do let me know in the comments.