Let's Encrypt on Arch Linux with Nginx and automatic renewals


This is a very quick guide for setting up Let’s Encrypt on Arch Linux, so you can get free, browser-trusted TLS (SSL) certificates for all your (sub)domains. Start by installing simp_le-git from the AUR (run makepkg as a normal user, not as root; -s pulls in the build dependencies and -i installs the finished package):

$ wget https://aur.archlinux.org/cgit/aur.git/snapshot/simp_le-git.tar.gz
$ tar -xzvf simp_le-git.tar.gz
$ cd simp_le-git && makepkg -si

We use simp_le here because the official Let’s Encrypt client’s webserver plugins rewrite your nginx or Apache configuration for you, and as any self-respecting sysadmin would tell you, that’s a big no-no. simp_le only talks to the ACME server, drops the challenge response into your webroot and writes the key and certificates where you tell it to; the webserver configuration stays in your hands.

Now, let’s create a certificate for our domain, in this case le.example.com. First, choose a directory where the private key and certificates will be stored:

# mkdir -p /srv/certs/le.example.com

You can obviously choose a different directory, but keep it outside any webroot and readable only by root: key.pem is the private key that identifies your site, and anyone who can read it can impersonate you. Now that everything is set, let’s create the certificates!

# cd /srv/certs/le.example.com
# /usr/bin/simp_le -d le.example.com:/path/to/my/webroot -f key.pem -f cert.pem -f fullchain.pem

simp_le proves control of the domain by placing a file under /path/to/my/webroot/.well-known/acme-challenge/ that Let’s Encrypt fetches over plain HTTP, so nginx must already serve that webroot on port 80 for le.example.com. Your directory should now contain three pem files: key.pem (the private key), cert.pem (the leaf certificate) and fullchain.pem (the certificate followed by the intermediate, which is what nginx needs to send). Now, let’s add these certificates to nginx. Open your virtualhost configuration and edit the “server” definition like this (listen ... ssl replaces the older, since removed ssl on directive):

server {
    listen 443 ssl;
    ssl_certificate /srv/certs/le.example.com/fullchain.pem;
    ssl_certificate_key /srv/certs/le.example.com/key.pem;
    server_name le.example.com;

    # rest of your config
}

If you’d also like to redirect all HTTP traffic to HTTPS, add the following server definition:

server {
    listen 80;
    server_name le.example.com;
    return 301 https://$server_name$request_uri;
}

Keep in mind that this redirect also catches the ACME challenge requests. Let’s Encrypt’s validator follows redirects, so renewals keep working as long as the HTTPS server block serves the same webroot; if it doesn’t, exempt /.well-known/acme-challenge/ from the redirect. Make sure you didn’t make any syntax errors:

# nginx -t

If all went well, just restart nginx:

# systemctl restart nginx

And that’s it! You should now be able to open https://le.example.com, and http://le.example.com should redirect to it.

Finally, let’s set a cronjob to automatically update our certificate when needed. Open up root’s crontab with:

# crontab -e

and add the following lines:

# Update lets encrypt certs for le.example.com
00 1 * * * cd /srv/certs/le.example.com && /usr/bin/simp_le -d le.example.com:/path/to/my/webroot -f key.pem -f cert.pem -f fullchain.pem && systemctl reload nginx

This runs simp_le once a day. simp_le only requests a new certificate when the current one has less than --valid_min of validity left (2592000 seconds, i.e. 30 days, by default) and reports what it did through its exit status: 0 means the certificate was renewed, 1 means no renewal was necessary, 2 means an error. The && chain therefore reloads nginx only after a real renewal; after a 1 or a 2 nginx is left untouched, and in the error case cron mails you whatever simp_le printed, which is how you notice a failed run.
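As an added example (not part of the original post), the one-liner above can be turned into a small wrapper script that acts on simp_le’s documented exit status explicitly: reload nginx only on 0, stay quiet on 1, log and fail on 2, tighten the key file’s permissions after every issuance, and use a lock so a slow ACME exchange never overlaps the next cron tick. The script name /usr/local/bin/le-renew.sh, the lock file path and the DOMAIN/CERT_DIR/WEBROOT defaults are assumptions to adapt; flock is assumed to be available (it ships with util-linux on Arch).

```shell
#!/bin/sh
# le-renew.sh: cron wrapper around simp_le for one domain.
# Added example, not from the original post. DOMAIN, CERT_DIR, WEBROOT, the
# lock file and the install path /usr/local/bin/le-renew.sh are assumptions.
DOMAIN="${DOMAIN:-le.example.com}"
CERT_DIR="${CERT_DIR:-/srv/certs/$DOMAIN}"
WEBROOT="${WEBROOT:-/path/to/my/webroot}"
SIMP_LE="${SIMP_LE:-/usr/bin/simp_le}"
LOCK_FILE="${LOCK_FILE:-/run/lock/le-renew.lock}"

# Timestamped message on stderr; cron mails stderr, journald keeps it otherwise.
log() { printf '%s le-renew[%s]: %s\n' "$(date '+%F %T')" "$DOMAIN" "$*" >&2; }

# The actual ACME client call, isolated so it can be replaced (e.g. in tests).
run_simp_le() {
    cd "$CERT_DIR" && "$SIMP_LE" -d "$DOMAIN:$WEBROOT" \
        -f key.pem -f cert.pem -f fullchain.pem
}

reload_nginx() { systemctl reload nginx; }

# Only nginx's master process (running as root) ever reads the private key,
# so nobody else needs read access to it.
protect_key() { chmod 0600 "$CERT_DIR/key.pem"; }

# simp_le's exit status says what happened:
#   0  certificate (re)issued, files changed  -> protect key, reload nginx
#   1  certificate still valid, nothing done  -> success, no reload
#   2  error (network, ACME, webroot, ...)    -> leave nginx alone, report
renew() {
    if run_simp_le; then rc=0; else rc=$?; fi
    case "$rc" in
        0) protect_key && reload_nginx && log "renewed, nginx reloaded" ;;
        1) return 0 ;;
        *) log "simp_le failed with status $rc, nginx not reloaded"; return "$rc" ;;
    esac
}

# Only act when invoked as "le-renew.sh renew"; without the argument the file
# merely defines the functions, so it can be sourced or tested.
case "${1-}" in
    renew)
        # Serialize runs: a slow ACME exchange must not overlap the next cron tick.
        exec 9>"$LOCK_FILE"
        flock -n 9 || { log "another run is in progress"; exit 0; }
        renew
        exit $?
        ;;
esac
```

With this in place the crontab line shrinks to `00 1 * * * /usr/local/bin/le-renew.sh renew`, and a non-zero exit from the script means something actually went wrong rather than "nothing to do today".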

I hope this guide is useful to someone willing to try out Let’s Encrypt. If you have any questions, do let me know in the comments.
