One of the minor nuances I faced generating SSL certificates using certbot is
the fact that I did not understand the difference between the “standalone” and
“webroot” based approaches to obtaining a new certificate. This was partially due
to my impatience and my not reading the manual.
After I got timed out for too many retries, I looked a bit more into the
certbot documentation and understood that “webroot” is the right option for me,
since I already had an nginx(8) instance up and running and it is just a matter
of making the nginx(8) configuration for a particular website point to the right
location.
By peeking into trouble@’s configuration of nginx(8) instances using Let’s
Encrypt, I came across this rather nice template for the initial setup.
    server {
        listen 192.168.1.20:80;
        server_name example.com subdomain.example.com;
        access_log off;
        resolver 1.1.1.1;

        # For ACME Let's encrypt!
        location /.well-known/acme-challenge/ {
            alias /usr/local/www/.well-known/acme-challenge/;
            try_files $uri =404;
            allow all;
        }

        # # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        # location / {
        #     rewrite ^ https://$server_name$request_uri? permanent;
        # }
    }
The commented-out redirect block can be uncommented once you have the certificate
set up and an SSL section written for the nginx(8) instance; until then, leaving it
disabled keeps the ACME challenge reachable over plain HTTP. Do not forget to
restart / reload the nginx(8) instance for the configuration changes to take effect.
One way to test if the above setup is functioning correctly is to put a file at
/usr/local/www/.well-known/acme-challenge/file.txt and then access it via
http://example.com/.well-known/acme-challenge/file.txt. If you can see the
contents of the file, your configuration is good to go. (Do the test over plain
HTTP, without following redirects: that is how the ACME server will fetch the
challenge.)
Doing a webroot based certbot run should then yield a proper certificate. Note that
-w points at the webroot itself, not at the .well-known/acme-challenge/ directory,
since certbot appends that path on its own:

    $ certbot certonly --webroot -w /usr/local/www -d example.com -d subdomain.example.com
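The manual file.txt test above can be scripted as a pre-flight check to run before
certbot, so a broken location/alias block fails fast instead of costing another
validation attempt against the rate limit. The script below is an added example,
not part of the original post: it assumes the webroot layout shown above
(/usr/local/www) and that curl is installed. It writes a random token file into the
challenge directory, fetches it over plain HTTP the way the ACME server would
(no redirects followed), compares the two, and removes the token afterwards. The
fetch command can be overridden through the FETCH variable, which is what makes
it testable without a live web server.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes the post's webroot
# (/usr/local/www) and curl; the function names are this example's own.

# Default fetcher: print the body of a URL over plain HTTP.
#   -f  fail on 4xx/5xx, so a 404 from a wrong alias shows up as an error
#   -L  is deliberately omitted: an HTTP->HTTPS redirect must not hide a
#       misconfiguration, because the ACME validator will not follow one here
acme_default_fetch() {
    curl -fsS --max-time 10 "$1"
}

# acme_webroot_check WEBROOT DOMAIN
# Returns 0 when a token written under WEBROOT/.well-known/acme-challenge/
# comes back unchanged from http://DOMAIN/.well-known/acme-challenge/<token>,
# 1 on a fetch failure or a content mismatch. Set FETCH to substitute the
# command used to retrieve the URL (defaults to acme_default_fetch).
acme_webroot_check() {
    webroot="$1"
    domain="$2"
    fetch="${FETCH:-acme_default_fetch}"
    dir="$webroot/.well-known/acme-challenge"
    # Random token name so a stale file from an earlier run cannot mask a failure.
    token="check-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"

    mkdir -p "$dir" || return 1
    printf '%s\n' "$token" > "$dir/$token" || return 1

    got=$("$fetch" "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    rc=$?
    rm -f "$dir/$token"

    [ "$rc" -eq 0 ] && [ "$got" = "$token" ]
}

# Typical use, mirroring the post's certbot invocation:
#   acme_webroot_check /usr/local/www example.com &&
#   acme_webroot_check /usr/local/www subdomain.example.com &&
#   certbot certonly --webroot -w /usr/local/www -d example.com -d subdomain.example.com
```

Run it once per hostname listed in server_name: each name is validated separately
by the ACME server, and a DNS record pointing at a different host would pass for
one name and fail for the other.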
NOTE: certbot’s standalone option should be used when you do not have an HTTP
server up and you want certbot to bind port 80 itself for the duration of the
validation and then obtain the certificate.