To install certbot, follow the instructions on https://certbot.eff.org/
Since these instructions were written, Certbot has automated this process, making the task considerably easier!
By following the instructions on that site it is possible to install Certbot and configure NGINX automatically, without the manual steps below.
The command to get certificates from certbot (you need to include all the subdomains used in the stack):
sudo certbot certonly --webroot -w /var/www/html -d www.smart-factory.net,smart-factory.net,dev.smart-factory.net
To renew certificates (one-time test):
certbot certonly --webroot -w /var/www/html --cert-name zibawa.com -d zibawa.com,www.zibawa.com,app.zibawa.com,dashboard.zibawa.com,ldap.zibawa.com,rmq.zibawa.com,docs.zibawa.com
It is essential that all applications that need access to the SSL certificates have the appropriate permissions to read them.
The below assumes that your certificates are being created by Let's Encrypt (group letsencrypt). However, the same concept applies if you are self-certifying; in that case the user group is probably ssl-cert.
The certificates are stored here, and referenced from the NGINX configuration like this:
ssl_certificate /etc/letsencrypt/live/zibawa.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/zibawa.com/privkey.pem;
# cert.pem (the leaf certificate on its own) is not referenced here: NGINX is given fullchain.pem, which already contains it.
| File | Description |
|---|---|
| /etc/letsencrypt/live/zibawa.com/cert.pem | Your domain's certificate |
| /etc/letsencrypt/live/zibawa.com/chain.pem | The Let's Encrypt chain certificate |
| /etc/letsencrypt/live/zibawa.com/fullchain.pem | cert.pem and chain.pem combined |
| /etc/letsencrypt/live/zibawa.com/privkey.pem | Your certificate's private key |
Create the group letsencrypt:
sudo addgroup letsencrypt
Change the permissions of the certificate directories to 750. Attention! Some applications (such as postgres) require that their private key be 640 or less, so the below won't work if you have such an application, and you will need to change the individual certificates to 640.
sudo chmod 750 /etc/letsencrypt
sudo chmod 750 /etc/letsencrypt/live
sudo chmod 750 /etc/letsencrypt/keys
sudo chmod 750 /etc/letsencrypt/csr
sudo chmod 750 /etc/letsencrypt/archive
Change the ownership of the files to root:letsencrypt:
sudo chown -R root:letsencrypt /etc/letsencrypt
Add the following users to the group letsencrypt:
sudo usermod -a -G letsencrypt grafana
sudo usermod -a -G letsencrypt rabbitmq
sudo usermod -a -G letsencrypt openldap
sudo usermod -a -G letsencrypt zibawa
sudo usermod -a -G letsencrypt influxdb
sudo usermod -a -G letsencrypt postgres
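As an added check (not part of the original instructions), the following script audits the result of the steps above: it flags anything under the certificate tree that is readable by other users or group-writable, and reports any service user that is not a member of the group. It assumes GNU find and coreutils and the directory, group and user names used above.

```shell
#!/bin/sh
# Audit the certificate permission setup (constructed example, not part of the
# original instructions). Assumes GNU find/coreutils. Returns non-zero if anything
# under the tree is readable, writable or executable by "other", if any file is
# group-writable, or if a service user is missing from the group.

# check_tree_perms DIR
#   Prints every offending path; returns 0 if the tree is clean, 1 otherwise.
#   Symlinks are skipped (live/*.pem point into archive/, which is checked itself).
check_tree_perms() {
  dir="$1"
  # -perm /007: any "other" bit set;  -perm /020: group-writable
  offenders=$(find "$dir" ! -type l \( -perm /007 -o -perm /020 \) \
    -printf 'world-accessible or group-writable: %p\n')
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# check_group_members GROUP USER...
#   Prints each USER that is not in GROUP (primary or supplementary group);
#   returns 0 if all are members, 1 otherwise. Unknown users count as missing.
check_group_members() {
  group="$1"; shift
  missing=0
  for user in "$@"; do
    if ! id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
      printf 'user %s is not in group %s\n' "$user" "$group"
      missing=1
    fi
  done
  return "$missing"
}

# audit_letsencrypt DIR GROUP USER...
#   Runs both checks; returns 1 if either produced a finding.
audit_letsencrypt() {
  dir="$1"; group="$2"; shift 2
  rc=0
  check_tree_perms "$dir" || rc=1
  check_group_members "$group" "$@" || rc=1
  return "$rc"
}

# Runs only when invoked with arguments, e.g.:
#   sudo sh audit.sh /etc/letsencrypt letsencrypt grafana rabbitmq openldap zibawa influxdb postgres
if [ "$#" -gt 0 ]; then
  audit_letsencrypt "$@"
fi
```

Run it with sudo so that find can read the archive directory; a 640 private key (as postgres needs) passes the check.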
Now you are ready to configure SSL.