NGINX SSL on OS X with a letsencrypt cert

13 Jun 2016

Certbot (https://github.com/certbot/certbot) is the client previously known as the “Let’s Encrypt Client.” I’m using it on my OS X machine to provide a free SSL cert for an NGINX SSL termination instance.

As of last week (June 6, 2016), there was still a bug in the header generation for OS X that would prevent the client from working; the fix was to not allow the client to update itself.

Once you walk through the usual letsencrypt setup (choosing certonly), you may need to use the standalone auth mechanism if you’re running NGINX on a port other than the default (443).

Your certs will be output to /etc/letsencrypt/live/www.yourhostname.com/, so set up symlinks for nginx.conf to point at:

$ cd /usr/local/etc/nginx
$ sudo ln -s /etc/letsencrypt/live/www.yourhostname.com/privkey.pem ssl-nopw.key
$ sudo ln -s /etc/letsencrypt/live/www.yourhostname.com/fullchain.pem ssl-unified.crt

resulting in

lrwxr-xr-x  1 root   admin    47  8 Jan 20:52 ssl-nopw.key -> /etc/letsencrypt/live/www.yourhostname.com/privkey.pem
lrwxr-xr-x  1 root   admin    49  8 Jan 20:52 ssl-unified.crt -> /etc/letsencrypt/live/www.yourhostname.com/fullchain.pem

and the corresponding nginx.conf entry:

    server {
        listen       443 ssl;
        server_name  www;
        ssl_certificate      ssl-unified.crt;
        ssl_certificate_key  ssl-nopw.key;
        [...]
    }
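Because nginx.conf only sees the two symlinks, a renamed live/ directory, a renewal that rotated the key, or an expired cert all surface as a failed reload (or a broken TLS listener) rather than as an obvious error. The script below is an added example, not part of the original post: it checks the links from the setup above before you reload NGINX. It assumes the link names used in this post (ssl-unified.crt and ssl-nopw.key) inside the directory given as its argument, uses openssl for the key/cert match and expiry checks when it is installed, and runs nginx -t when the nginx binary is on the PATH. The file name tls-precheck.sh is a hypothetical choice.

```shell
#!/bin/sh
# tls-precheck.sh: sanity-check the symlinked Let's Encrypt files before reloading NGINX.
# Added example, not part of the original post. Assumed layout: the link names from the
# post (ssl-unified.crt, ssl-nopw.key) inside the NGINX config directory given as $1.

# check_link LINK: succeed only if LINK is a symlink whose target is an existing regular file.
check_link() {
    link="$1"
    if [ ! -L "$link" ]; then
        echo "not a symlink: $link" >&2
        return 1
    fi
    # -f follows the link, so a dangling link (e.g. after a renamed live/ directory) fails here
    if [ ! -f "$link" ]; then
        echo "dangling symlink: $link" >&2
        return 1
    fi
    return 0
}

# count_certs FILE: number of PEM certificate blocks; fullchain.pem should hold leaf + intermediate(s).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_pair CERT KEY [DAYS]: the private key must match the leaf certificate, and the
# certificate must stay valid for at least DAYS days (default 14). Returns 2 if openssl is missing.
check_pair() {
    cert="$1"; key="$2"; days="${3:-14}"
    command -v openssl >/dev/null 2>&1 || return 2
    # Compare the SubjectPublicKeyInfo from the cert with the public half of the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    # -checkend exits non-zero if the cert expires within the given number of seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "certificate expires within $days days; renew before reloading" >&2
        return 1
    fi
    return 0
}

# precheck DIR: run every check against DIR/ssl-unified.crt and DIR/ssl-nopw.key,
# then test the NGINX configuration if the nginx binary is available.
precheck() {
    dir="$1"
    crt="$dir/ssl-unified.crt"
    key="$dir/ssl-nopw.key"
    check_link "$crt" || return 1
    check_link "$key" || return 1
    n=$(count_certs "$crt")
    if [ "$n" -lt 2 ]; then
        echo "$crt holds $n certificate(s); expected leaf plus intermediate (fullchain.pem)" >&2
        return 1
    fi
    rc=0
    check_pair "$crt" "$key" 14 || rc=$?
    if [ "$rc" -eq 1 ]; then
        return 1
    elif [ "$rc" -eq 2 ]; then
        echo "openssl not found; skipped key match and expiry checks" >&2
    fi
    if command -v nginx >/dev/null 2>&1; then
        nginx -t || return 1
    fi
    echo "ok: $crt and $key are consistent"
    return 0
}

# Usage: sh tls-precheck.sh /usr/local/etc/nginx
if [ $# -eq 1 ]; then
    precheck "$1"
fi
```

Run it as `sh tls-precheck.sh /usr/local/etc/nginx` right before `nginx -s reload` (or from the launchctl job that handles renewal); a non-zero exit means the links, the key/cert pairing, the chain length, or the config is not in a state you want a live listener to pick up.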

References

  1. Where to set NGINX SSL settings in nginx.conf
  2. Setting up automatic check with launchctl