Tag: let’s encrypt

Using certbot apply let’s encrypt certificate

Using certbot apply let's encrypt certificate

In order to use NGINX module, certbot needs to use it's own NGINX server or it needs to modify the NGINX configuration.

Steps

Preparation

  • Shutdown application which listening on port 80 and port 443
docker stop nginx
  • Install software if haven't installed

Note: skip this step if packages installed

apt install certbot
apt install python3-certbot-nginx
  • Request certificate

Note: do not need to start nginx service, certbot will start it automatically

certbot certonly --nginx -d <domain1> -d <domain2>
  • certificate location

Certificate can be found in following directory

ls /etc/letsencrypt/live/domain1/
  • stop nginx created by certbot
systemctl stop nginx
systemctl disable nginx
  • setup docker certificates

Copy privkey.pem and fullchain.pem into docker configuation directory.

Another way

Run certbot docker choud be better as no additional package install, and the certbot service can be stopped using docker command

References

Issue using certbot with nginx
Get Certbot

Install *Synology* NAS managed *Let’s Encrypt Certificate* in *NGINX*

Install Synology NAS managed Let's Encrypt Certificate in NGINX

Certificate Management

Synology NAS can be used for certificate management, and Let's Encrypt certificate can be exported as ZIP file used for NGINX HTTPS configuration.

  1. Go to Control Panel -> Security -> Certificate
  2. Select certificate to be exported
  3. Select Export Certificate from right click menu
  4. Save exported file

In downloaded ZIP file, following files can be found.

  • certs.pem
  • chain.pem
  • privkey.pem

NGINX configuration

  1. Concatenate cert.pem and chain.pem to cert-with-chain.pem (or fullchain.pem) file

  2. Copy cert-with-chain.pem and privkey.pem into NGNIX conf.d folder

  3. Verify NGINX configuration as below

ssl_certificate     conf.d/cert-with-chain.pem;
ssl_certificate_key conf.d/privkey.pem;
  1. Restart NGINX

Verification

Browser

The date of issue for new certificate should be displayed in certificate information window.

Command line

Following command can be used for verification

openssl s_client -connect <domain_name>:<port>

If got following error, concatenate chain.pem into cert.pem, because the full chain is required.

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate

References

How to install Let's Encrypt on Nginx

Replace Certificate in Synology NAS

Replace Certificate in Synology NAS

Fill up info

Following steps can be used to replace certificate (not renew) in Synology NAS user interface.

  • Go to Control Panel -> Security -> Certificate
  • Select Add -> Add
  • Select Replace an existing certificate
  • Choose the certificate to be replaced
  • Select Get a certificate from Let's Encrypt
  • Fill up info, includes domain, email, alias (seperated by semi-colons)

Change port forwarding

Now, make sure Synology NAS can be accessed from internet via port forwarding at port 80 and 443 if required.

Suggest using A * record in DNS entry to avoid DNS change. Use NGINX to redirect traffic to this host.

Generate

Then generate certificate.