I’ve been running this site on nearlyfreespeech for some time now.
Last week I created a cert using the tools and service made available by letsencrypt.org, and then configured my NFS server to use it. It was pretty easy, but not documented. I’ll share here what I did to make it work.
I am able to SSH into the nearlyfreespeech server. I can also perform a git clone from that server to get the letsencrypt tools. But when I ran the letsencrypt-auto tool from the server, it didn’t do what I wanted it to do. This was my first time with the tool, and I’m unfamiliar with the options, so maybe it was just pilot error.
In any case, I solved it by running the tool on my Mac OSX machine and transferring the generated PEM files to the server.
- I ran git clone on my local workstation (Mac OSX)
- from there, I ran the letsencrypt tool with these options:
./letsencrypt-auto certonly --manual \ -d www.dinochiesa.net -d dinochiesa.net \ --email email@example.com
- follow the instructions. I needed to create endpoints on my NFS server that responded with specific values.
- when that completed, I had the cert and keys in PEM format. I then copied them to /home/protected/ssl on the NFS server
- opened a service ticket on NFS as per This FAQ
- a couple hours later, the NFS people had completed the SSL config for me
Maybe this will help someone else.
It’s possible that I could have used the –manual option on the NFS Server, and avoided the need to transfer files. Not sure. If anyone else has done this, I’d like to know. I will need to renew my certs every couple months.
I’m really pleased about the letsencrypt service. I hope it gets used widely.
Update, 2017 December 7: I’ve updated my certs 3 or 4 times since I made this post. Now, this is what I do:
sudo certbot certonly \ --authenticator manual \ --domain www.dinochiesa.net \ --domain dinochiesa.net \ --email firstname.lastname@example.org \ --rsa-key-size 4096
I’ve automated the other parts – creating the right endpoints on the NFS server, and then copying the generated certs when they’re sent. Also NFS no longer requires a service ticket; it will automatically install certs when I update them. The change takes a minute or less. Super easy.