Certificates 🔗

We're proudly using free Let's Encrypt certificates on peori.space.

Useful links:

• certs.peori.space

Create a new certificate 🔗

Create a new certificate with:

sudo certbot certonly --webroot -w /var/lib/letsencrypt/ -d <new subdomain>.peori.space

If you want more than one certificate, pass -d multiple times.

Let's Encrypt will send you a challenge before letting you create the domain for real. The challenge can be done via HTTP or via DNS.

HTTP Challenge 🔗

Let's Encrypt will request /.well-know n/acme-challenge/${FILENAME} on the domain you're trying to register, and expects to receive the content of /var/lib/letsencrypt/${FILENAME}: a temporary file kindly created by certbot. This can be achieved by having an Nginx vhost similar as the following:

server {
	listen 80;
	server_name ${SUBDOMAIN}.peori.space;

	location /.well-known/acme-challenge {
		root /var/lib/letsencrypt;
		default_type "text/plain";
		try_files $uri =404;
	}
}

Or to make it simpler...

server {
	listen 443 ssl;
	server_name ${SUBDOMAIN}.peori.space;
	include vhosts-conf/servers-peoro/global/restrictions.conf;
}

Remember to change the ${SUBDOMAIN} and to sudo systemctl reload nginx.

DNS Challenge 🔗

No idea. Ask @yuri ❤️

Use the certificate 🔗

You'll have to tell whichever service you want to use the certificate for to use it.

With Nginx this is pretty simple.

Just add the following to a server block:

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${SUBDOMAIN}.peori.space/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${SUBDOMAIN}.peori.space/privkey.pem;

And once again, change ${SUBDOMAIN} and sudo systemctl reload nginx.