
Free SSL with Rails and Nginx using Let's Encrypt

Chris Oliver asked in General

Nice tutorial! Exactly what I was looking for!

Alejandro Ventura

I got this error after running `./letsencrypt-auto`:

```text
...
Setting up python-pkg-resources (20.7.0-1) ...
Setting up python-virtualenv (15.0.1+ds-3ubuntu1) ...
Setting up python3-virtualenv (15.0.1+ds-3ubuntu1) ...
Setting up virtualenv (15.0.1+ds-3ubuntu1) ...
Processing triggers for libc-bin (2.23-0ubuntu5) ...
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /home/deploy/.local/...ncrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
```

Any help with this?

Jaunty Kaushal

I used: `sudo apt install letsencrypt`

It worked well (you just have to update the paths for the command).

Getting the following error after running `./letsencrypt-auto`:

`Failed to install a working "virtualenv" command, exiting`

I followed these steps and found that `sudo apt-get install letsencrypt` got me up and running. No need to install from github source. https://certbot.eff.org/#ub...

@excid3 what do you mean by "Add the following lines to your server block for your app and be sure to change example.com to your domain."?

Where do I find the server block? Is this the `server { }` block in the `/etc/nginx/nginx.conf` file?

Or, in my case, as I am running Passenger, `sudo nano /etc/nginx/sites-enabled/default`?

Holy shit, it works!

I also added `30 2 * * 1 letsencrypt renew` to my cron jobs, as I have letsencrypt installed.

Awesome! So is there any way to know for sure that the renew cron job is running? I guess one way is to just make sure I'm not getting renewal emails? It'd be nice if there was some way to check the status of a cert, or to know that the job ran?

Let's Encrypt should write logs somewhere, or you could tack on a little bash snippet to have it output to your own log file too and write the last timestamp it ran.

vic turuthi

Awesome tutorial Chris. You're the best. I restarted the server with no error. However, the browser still shows that my connection is insecure and doesn't show a green padlock. SSL checker shows that the two domains www.example.com and example.com are encrypted. What could be the issue?

Hey Chris Oliver, any tips for doing this when running multiple domains on one server or having subdomains, i.e. example.com and foo.example.com? I have two server blocks for nginx, but they are trying to share the same certificate, so Chrome throws a security error.

You'd want two server blocks like you said and each one would point to different SSL certs if you wanted them both on SSL.

Cheers, that is what I ended up doing. Had to figure out how to create the two server blocks, but ended up with it all as follows. This was two apps on one server, one app called example and the other called foo, with foo directed to the subdomain foo.example.com but using the example.com certificate.

`/etc/nginx/sites-available/example.com`
```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;
    passenger_enabled on;
    passenger_ruby /home/deploy/.rbenv/shims/ruby;
    rails_env production;
    root /home/deploy/example/current/public;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /home/deploy/dhparams.pem;
}
```

`/etc/nginx/sites-available/foo.example.com`

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name foo.example.com;
    passenger_enabled on;
    passenger_ruby /home/deploy/.rbenv/shims/ruby;
    rails_env production;
    root /home/deploy/foo/current/public;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /home/deploy/dhparams.pem;
}
```

Then symlinked them in the sites-enabled directory:

```bash
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/foo.example.com /etc/nginx/sites-enabled/
```

Then ran Let's Encrypt using certbot:

```bash
sudo certbot certonly --webroot --webroot-path /home/deploy/sales_playbook/current/public --renew-by-default --email me[email protected] --text --agree-tos -d example.com -d foo.example.com
```
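The two server blocks above point foo.example.com at the example.com certificate, which only works because the certbot command requests both names with `-d` so they land in one certificate's SAN list, and earlier in the thread someone asked how to know the renew cron job is really running. This added Ruby script (not from the tutorial or any commenter) reads a `fullchain.pem`, lists its SANs and computes days to expiry, so a low number flags a renewal that did not happen; `sample_cert` is a constructed self-signed stand-in used only when no file path is given.

```ruby
require 'openssl'

# Inspect the leaf certificate of a PEM chain such as
# /etc/letsencrypt/live/example.com/fullchain.pem and report whether the
# renew cron job has actually kept it fresh. `now` is injectable for testing.
def cert_status(pem, now: Time.now, warn_days: 30)
  leaf = OpenSSL::X509::Certificate.new(pem) # first cert in fullchain.pem is the leaf
  san = leaf.extensions.find { |e| e.oid == 'subjectAltName' }
  names = san ? san.value.split(/,\s*/).map { |n| n.sub(/\ADNS:/, '') } : []
  days_left = ((leaf.not_after - now) / 86_400).floor
  {
    subject: leaf.subject.to_s,
    sans: names,                       # every hostname nginx may serve with this cert
    not_after: leaf.not_after,
    days_left: days_left,
    expired: now > leaf.not_after,
    renew_due: days_left <= warn_days  # certbot renews within the last 30 days
  }
end

# Constructed, self-signed stand-in for a Let's Encrypt leaf (hypothetical
# sample data so the script runs offline; real checks read the live file).
def sample_cert(days_valid:, names: %w[example.com foo.example.com], now: Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{names.first}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = now - 3600
  cert.not_after = now + days_valid * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', names.map { |n| "DNS:#{n}" }.join(',')))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem = ARGV[0] && File.file?(ARGV[0]) ? File.read(ARGV[0]) : sample_cert(days_valid: 20)
  s = cert_status(pem)
  puts "#{Time.now.utc} #{s[:subject]} covers #{s[:sans].join(', ')}; " \
       "expires #{s[:not_after]} (#{s[:days_left]} days left)"
  puts 'renewal overdue: check the cron job and certbot logs' if s[:renew_due]
end
```

Saved as, say, `cert_status.rb` and appended to the weekly cron entry with `>> /var/log/cert-check.log`, it leaves the timestamped record of each run that the thread was asking for. The posted `ssl_protocols` lines also enable TLSv1 and TLSv1.1, which are deprecated (RFC 8996); a hardened copy lists only TLSv1.2 and TLSv1.3 where the nginx/OpenSSL build supports them.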

Manoj Aryan

Failed authorization procedure. time out

Hi! Thanks for the awesome tutorial. I have a problem after the certbot installation on the server: now I can't run `rake assets:precompile` as usual. How can I fix this? I posted my issue here: https://stackoverflow.com/q...
