Free SSL with Rails and Nginx using Let's Encrypt

General • Asked by Chris Oliver

Nice tutorial! Exactly what I was looking for!



I got this error after running `./letsencrypt-auto`:

```
...
Setting up python-pkg-resources (20.7.0-1) ...
Setting up python-virtualenv (15.0.1+ds-3ubuntu1) ...
Setting up python3-virtualenv (15.0.1+ds-3ubuntu1) ...
Setting up virtualenv (15.0.1+ds-3ubuntu1) ...
Processing triggers for libc-bin (2.23-0ubuntu5) ...
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /home/deploy/.local/...ncrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
```

Any help with this?

I used: `sudo apt install letsencrypt`

It worked well (you just have to update the paths for the command).


Getting the following error after running `./letsencrypt-auto`:

`Failed to install a working "virtualenv" command, exiting`

I followed these steps and found that `sudo apt-get install letsencrypt` got me up and running. No need to install from github source. https://certbot.eff.org/#ub...


@excid3 what do you mean by "Add the following lines to your server block for your app and be sure to change example.com to your domain."?

Where do I find the `server block`? Is this the `server { }` in the `/etc/nginx/nginx.conf` file?

Or, in my case, as I am running Passenger, `sudo nano /etc/nginx/sites-enabled/default`?

Holy shit, it works!

I also added `30 2 * * 1 letsencrypt renew` to my cron jobs, as I have letsencrypt installed.


Awesome! So is there any way to know for sure that the renew cron job is running? I guess one way is to just make sure I'm not getting renewal emails? It'd be nice if there was some way to check the status of a cert, or to know that the job ran?

Let's Encrypt should write logs somewhere, or you could tack on a little bash snippet to have it output to your own log file too and write the last timestamp it ran.
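One way to get the "did the renew job actually run" answer the reply above suggests, as an added shell example that is not from the tutorial or any commenter: a wrapper that appends a timestamped record of every `certbot renew` run to its own log, then checks how much validity the issued certificate has left with `openssl x509 -checkend`. The log path and certificate path are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example (not from the tutorial or its comments): wraps `certbot renew` so each
# cron run leaves a timestamped line in a log, and checks that the live certificate
# still has enough validity left. LOG and CERT are assumed paths; override via env.
LOG="${LOG:-/var/log/letsencrypt-renew.log}"
CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# log_renew: run `certbot renew`, recording start time, end time and exit status in $LOG.
log_renew() {
  printf '%s renew start\n' "$(now)" >>"$LOG"
  certbot renew --quiet >>"$LOG" 2>&1
  status=$?
  printf '%s renew exit=%s\n' "$(now)" "$status" >>"$LOG"
  return "$status"
}

# cert_ok CERT DAYS: exit 0 if CERT is still valid DAYS from now, non-zero if it
# expires sooner or cannot be read. -checkend takes seconds, so convert days.
cert_ok() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Only act when invoked with "run", e.g. from cron (assumed install path):
#   30 2 * * 1 /usr/local/bin/renew-check.sh run
# certbot renews within 30 days of expiry, so a weekly job that works leaves more
# than 20 days of validity; less than that means the job is not doing its work.
if [ "${1:-}" = "run" ]; then
  log_renew
  if cert_ok "$CERT" 20; then
    printf '%s cert ok (more than 20 days left)\n' "$(now)" >>"$LOG"
  else
    printf '%s WARNING: cert expires within 20 days\n' "$(now)" >>"$LOG"
    exit 1
  fi
fi
```

Run `tail /var/log/letsencrypt-renew.log` (or whatever LOG you chose) after the scheduled time to confirm the job ran and what certbot returned.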


Awesome tutorial Chris. You're the best. I restarted the server with no error. However, the browser still shows that my connection is insecure and doesn't show a green padlock. SSL checker shows that the two domains www.example.com and example.com are encrypted. What could be the issue?


Hey Chris Oliver, any tips for doing this when running multiple domains on one server or having subdomains, i.e. example.com and foo.example.com? I have two server blocks for nginx, but they are trying to share the same certificate, so Chrome throws an error around security.

You'd want two server blocks like you said and each one would point to different SSL certs if you wanted them both on SSL.

Cheers, that is what I ended up doing. Had to figure out how to create the two server blocks, but ended up with all as follows. This was two apps on one server, one app called example and the other called foo, with foo directed to subdomain foo.example.com but using the example.com certificate.

`/etc/nginx/sites-available/example.com`:

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name example.com;
    passenger_enabled on;
    passenger_ruby /home/deploy/.rbenv/shims/ruby;
    rails_env production;
    root /home/deploy/example/current/public;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /home/deploy/dhparams.pem;
}
```

`/etc/nginx/sites-available/foo.example.com`:

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name foo.example.com;
    passenger_enabled on;
    passenger_ruby /home/deploy/.rbenv/shims/ruby;
    rails_env production;
    root /home/deploy/foo/current/public;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /home/deploy/dhparams.pem;
}
```

Then symlinked them in the sites-enabled directory:

```shell
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/foo.example.com /etc/nginx/sites-enabled/
```

Then ran Let's Encrypt using certbot:

```shell
sudo certbot certonly --webroot --webroot-path /home/deploy/sales_playbook/current/public --renew-by-default --email [email protected] --text --agree-tos -d example.com -d foo.example.com
```


Failed authorization procedure. time out


Hi! Thanks for the awesome tutorial. I have a problem after the certbot installation on the server, and now I can't run `rake assets:precompile` as usual. How can I fix this? I posted my issue here: https://stackoverflow.com/q...
