I got my hands on the LetsEncrypt beta and am already testing it out. In case it wasn't obvious, if you have sites that are SSL only (I have a few subdomains which do not operate on http/port 80), you will need to set them up. Here is a quick example of how I adjusted my Nginx to only support the LetsEncrypt script on port 80, while making sure everyone else is https only.
    server {
        listen 80;
        listen [::]:80;
        server_name sub.domain.com;

        # Serve the ACME challenge files over plain HTTP so the LetsEncrypt
        # client can validate the domain; nothing else is served on port 80.
        location /.well-known/acme-challenge {
            root /srv/sub.domain.com/public_html;
        }

        # Everything else is sent to the same path on HTTPS.
        location / {
            rewrite ^(.*) https://$server_name$1 permanent;
        }
    }
And if it helps anyone, here is the relevant portion of the server setup with SSL:
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name sub.domain.com;
        root /srv/sub.domain.com/public_html;

        # Certificate and key as written out by the LetsEncrypt client.
        ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;

        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # SSLv3 removed from the original list: it is broken (POODLE) and should not be offered.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # ... site-specific location blocks go here ...
    }
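To confirm the port-80 split actually behaves as intended (challenge path served directly, every other path a 301 to the same path on https, nothing else exposed over plain HTTP), here is an added check script; it is not part of the original post, and the host name sub.domain.com is a placeholder for your own.

```python
"""Added example: audit the plain-HTTP side of the split nginx config above."""
import http.client
import sys
from typing import Dict, List, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


def classify_plain_http(path: str, status: int, location: Optional[str],
                        host: str) -> str:
    """Return "ok" if one plain-HTTP response matches the intended policy,
    otherwise a short reason, so every misconfigured path can be reported."""
    if path.startswith(ACME_PREFIX):
        # The challenge directory must answer from disk (200, or 404 for an
        # unknown token) and never redirect, or the CA cannot validate.
        if status in (200, 404):
            return "ok"
        return f"challenge path got {status}"
    if status != 301:
        return f"expected 301, got {status}"
    expected = f"https://{host}{path}"
    if location != expected:
        return f"redirect to {location!r}, expected {expected!r}"
    return "ok"


def probe(host: str, path: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """One plain-HTTP GET without following redirects (needs a real host)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def audit(host: str, paths: List[str]) -> Dict[str, str]:
    """Probe each path and map it to its verdict."""
    return {p: classify_plain_http(p, *probe(host, p), host) for p in paths}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "sub.domain.com"  # placeholder
    checks = ["/", "/admin/", ACME_PREFIX + "probe-token"]  # constructed paths
    for path, verdict in audit(target, checks).items():
        print(f"{path:45} {verdict}")
```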
Check your listen attributes. I've sometimes seen this cause things to not work and other times you need this in order for it to work (with IPv6). Do a config test to make sure of your changes before restarting nginx.