ZeroSSL - Windows Tool
UPDATE 2020: Take a look here
I have posted previously about obtaining an SSL certificate for your own domain name. Previous post here.
This post demonstrates obtaining a cert using a Windows tool. The tool is available from ZeroSSL here.
ZeroSSL Tool
Download the file that matches your system architecture, x32 or x64. Unzip it and you should see a single file called le64.exe

NGINX Config & File Structure
To get the tool to fetch certificates automatically, we need to amend the NGINX config slightly.
We need to add the following location block to each server block:
location ^~ /.well-known/acme-challenge/ {
}
Here is my emby block with the line above
##EMBY Server##
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.mydomain.com;
    include ssl.conf;
    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
    location ^~ /.well-known/acme-challenge/ {
    }
}
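The extra location block allows the ACME challenge to verify that you own the domain you are trying to get a certificate for. Because it is empty and has no proxy_pass, requests under /.well-known/acme-challenge/ are served as files from disk instead of being forwarded to the proxied application. It needs to be added to each server block for this to work.
Save the config and restart NGINX.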
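A quick way to check that requirement before requesting a certificate, as an added example that is not part of the original post: this Python sketch finds each server block by brace matching and reports, for every domain you intend to pass to --domains, whether a server block exists and whether it contains the challenge location. The function names and the sample config are constructed for illustration.

```python
import re

ACME_LOCATION = re.compile(r"location\s+\^~\s+/\.well-known/acme-challenge/\s*\{")

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (assumes no '#' inside values)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf, domains):
    """Map each domain to 'ok', 'no challenge location' or 'no server block'."""
    status = {d: "no server block" for d in domains}
    for body in server_blocks(conf):
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        has_acme = bool(ACME_LOCATION.search(body))
        for name in (names.group(1).split() if names else []):
            # One block without the location is enough to flag the name.
            if name in status and status[name] != "no challenge location":
                status[name] = "ok" if has_acme else "no challenge location"
    return status

# Constructed sample: emby has the location, plex lacks it, www has no block.
SAMPLE = r'''
server {
    listen 443 ssl http2;
    server_name emby.mydomain.com;
    location / { proxy_pass http://127.0.0.1:8096; }
    location ^~ /.well-known/acme-challenge/ {
    }
}
server {
    listen 443 ssl http2;
    server_name plex.mydomain.com;
    location / { proxy_pass http://127.0.0.1:8080; }
}
'''

if __name__ == "__main__":
    wanted = "emby.mydomain.com,www.mydomain.com,plex.mydomain.com".split(",")
    for domain, state in audit(SAMPLE, wanted).items():
        print(f"{domain}: {state}")
```

To run it against a real setup, read your own nginx.conf into a string and pass it to audit() in place of SAMPLE.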
LE64.exe
Next we need to use the command line to start le64.exe with our custom arguments.
In your command prompt, change to the directory where you extracted le64.exe:
CD C:\le64\
Now run the following command
le64.exe --key account.key --email "you@example.com" --csr domain.csr --csr-key domain.key --crt domain.crt --domains "mydomain.com,emby.mydomain.com,www.mydomain.com,plex.mydomain.com" --generate-missing --unlink --path E:\NGINX\html\.well-known\acme-challenge
There are a few options you need to change:
- --email "you@example.com" - to your email address, keeping the ""
- --domains "mydomain.com,emby.mydomain.com" - list all the domains you want the cert to cover (I think max is 50~)
- --path E:\NGINX\html\.well-known\acme-challenge - change E:\NGINX to your NGINX location, keeping the html\.well-known\acme-challenge part
When you hit enter it will test your setup for the correct files and config; it basically gets a fake certificate. If this completes with no errors, you now need to add the argument --live to the end of the command above, like so:
le64.exe --key account.key --email "you@example.com" --csr domain.csr --csr-key domain.key --crt domain.crt --domains "mydomain.com,emby.mydomain.com,www.mydomain.com,plex.mydomain.com" --generate-missing --unlink --path E:\NGINX\html\.well-known\acme-challenge --live
Hit enter and it should go off and fetch your real domain.csr, account.key, domain.crt and domain.key. These will be downloaded into the le64 folder. Keep the csr and account.key safe; you will need these for renewal. domain.key is the certificate's private key, so keep it private as well.
Now that you have all this set up, you can re-run the above le64.exe command when it is time to renew and it's all done.