Setup Letsencrypt certificate

[scottmuc]

https://serverfault.com/questions/1031317/how-can-lets-encrypt-verify-the-identity-over-insecure-http

[scottmuc]

Ended up with the config:

server {
    server_name www.goodenoughmoney.com;

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.goodenoughmoney.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.goodenoughmoney.com/privkey.pem;

    index index.html index.htm;
    root /opt/goodenoughmoney;
}

server {
    server_name www.goodenoughmoney.com goodenoughmoney.com;

    listen 80;

    # if not a certbot challenge redirect to the https listener
    # and ensure the www.goodenoughmoney.com server_name
    if ($request_uri != /.well-known/acme-challenge/testfile) {
      return 301 https://www.goodenoughmoney.com$request_uri;
    }

    # only in the context of a certbot challenge
    root /opt/goodenoughmoney;
}

[scottmuc]

Command to install and renew certificate: sudo certbot certonly --webroot -w /opt/goodenoughmoney -d www.goodenoughmoney.com -m "scottmuc@gmail.com"

[scottmuc]

Also explored certbot renew and observed the following error... something for another day.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.goodenoughmoney.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.goodenoughmoney.com
Cleaning up challenges
Attempting to renew cert (www.goodenoughmoney.com) from /etc/letsencrypt/renewal/www.goodenoughmoney.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for www.goodenoughmoney.com:. Skipping.