How to renew Certbot (Let's Encrypt) for Rails app with Capistrano

I recently wrote an article on how to enable free SSL for a web-site. Now, when that cert needs renewing, I do the following:


certbot certonly -a webroot --webroot-path=/var/www/erudinsky.com/current/public/ -d erudinsky.com -d www.erudinsky.com

My project lives in /var/www/erudinsky.com/ and is deployed by Capistrano, so the current folder is just a symlink to the folder of the latest release. For renewal, Certbot creates a random file under the webroot and verifies that it can fetch this file over HTTP. So we need to teach the Rails setup to serve that random file on demand for verification.

  • Reconfigure the Nginx config for the web-site (if you run another HTTP server, let me know);
  • Fix deploy.rb;
  • Add a cron renewal task.

Nginx configuration

Add the following to your server {} configuration. This tells nginx to serve content from the /.well-known folder.


location ~ /.well-known {
    allow all;
}

Don't forget to run /etc/init.d/nginx restart to apply the settings to the server.

Capistrano configuration

In order to symlink the shared folder (so that a deploy neither erases nor detaches its content), add the following to deploy.rb:


set :linked_dirs, %w{ public/.well-known }

This means the public folder (as seen from the domain) serves that content from /path/to/website/shared/public/. :linked_dirs is widely used for serving user data (e.g. file uploads).
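To see why the linked directory matters, here is an added Ruby script (not from the original post or from Capistrano itself) that reproduces the Capistrano layout in a temporary directory: releases/<timestamp>, shared/, and a current symlink. It writes a challenge file the way certbot's webroot plugin does (under <webroot>/.well-known/acme-challenge/), then "deploys" a second release and checks whether the file is still reachable through current/public. The release names, token and key-authorization string are constructed for the demo.

```ruby
require "fileutils"
require "tmpdir"

# Create a release directory, link each linked_dir to shared/, and repoint
# `current` at it. This mimics what Capistrano does with `set :linked_dirs`.
def deploy_release(deploy_to, name, linked_dirs: ["public/.well-known"])
  release = File.join(deploy_to, "releases", name)
  FileUtils.mkdir_p(File.join(release, "public"))
  linked_dirs.each do |dir|
    shared = File.join(deploy_to, "shared", dir)
    FileUtils.mkdir_p(shared)
    target = File.join(release, dir)
    FileUtils.mkdir_p(File.dirname(target))
    FileUtils.ln_s(shared, target)
  end
  current = File.join(deploy_to, "current")
  FileUtils.rm_f(current)          # unlink the old symlink only, never its target
  FileUtils.ln_s(release, current)
  release
end

# certbot's webroot plugin writes the token under <webroot>/.well-known/acme-challenge/.
def write_challenge(webroot, token, key_authorization)
  dir = File.join(webroot, ".well-known", "acme-challenge")
  FileUtils.mkdir_p(dir)
  File.write(File.join(dir, token), key_authorization)
end

# What the ACME server would see when nginx serves the file from the webroot.
def challenge_served?(webroot, token, key_authorization)
  path = File.join(webroot, ".well-known", "acme-challenge", token)
  File.file?(path) && File.read(path) == key_authorization
end

# Returns [reachable before the second deploy, reachable after it].
def demo(linked_dirs:)
  token = "demo-token"                              # constructed
  key_auth = "demo-token.constructed-key-authorization"  # constructed
  Dir.mktmpdir("capistrano-acme") do |deploy_to|
    webroot = File.join(deploy_to, "current", "public")
    deploy_release(deploy_to, "20240101000000", linked_dirs: linked_dirs)
    write_challenge(webroot, token, key_auth)
    before = challenge_served?(webroot, token, key_auth)
    deploy_release(deploy_to, "20240102000000", linked_dirs: linked_dirs)
    after = challenge_served?(webroot, token, key_auth)
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo(linked_dirs: ["public/.well-known"])  # [true, true]
  p demo(linked_dirs: [])                      # [true, false]: file lost on deploy
end
```

Without the linked dir, the challenge file lives inside a single release and disappears as soon as `current` points somewhere else, which is exactly the failure that makes a renewal started between deploys time out.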

Cron renewal

The last piece should be even easier. Just add certbot renew to your cron every 3 months (the cert is valid for three months).
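Because certbot renew only replaces a certificate that is within 30 days of expiry and otherwise exits quietly, it helps to have a check that tells you whether a renewal was actually due and whether the cert now on disk has enough life left. The following Ruby snippet is an added example, not part of the original post: it reads a certificate with the standard OpenSSL library and reports the days remaining. The self-signed certificate it builds is constructed for the demo; in a real deployment you would read /etc/letsencrypt/live/<domain>/fullchain.pem instead.

```ruby
require "openssl"

# Build a self-signed certificate expiring at +not_after+ (constructed test data).
def build_demo_cert(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=example.test")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_after - 90 * 86_400   # Let's Encrypt certs last 90 days
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Whole days until the certificate in +pem+ expires, measured from +now+.
def days_until_expiry(pem, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  ((cert.not_after - now) / 86_400).floor
end

# certbot renew's default threshold is 30 days before expiry; below that a
# renewal run should have produced a new certificate.
def renewal_due?(pem, now = Time.now, threshold_days = 30)
  days_until_expiry(pem, now) <= threshold_days
end

if __FILE__ == $PROGRAM_NAME
  pem = build_demo_cert(Time.now + 20 * 86_400)
  puts "days left: #{days_until_expiry(pem)}, renewal due: #{renewal_due?(pem)}"
end
```

Pointing days_until_expiry at the live fullchain.pem after the cron job has run is a quick way to confirm that the renewed certificate was written, and that nginx should be restarted to pick it up.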


In short, this is about:
#certbot
#capistrano
#ssl
#rails
