I want to use Certbot with Let’s Encrypt, but I don’t want my webserver to hand over the certificate to everyone knocking at my front door on port 443.
Here’s how. I assume you already have nginx and certbot installed.
Generate a self-signed certificate:
    sudo mkdir -p /etc/nginx/ssl/
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Now use this certificate for the default listener, and answer every request with nginx’s non-standard status 444, which closes the connection without sending a response:
    server {
        server_name _;
        listen 80 default_server;
        listen 443 ssl default_server;
        # self-signed placeholder generated with:
        # sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        return 444; # close the connection, no response
    }
After that, all you have to do is create a server block for the real site in /etc/nginx/sites-enabled/, e.g. /etc/nginx/sites-enabled/blog.mydomain.com:
    server {
        listen 443 ssl;
        server_name blog.mydomain.com;
        root /var/www/blog.mydomain.com;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
Reload nginx.
Then run Certbot and follow the prompts:
    certbot --nginx --staple-ocsp -d blog.mydomain.com
A TLS connection that does not carry the proper host name (the SNI sent in the handshake) will now be shown the self-signed certificate and receive an empty response.
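To verify that claim from the outside, the following added script (not part of the original post) connects to the server’s IP twice, once with SNI set to the real host name and once without, and compares the certificate fingerprints and the reply. It uses only the Python standard library; the host name is the one from the post, the IP address is a constructed placeholder, and verification is deliberately disabled because the point is to observe the self-signed placeholder rather than fail on it.

```python
"""Check that the nginx catch-all block hides the real certificate.

Added example: probe an IP with and without SNI and compare the results.
"""
import hashlib
import socket
import ssl
import sys
from typing import Dict, List, Optional


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request; nginx routes plain HTTP on the Host header."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def classify_reply(raw: bytes) -> str:
    """'return 444' closes the connection without sending a byte, so an empty
    read means the catch-all block answered. 'HTTP/...' means a real block did."""
    if raw == b"":
        return "empty (444-style close)"
    if raw.startswith(b"HTTP/"):
        status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"http ({status_line})"
    return "unexpected bytes"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, the usual way to tell two certs apart."""
    return hashlib.sha256(der).hexdigest()


def probe(ip: str, sni: Optional[str], port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """One TLS connection to ip:port. sni=None sends no server name at all,
    which is what an IP-range scanner does."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we expect the placeholder cert to fail
    ctx.verify_mode = ssl.CERT_NONE     # verification, so do not enforce it here
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
            tls.sendall(build_request(sni or ip))
            chunks = []
            while True:
                try:
                    data = tls.recv(4096)
                except (ssl.SSLError, ConnectionResetError, socket.timeout):
                    break               # nginx dropped the connection (444)
                if not data:
                    break
                chunks.append(data)
    return {"sni": sni or "", "cert_sha256": fingerprint(der),
            "reply": classify_reply(b"".join(chunks))}


def assess(with_sni: Dict[str, str], without_sni: Dict[str, str]) -> List[str]:
    """Turn the two probe results into findings; an empty list means the
    catch-all behaves as the post describes."""
    findings = []
    if with_sni["cert_sha256"] == without_sni["cert_sha256"]:
        findings.append("same certificate served with and without SNI: "
                        "the real certificate is exposed to IP scans")
    if not without_sni["reply"].startswith("empty"):
        findings.append("catch-all block sent a response instead of closing: "
                        "check 'return 444' on the default_server block")
    return findings


if __name__ == "__main__":
    # Constructed placeholders; pass your own as: script.py <ip> <hostname>
    ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    host = sys.argv[2] if len(sys.argv) > 2 else "blog.mydomain.com"
    named = probe(ip, host)
    anonymous = probe(ip, None)
    for result in (named, anonymous):
        print(result)
    for finding in assess(named, anonymous) or ["ok: placeholder cert and empty reply without SNI"]:
        print(finding)
```

Run it against the real server once Certbot has finished: the no-SNI probe should report a different fingerprint than the SNI probe and an empty reply, which is exactly the behaviour the default_server block is there to produce.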