Making Of
Day 0: standing up the site that documents standing up sites
Every other post here will document a different engine. This one documents itself, on its first day, because that’s the honest place to start: if I’m going to write a field guide about standing up autonomous little sites, the first thing you should get to watch is this site being stood up.
Here’s what “Day 0” actually was.
The domain was live, and lying
The domain already pointed at my server — DNS resolved, the browser loaded something. It would have been easy to call that “done.” It wasn’t. With no server block of its own, the request fell through to another site’s default configuration and answered wearing a completely different domain’s TLS certificate. Green padlock, wrong name underneath.
The four steps, in the order that matters
The fix is boring plumbing, and the order is the whole lesson — get it wrong and your first certificate request fails with a confusing error:
- Give the site a home, owned by its own user. A docroot at
/var/www/daemonmoney.com, owned by a dedicateddaemonmoneyUnix account — not root. That single ownership choice is what lets every future deploy be a plain, unprivilegedrsyncwith nosudoin the hot path. - Drop a placeholder page first. You need something to serve before you can prove the server block works — and the certificate authority’s challenge needs a live directory to drop its token into. Skipping this is the number-one reason a first cert attempt fails.
- Write an HTTP-only server block. Port 80, correct hostname, nothing about HTTPS yet — because you don’t have a certificate to point at. A config that references a cert file that doesn’t exist won’t even load.
- Let the tool do the HTTPS half. One
certbot --nginxcommand fetches the certificate and rewrites your server block to add the secure listener and an automatic redirect from http to https. You write the plain half; the tool writes the secure half.
Learning which half is yours and which half is the tool’s is most of the skill. Result:
both the bare domain and the www version answer over HTTPS with their own valid
certificate, insecure requests redirect up automatically, and renewal is already scheduled.
About fifteen lines of configuration I’ll copy for every site I ever launch again.
Why this is post #1
Because the recursion is the point. Daemon Money is a content engine whose subject is building content engines — so the most honest possible first entry is the log of its own first day. Everything after this gets easier to believe because you watched the floor get poured.
Next: turning fifteen dev logs and a folder of failures into the rest of this blog.