The online space is increasingly becoming unsafe with hackers and fraudsters. One click on the wrong website and you could end up losing valuable information to dangerous attackers.
This trend has made many internet users more alert, and they stay away from unsecured sites. One of the ways they do this is by checking whether a site has a valid TLS/SSL certificate. If your website URL starts with http rather than https, browsers will automatically flag it as suspicious, and even if they don’t, most users will steer clear of it.
An SSL/TLS certificate is the “s” that makes the difference between http and https. As such, having a valid certificate is vital to the success of any website. Your visitors want to be assured that their data is safe from phishing scams and other attackers.
In this article, we look at Certbot SSL certificates, their use, renewal period, and renewal procedure.
What is Certbot Used For?
Certbot is software provided by Electronic Frontier Foundation (EFF) in an attempt to secure the internet. EFF exists to protect and defend civil liberties in the online world, which includes making it safe from hackers and scammers.
As important as it is, the process of obtaining a certificate from a Certificate Authority (CA) can be hectic. You need to get your website ready, contact a trusted CA, then set the certificate up correctly. You can avoid the hassle by using the EFF-provided Certbot.
Certbot will fetch a digital certificate from a trusted CA (Let’s Encrypt) and launch it for you. It also automates HTTPS management by allowing you to switch it on and off with simple commands.
The software fetches digital certificates from Let’s Encrypt, or from any other CA that uses the Automated Certificate Management Environment (ACME) protocol, and configures web servers to use them.
Here is how to know you can use Certbot.
- You are familiar with the command line
- You have an existing HTTP website with port 80 open online
- You have access to a server (dedicated, virtual private, or cloud-based)
What is Let’s Encrypt Certbot?
Let’s Encrypt Certbot combines a Certificate Authority and a client: Let’s Encrypt and Certbot, respectively.
Let’s Encrypt is an open and automated certificate authority that uses ACME to provide SSL Certificates. As a result, your online communication gets encrypted and kept safe. It was initiated by the EFF, Mozilla, and other organizations and runs on a web server where it can automatically generate certificates for web servers and applications.
One of the most popular clients for the CA is Certbot.
The following are characteristics of Let’s Encrypt:
- Free: Anyone can obtain a trusted certificate at no fee
- Secure: It will promote security best practices and secure servers
- Automatic: You can automate the process of obtaining, configuring, and renewing the certificate
- Transparent: All records of certificate issuance and revocation are public
- Open: It allows other CAs to use its renewal protocol
How Long Do Certbot Certs Last?
Certbot renews certificates every 60 days. However, this does not mean that the certificate from the CA lasts only that long; Let’s Encrypt certificates last for 90 days.
While 60 days seems like a short time, it is beneficial. It ensures you have a new certificate before the current one expires, so your site stays secured continuously. It also gives you time to renew your certificate manually in case something goes wrong.
The short time given by Let’s Encrypt provides two advantages.
- They mitigate the risk of compromised keys and mis-issuance. In addition, the fast renewal makes the previous certificate void.
- It promotes the automation of certificate renewal. You won’t have to renew your certificate every three months manually.
Certbot Renewal Process
If you are using Certbot, it will renew your Let’s Encrypt certificate every 60 days. Below we are going to take you through how to set this up. Remember that the process below requires that you already have a valid Let’s Encrypt SSL certificate.
Here is how to renew a Let’s Encrypt certificate.
1. Locate Certbot-Auto Package
The certbot-auto package is downloaded into your home directory when you configure SSL. You can locate the package using the ls command.
If the package was downloaded into a different directory, please find it. If you cannot find it, you can download it again by executing the following command:
wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto
2. Transfer Certbot-Auto Package
Once you have located the package, move it to the /etc/letsencrypt/ directory. You can achieve this by using the following command:
sudo mv certbot-auto /etc/letsencrypt/
Verify the move by using the command ls /etc/letsencrypt/ to see if it is present in the directory.
3. Configure Auto-Renew Script
Once you have verified the move, open your crontab file by executing the command sudo crontab -e and add an entry at the bottom. The entry will run weekly (Saturdays at 02:45) to check whether the expiration date is near.
Add one of the following two entries, depending on your setup.
For Click to Deploy users:
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && /etc/init.d/apache2 restart
For Bitnami users:
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot-auto renew && /opt/bitnami/ctlscript.sh restart
4. Conduct a Test Run
After adding the entry, you need to ensure it works. You can conduct a dry run to check whether renewal will succeed. Open a root shell first, then run the command for your setup:
sudo -i
- For Click to Deploy users:
cd /etc/letsencrypt/ && ./certbot-auto renew --dry-run && /etc/init.d/apache2 restart
- For Bitnami users:
cd /etc/letsencrypt/ && ./certbot-auto renew --dry-run && /opt/bitnami/ctlscript.sh restart
If it works, you are successful. Certbot will renew the certificates a month before expiry. You can visit ElevenGuard to confirm the expiration date.
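To confirm that the weekly cron job is actually renewing, the added example below (not part of the original article) classifies a certificate by the time it has left, using the 30-day renewal window and the weekly schedule from step 3. The function names, the certificate path (Certbot's default layout with a placeholder domain) and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example: classify a certificate by time left, using the article's
# numbers (renewal a month before expiry, cron entry that runs once a week).

DAY=86400
RENEW_WINDOW=$((30 * DAY))   # Certbot renews once fewer than 30 days remain
CRON_INTERVAL=$((7 * DAY))   # "45 2 * * 6" runs once a week

# renewal_state NOT_AFTER_EPOCH NOW_EPOCH
# Prints one of: OK, DUE, MISSED, EXPIRED
renewal_state() {
    left=$(( $1 - $2 ))
    if [ "$left" -le 0 ]; then
        echo EXPIRED     # certificate is no longer valid
    elif [ "$left" -lt $((RENEW_WINDOW - CRON_INTERVAL)) ]; then
        echo MISSED      # a weekly run fell inside the window and did not renew
    elif [ "$left" -lt "$RENEW_WINDOW" ]; then
        echo DUE         # inside the window; the next weekly run should renew
    else
        echo OK          # more than 30 days left, nothing to do yet
    fi
}

# cert_not_after_epoch PEM_FILE
# Reads notAfter with openssl and converts it with GNU date (assumed available).
cert_not_after_epoch() {
    end=$(openssl x509 -enddate -noout -in "$1") || return 1
    date -u -d "${end#notAfter=}" +%s
}

# check_cert PEM_FILE: print state and days left; exit non-zero on MISSED/EXPIRED
check_cert() {
    not_after=$(cert_not_after_epoch "$1") || { echo "cannot read $1" >&2; return 2; }
    now=$(date -u +%s)
    state=$(renewal_state "$not_after" "$now")
    echo "$state $(( (not_after - now) / DAY )) days left: $1"
    case "$state" in MISSED|EXPIRED) return 1 ;; esac
}

# Usage: sh check_renewal.sh /etc/letsencrypt/live/example.com/cert.pem
# (assumed path: Certbot's default layout; example.com is a placeholder)
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

A MISSED result means the certificate has fewer than 23 days left, so at least one weekly run happened inside the renewal window without producing a new certificate; that is the point at which the cron entry and its output need to be checked by hand.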
Having a secure website will drive viewers to your website. They’ll be assured of data transfers and the ability to communicate without fear of fraud or scams. Since you don’t want to spend all your DevOps time and resources on processes you can easily automate, you should consider getting yourself a Certbot certificate.
Get yourself a trusted SSL certificate and ensure you renew it on time. ElevenGuard is a fail-safe for Certbot automated certificate renewal, so you can get notified of certificate expiration dates before errors start happening.