Let’s Encrypt, a free certificate authority run by the Internet Security Research Group (ISRG) and sponsored by the EFF, Mozilla, and many other organizations, issues certificates over the ACME protocol. Certbot, the ACME client maintained by the EFF, is designed to run directly on the web server, normally by a system administrator, and can request, install and renew Let’s Encrypt TLS certificates for most web servers and web applications. Well-known servers such as Apache and Nginx are configured directly through dedicated plugins; other servers are supported through a generic mode that works with the majority of web applications.
If you run Apache or Nginx, the --apache or --nginx plugin automates the whole cycle: domain validation, certificate issuance, installation into the server configuration, and renewal.
If your web server has no plugin, the --webroot plugin gives you the same automated issuance and renewal: Certbot writes the HTTP-01 challenge file under the document root at .well-known/acme-challenge/ and the running server serves it. If you cannot write to the server’s document root, the alternative is the --standalone plugin, which starts Certbot’s own temporary web server on port 80 to answer the challenge; the real server must not be listening on that port while it runs.
Note: Let’s Encrypt issues short-lived certificates valid for 90 days, so you or the sysadmin must make sure renewal happens well within every three months. Most packaged Certbot installations set up automatic renewal (a cron job or systemd timer) out of the box; check before adding your own.
You can set up a scheduled task to automatically renew your certificates in the background by following these instructions:
Note: These instructions assume you run Certbot on the production box that serves the web application. The domain’s DNS must already point at that machine and port 80 must be reachable from the Internet, because the automated HTTP-01 validation depends on that setup.
- Install Certbot
- Install Cron if you don’t already have it
• Run the following line, which appends a job to /etc/crontab that runs certbot renew twice a day, delayed by a random offset of up to an hour so that renewals are spread out instead of hitting the CA at the same minute:
SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
- Obtain your first certificate
• The easiest case is a supported, popular web server such as Apache or Nginx: run certbot --apache or certbot --nginx and the plugin validates the domain, obtains the certificate, and installs it into the server configuration for you.
• If you’re running a web server without a plugin, use certbot certonly --webroot, point Certbot at the server’s document root with -w so it knows where to place the HTTP challenge file, and name every domain the certificate should cover with -d. Certbot writes the certificate and key as PEM files and knows nothing about your server’s expectations, so if the server needs another format (for example a PKCS#12 keystore) you have to convert them yourself.
Note: If you have to stop your web server for Certbot to run (the --standalone case), pass --pre-hook and --post-hook commands that stop and restart it automatically around each issuance and renewal.
- Install your certificate
Assuming your web server will be looking in /var/certificates, this is what you would do.
- Renew regularly:
• Remember that Let’s Encrypt certs are short-lived, so renewal has to happen at least every three months. The command is: certbot renew. The old certbot-auto wrapper (/usr/local/bin/certbot-auto) is deprecated and no longer maintained; install Certbot from your distribution’s package or the snap instead.
Note: certbot renew only renews certificates that are within 30 days of expiry and exits quietly when it is too early, so it is safe to run often: the cron job above tries twice a day and the actual renewal happens once the certificate is close enough to expiry. Do not rely on expiry warnings from the CA (Let’s Encrypt no longer sends expiration e-mails); monitor certificate expiry yourself, for example with ElevenGuard, so you are notified before a certificate lapses. Otherwise browsers will refuse the connection and your site becomes unreachable.
- Install the renewed certs
Don’t forget to install the certs after every renewal: Certbot updates the symlinks in /etc/letsencrypt/live/<domain>/ (the files themselves land in /etc/letsencrypt/archive/), but your web server won’t pick up the new certificate until you copy the files to where it expects them and reload it. Repeat the installation step each time a certificate is renewed. The cleanest way is to put those commands in a --deploy-hook, which Certbot stores in the renewal configuration and runs only when a certificate was actually renewed; a separate cron job that copies the files works too.
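Putting the steps above together for a server without a Certbot plugin, here is an added example script written for this article; it is not code from Certbot or Let’s Encrypt. It assumes hypothetical values: the domain example.com, the document root /var/www/html, the /var/certificates directory from the installation step, a service named mywebserver reloaded with systemctl, and an admin e-mail address; change these to match your host. The certbot command, the --webroot, --standalone, --pre-hook, --post-hook and --deploy-hook options, and the RENEWED_LINEAGE variable are real Certbot features.

```shell
#!/bin/sh
# Added example for this article, not code shipped by Certbot or Let's Encrypt.
# Obtain a certificate in webroot (or standalone) mode, copy it into the
# directory a plugin-less web server reads, reload the server, and make
# "certbot renew" repeat the copy through a --deploy-hook.
# Assumed values (illustrative, not from the article): DOMAIN, WEBROOT,
# CERT_DIR, RELOAD_CMD and ADMIN_EMAIL below.
set -eu

DOMAIN="${DOMAIN:-example.com}"
WEBROOT="${WEBROOT:-/var/www/html}"                      # directory served at http://DOMAIN/
CERT_DIR="${CERT_DIR:-/var/certificates}"                # where the web server looks for PEM files
RELOAD_CMD="${RELOAD_CMD:-systemctl reload mywebserver}" # hypothetical service name
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@example.com}"

# Copy fullchain.pem and privkey.pem from a Certbot lineage directory
# (e.g. /etc/letsencrypt/live/example.com) into $2. The key gets mode 0600,
# and each file is written to a temp name and renamed into place so the
# server never loads a half-written file. Returns 1 if $1 is not a usable
# lineage, and then leaves $2 untouched.
install_certs() {
    src="$1"; dst="$2"
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "install_certs: no fullchain.pem/privkey.pem in $src" >&2
        return 1
    fi
    mkdir -p "$dst"
    install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem.tmp"
    install -m 0600 "$src/privkey.pem"   "$dst/privkey.pem.tmp"
    mv -f "$dst/fullchain.pem.tmp" "$dst/fullchain.pem"
    mv -f "$dst/privkey.pem.tmp"   "$dst/privkey.pem"
}

# First issuance via the webroot plugin: Certbot writes the HTTP-01 challenge
# under $WEBROOT/.well-known/acme-challenge/, so DNS for $DOMAIN must already
# point at this machine and port 80 must reach it. The deploy hook is saved in
# the renewal config, so every later "certbot renew" reruns it.
obtain_cert_webroot() {
    certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
        --non-interactive --agree-tos -m "$ADMIN_EMAIL" \
        --deploy-hook "$(readlink -f "$0") deploy"
}

# Alternative when the server cannot serve the challenge: Certbot's own
# temporary listener on port 80, with hooks that stop and restart the
# server around each issuance and renewal.
obtain_cert_standalone() {
    certbot certonly --standalone -d "$DOMAIN" \
        --non-interactive --agree-tos -m "$ADMIN_EMAIL" \
        --pre-hook  "systemctl stop mywebserver" \
        --post-hook "systemctl start mywebserver" \
        --deploy-hook "$(readlink -f "$0") deploy"
}

# Certbot runs the deploy hook with RENEWED_LINEAGE set to the live/<domain>
# directory of the certificate it just obtained or renewed.
case "${1:-}" in
    webroot)    obtain_cert_webroot ;;
    standalone) obtain_cert_standalone ;;
    deploy)     install_certs "${RENEWED_LINEAGE:?set by certbot}" "$CERT_DIR"
                $RELOAD_CMD ;;
    "")         ;;  # run without a subcommand: only define the functions
    *)          echo "usage: $0 webroot|standalone|deploy" >&2; exit 2 ;;
esac
```

Run it once as ./le-cert.sh webroot (or standalone). From then on the cron line from the earlier step (certbot renew -q) renews the certificate when it is within 30 days of expiry and reruns the deploy subcommand itself, so the final step needs no separate cron job. install_certs refuses to touch the target directory unless both PEM files are present, so a failed or partial renewal never replaces a working certificate with a broken one.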