Table of Contents
Ubuntu - Certificates - Let's Encrypt Certificates
Create and Update a LetsEncrypt SSL Certificate with CertBot
Install the Let's Encrypt client, certbot:
sudo apt-get install letsencrypt
If you already have a webserver running, it is recommended choosing the “webroot” plugin.
sudo letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
- This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.
NOTE: Historically LetsEncrypt did not issue wildcard certificates by design, so you probably want to get a cert for www.example.com and example.com.
But recent changes allow this, such as:
certbot certonly --cert-name *.sharewiz.net -d sharewiz.net,www.sharewiz.net,wiki.sharewiz.net
NOTE: To use the webroot plugin, your server must be configured to serve files from hidden directories.
If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
NOTE: To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:
letsencrypt certonly --standalone -d example.com -d www.example.com
NOTE: The Let's Encrypt client creates a temporary file in webroot-path/.well-known/acme-challenge/ containing the token used by the Let's Encrypt server to verify that you own the domain you are attempting to get a free ssl certificate for.
Config Files
The file /etc/letsencrypt/configs/my-domain.conf, where my‑domain is your fully qualified domain name (for example, www.example.com)
- /etc/letsencrypt/configs/my-domain.conf
# the domain we want to get the cert for; # technically it's possible to have multiple of this lines, but it only worked # with one domain for me, another one only got one cert, so I would recommend # separate config files per domain. domains = my-domain #domains = www.example.com,example.com,www.test.com,test.com # increase key size rsa-key-size = 4096 # the current closed beta (as of 2015-Nov-07) is using this server server = https://acme-v01.api.letsencrypt.org/directory # this address will receive renewal reminders email = my-email # turn off the ncurses UI, we want this to be run as a cronjob text = True # authenticate by placing a file in the webroot (under .well-known/acme-challenge/) # and then letting LE fetch it authenticator = webroot webroot-path = /var/www/example/
NOTE: For multiple domains do not include a space after the comma:
domains = www.example.com,example.com,www.example2.com,example2.com
Generate your first cert
To generate your first cert, open a shell and execute the letsencrypt-auto script
# cd /root/letsencrypt # ./letsencrypt-auto --config /etc/letsencrypt/configs/example.com.conf certonly Updating letsencrypt and virtual environment dependencies....... Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert will expire on 2016-02-05. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
NOTE: The certonly command: we only want to issue certificates and don't want the client to fiddle with our nginx config.
NginX config
Update your nginx sites to use the new certificate and private key:
- /etc/nginx/sites-available/example.com
server { ... ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem; ... }
Also add following lines in your nginx config:
- /etc/nginx/sites-enabled/default
# location ~ /.well-known { # allow all; # } # location /.well-known/acme-challenge { # root /var/www/example; # } location ~ /\.well-known\/acme-challenge { allow all; }
otherwise it will response an unauthorized error.
Permissions
We need a user www-data to be able to run the Python script letsencrypt-auto.
Restart Nginx
Verify the configuration file is syntactically valid and restart NGINX:
sudo nginx -t && sudo nginx -s reload
Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.
Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature.
You can test automatic renewal for your certificates by running this command:
letsencrypt renew --dry-run
or Monthly cron job in /etc/cron.monthly:
#!/bin/sh # create new certs cd /root/letsencrypt for conf in $(ls /etc/letsencrypt/configs/*.conf); do # ./letsencrypt-auto --renew --config "$conf" certonly ./letsencrypt-auto --renew-by-default --config "$conf" certonly done <WRAP todo> **TODO:** Check if letsencrypt-auto is now certbot-auto. </WRAP> # make sure nginx picks them up service nginx restart
or
#!/bin/sh cd /opt/letsencrypt/ #./certbot-auto --config /etc/letsencrypt/configs/my-domain.conf certonly ./certbot-auto --non-interactive --keep-until-expiring --agree-tos --quiet --config /etc/letsencrypt/configs/my-domain.conf certonly if [ $? -ne 0 ] then ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log` echo -e "The Let's Encrypt cert has not been renewed! \n \n" \ $ERRORLOG else nginx -s reload fi exit 0
TODO: if you want to make your crontab to work you need to agree by default, add these lines to your my-domain.conf
renew-by-default agree-dev-preview agree-tos
Create /var/log/letsencrypt/ if it doesn’t exist.
And now I get new certs on the first of every month.
To test your cron monthly script you can use (as root):
run-parts -v /etc/cron.monthly
Add or remove addition domains to a certificate
certbot certonly --cert-name drdizzy.com -d drdizzy.com,www.drdizzy.com
IMPORTANT: A DNS entry must exist for the entries so ensure this is added.
Add all sub-domains to a certificate
certbot certonly --cert-name *.sharewiz.net -d sharewiz.net,www.sharewiz.net,wiki.sharewiz.net
IMPORTANT: A DNS entry must exist for the * so ensure this is added.
To Renew manually
letsencrypt certonly --webroot -w /var/www/peterroux.com -d peterroux.com -d www.peterroux.com