Setting Up an SSL Certificate With Certbot

Vince Iarusci | DevOps, Learning

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.

Webserver

To enable HTTPS on your website, you'll first need to look up which web server and OS your server is running.

To look up the OS version, run the following command:

root@server:~# cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Install

To get the instructions on installing the HTTPS certificates, go to the Certbot site (https://certbot.eff.org/) and select the web server and OS for the required certificate.  In our case, we are using the Apache web server on the Debian OS.

Download Certbot

Run the following commands on your server to download an up-to-date copy of the Certbot software and make it executable:

root@server:~# wget https://dl.eff.org/certbot-auto
root@server:~# chmod a+x certbot-auto

Auto Install of Certificate with Apache Configuration

Certbot has an Apache plugin and automates certificate installation. Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it.  Use this approach if you are doing a fresh install on a new server with one domain.

root@server:~# sudo ./path/to/certbot-auto --apache

Follow the instructions on the screen.  Enter the domain names for your site as follows:

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): 
www.yoursite.com, yoursite.com

Auto Install of Certificate Only (Manual Apache Configuration Needed)

Install the Certificate

Running this command will get a certificate for you but will not configure Apache. When using the certonly option, Apache must be configured manually for each of the website domains. An example would be installing new websites on a server that already has other websites with SSL certificates installed.

root@server:~# sudo ./path/to/certbot-auto --apache certonly

Follow the instructions on the screen.  Enter the info as follows when prompted for the domain names:

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): 
www.yoursite.com, yoursite.com

Configure Apache

Download a copy of the yoursite-ssl.conf file here and open it with a text editor.  Replace all instances of <yoursite> with your site's domain name.

The conf file for yoursite then needs to be added to the following locations:

/etc/apache2/sites-available
/etc/apache2/sites-enabled

Use the scp command or an FTP client like FileZilla to upload the conf file to those locations.

Automating the Certificate Renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature.

Create a new folder for the cert renewal script.

root@server:~# cd /srv
root@server:~# mkdir cert_renewal

Add the following code to a new file and save it as cert_renewal.sh.  Save it into the /srv/cert_renewal folder on the server.

#!/bin/bash
# Runs the renewal check for the Certbot Let's Encrypt SSL certs.
# Expects certbot-auto copied into /srv/cert_renewal and this script made
# executable (chmod +x). Certs obtained with "certonly" are not reloaded
# into Apache on renewal; add --post-hook "service apache2 reload" for those.
set -e
cd /srv/cert_renewal
./certbot-auto renew

Configure the Cron Task

root@server:~# crontab -e

Configure the file so that it looks like the following…

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  *  command to be executed (a per-user crontab has no user-name field)
# run Certbot Renewal (daily at 2:00am; minute must be 0, not *, or the job runs every minute of that hour)
0  2  *  *  *  /srv/cert_renewal/cert_renewal.sh

The cron entry above schedules cert_renewal.sh to run once each day at 2:00am.
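Scheduling the renewal is only half the job; you also want to know when it silently stops working. The script below is an added example, not part of the original post or of Certbot itself: it reads the expiry date out of a certificate with openssl and warns when fewer days remain than Certbot's renewal window should ever allow. It assumes GNU date and Certbot's default path /etc/letsencrypt/live/<yoursite>/cert.pem for the live certificate; the self-signed certs it generates are constructed sample input only.

```shell
#!/bin/bash
# Added example, not part of the original post: check that the cron-driven
# renewal is keeping a Let's Encrypt certificate fresh. Point it at
# /etc/letsencrypt/live/<yoursite>/cert.pem (path assumed from certbot's
# default layout) after the 2:00am job has run, or schedule it from cron
# and let MAILTO deliver the warning.
set -u

# Print the whole days left before the PEM certificate in $1 expires.
# Returns 2 if the file cannot be parsed as a certificate.
days_until_expiry() {
    local cert="$1" not_after exp_epoch now_epoch
    not_after=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || return 2
    not_after=${not_after#notAfter=}              # e.g. "Jun 10 12:34:56 2025 GMT"
    exp_epoch=$(date -u -d "$not_after" +%s) || return 2   # GNU date assumed
    now_epoch=$(date -u +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# Return 0 when more than $2 days remain (default 30: certbot renew should
# already have replaced the cert by then), 1 when renewal looks stalled,
# 2 when the cert cannot be read at all.
check_cert() {
    local cert="$1" threshold="${2:-30}" left
    left=$(days_until_expiry "$cert") || { echo "ERROR: cannot read $cert" >&2; return 2; }
    if [ "$left" -gt "$threshold" ]; then
        echo "OK: $cert expires in $left days"
        return 0
    fi
    echo "WARNING: $cert expires in $left days; check /var/log/letsencrypt" >&2
    return 1
}

# Constructed sample input: a throwaway self-signed cert valid for $2 days,
# so the check can be exercised without touching /etc/letsencrypt.
make_sample_cert() {
    local out="$1" days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=yoursite.com" \
        -keyout "${out%.pem}.key" -out "$out" 2>/dev/null
}

# Demo: one cert inside the renewal window, one well outside it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/stale.pem" 5
    make_sample_cert "$tmp/fresh.pem" 80
    check_cert "$tmp/stale.pem"   # WARNING, exit status 1
    check_cert "$tmp/fresh.pem"   # OK, exit status 0
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see both outcomes; in production, a non-zero exit from the cron job, combined with MAILTO=root, is enough to get the warning into root's mailbox.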

Additional documentation – Configuring Cron Tasks

Let’s Encrypt Logs

You will find the log that records the renewal events in the /var/log/letsencrypt directory.  Here is a screenshot…
