
Let's Encrypt (using certbot)

Let's Encrypt is a free, automated, and open Certificate Authority. Its goal is to get every website on the internet served over HTTPS (HTTP over TLS, still often called SSL). A page sent over HTTPS is encrypted, cannot be modified in transit without the browser noticing, and comes from a server that proved control of the domain name, so the receiver gets the content the site operator intended. There are other benefits of using HTTPS which you can read about here.

The purpose of this page is to explain how to get a site served over HTTPS using Let's Encrypt and certbot.

Let's Encrypt vs Certbot (understanding the difference)

Let's Encrypt is the Certificate Authority (CA). A CA issues the digital certificates that browsers trust. Let's Encrypt issues domain-validated certificates: the certificate asserts that whoever requested it proved control of the domain name at issuance time, not who that person or organisation is. You can read more about CAs here.

Certbot is the ACME client that talks to Let's Encrypt: it proves control of your domains, requests the certificate, installs it into the web server and renews it later. The CA issues the certificate; certbot only requests it.

Setup HTTPS on your web server

Prerequisites

This tutorial assumes the following:

  • Apache web server
  • Ubuntu 14.04 (Trusty)
  • You already have an existing website/webpage hosted on Apache.

Certbot

Automated

The automated approach involves going to the official certbot website, where you can find all the information you need. The website is: https://certbot.eff.org. From there you select your web server and your operating system and are directed to a new page. For our example we would select Apache and Ubuntu 14.04, which redirects to this page: https://certbot.eff.org/#ubuntutrusty-apache.

Follow the instructions on that page.

Manual

The first step is to obtain certbot so that it can request the certificates. Parts of this tutorial are drawn from this Digital Ocean tutorial; refer to it if any step needs more detail.

First, change to /usr/local/sbin. This directory is on the default PATH (and on sudo's secure_path), so certbot-auto placed here can be run from any working directory.

cd /usr/local/sbin

Once there, download the certbot-auto script. EFF also publishes a detached PGP signature for it at https://dl.eff.org/certbot-auto.asc; verify the download with gpg before running the script, because it runs as root and, on every invocation, checks for and downloads a newer version of itself. (certbot-auto has since been deprecated by EFF in favour of distribution packages and the snap; the steps here are kept as the page originally described them.)

sudo wget https://dl.eff.org/certbot-auto

Make the script executable:

sudo chmod a+x /usr/local/sbin/certbot-auto

Create certificate

Now that we have certbot, we can ask it to obtain a certificate for our website, or for several sites at once: one certificate can list up to 100 names (Let's Encrypt's per-certificate limit), and they do not have to share a parent domain as long as they all point at this server.

For a site with one or more names, run:

certbot-auto --apache -d example.com -d www.example.com

:!: Each name must be publicly resolvable in DNS and point at this server. Let's Encrypt validates control of each name by connecting to the server from the internet, so a name that only resolves internally, or a firewall that blocks inbound HTTP/HTTPS, makes issuance fail. :!:

Replace example.com with your actual domain name and/or subdomains that you would like to include in the certificate.

Once you run this command, certbot will take you through a series of questions that you will need to answer regarding your site. Select what you deem appropriate for your site/s.

After you have answered the questions you will notice that certbot's apache plugin has written new HTTPS virtual host files, named after your existing site files with a -le-ssl.conf suffix, into

/etc/apache2/sites-available

You can now test your certificate by navigating to your website via HTTPS (e.g. https://example.com). In addition, you can run the SSL Labs test, which also reports chain problems and weak protocol settings the browser padlock does not show:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

Replace example.com with your actual domain.
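The browser padlock and the SSL Labs page check the site from the outside; the script below checks the issued files on the server itself. It is an added example, not part of the tutorial or of certbot: it confirms that every name passed to certbot is in the certificate's subjectAltName list, that the chain verifies against the system trust store, and prints the expiry date. It assumes (as the tutorial does) that certbot named the lineage directory under /etc/letsencrypt/live/ after the first -d domain, and that it is saved as check-cert.sh and run as root.

```shell
#!/bin/sh
# Added example, not from the tutorial or from certbot: check what was
# actually issued before trusting the browser padlock. Run as root on the
# server after "certbot-auto --apache -d example.com -d www.example.com":
#   sh check-cert.sh example.com www.example.com
# Assumptions (not stated on the page): the lineage directory under
# /etc/letsencrypt/live/ is named after the first -d domain, which is
# certbot's default, and openssl can see the system CA store.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}

# Print the DNS names from a certificate's subjectAltName extension, one per
# line. Reads the text dump of the certificate (openssl x509 -text) on stdin.
san_dns_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Return 0 if every name given as an argument is in the SAN list read on
# stdin; otherwise report each missing name on stderr and return 1. A name
# missing here is served with a certificate browsers will reject for it.
san_covers() {
    names=$(san_dns_names)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$want"; then
            echo "MISSING from certificate: $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

main() {
    live=$LIVE_DIR/$1
    cert=$live/cert.pem
    [ -r "$cert" ] || { echo "no certificate at $cert" >&2; exit 2; }

    # 1. Every requested name must appear in the SAN list.
    openssl x509 -in "$cert" -noout -text | san_covers "$@" || exit 1

    # 2. The chain Apache hands out must verify against the system CA store;
    #    a missing or wrong intermediate is the usual cause of a padlock that
    #    works on one machine and fails on another.
    openssl verify -untrusted "$live/chain.pem" "$cert" || exit 1

    # 3. Let's Encrypt certificates last 90 days; print the date so the
    #    renewal deadline is known.
    openssl x509 -in "$cert" -noout -enddate
}

# Only run when invoked under the installed name, so the functions above can
# also be sourced from other scripts.
case "$0" in
    *check-cert.sh)
        [ "$#" -gt 0 ] || { echo "usage: $0 first-domain [other-domain ...]" >&2; exit 2; }
        main "$@" ;;
esac
```

Pass the names in the same order as to certbot; the first one selects the lineage directory, the rest are only checked against the SAN list.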

Automatically renew your SSL certificates

After setting up your certificates with certbot you may have noticed that each certificate is valid for only 90 days. This section covers how to renew them automatically so that HTTPS access to the site is never interrupted.

The command used to renew certificates with certbot is as follows:

certbot-auto renew

You can run this manually at any time; renew only replaces certificates that are within 30 days of expiry, so running it often is harmless. We would rather automate it so that we do not have to worry about certificates expiring and presenting an error to the users of our site.

To do this automated process we will be setting up a cron job.

Let's open the crontab for editing by running:

sudo crontab -e

Navigate to the bottom of the file and add the following:

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log

Save and exit the file. Every Monday at 02:30 root's cron now runs renew, which renews any certificate within 30 days of expiry. Two caveats: only standard output is appended to the log, errors go to stderr and cron mails them to root, so make sure that mail is read somewhere; and certbot's own recommendation is to run renew twice a day, a weekly run works because of the 30-day window but leaves only four attempts before expiry. Certificates obtained with --apache are reinstalled and Apache is reloaded by the renew run; certificates obtained with certonly are only written to /etc/letsencrypt/live/, and Apache keeps serving the old one until it is reloaded (certbot's --post-hook option can run the reload command for you).
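A cron job that appends to a log does not tell you when renewal has quietly stopped working (revoked account, DNS moved, firewall change), and you find out when the certificate expires. The script below is an added example, not part of the tutorial or of certbot: run from a second cron line, it walks every lineage under /etc/letsencrypt/live/ and exits non-zero, so cron mails root, when any certificate has fewer than THRESHOLD_DAYS left. The threshold of 21 days is an assumption: renew should have replaced the certificate at 30 days, so 21 means the weekly job above has already missed once. The live directory path and the script name le-check.sh are also assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of certbot: an independent check
# that every certificate under /etc/letsencrypt/live/ still has enough
# lifetime left, for when "certbot-auto renew" fails quietly. Install as
# /usr/local/sbin/le-check.sh and run it from root's crontab, for example:
#   0 8 * * * /usr/local/sbin/le-check.sh
# cron mails root whenever it exits non-zero. The paths and the 21-day
# threshold are assumptions, not values from the page.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
THRESHOLD_DAYS=${THRESHOLD_DAYS:-21}   # renew acts at <30 days; 21 means it already missed a week

# Return 0 if the certificate file $1 expires within $2 days.
# openssl's -checkend takes seconds and exits non-zero when the certificate
# will have expired by then, which is exactly the case we want to flag.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 24 * 3600 )) >/dev/null
}

# Print "<lineage> notAfter=<date>" for every lineage in directory $1 whose
# cert.pem expires within $2 days. Lineages are the per-certificate
# subdirectories certbot creates under live/.
lineages_expiring_within() {
    dir=$1; days=$2
    for cert in "$dir"/*/cert.pem; do
        [ -r "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if expires_within_days "$cert" "$days"; then
            printf '%s %s\n' "$name" "$(openssl x509 -in "$cert" -noout -enddate)"
        fi
    done
}

main() {
    found=$(lineages_expiring_within "$LIVE_DIR" "$THRESHOLD_DAYS")
    if [ -n "$found" ]; then
        echo "certificates expiring within $THRESHOLD_DAYS days, renewal is not working:" >&2
        echo "$found" >&2
        exit 1
    fi
    echo "all certificates in $LIVE_DIR valid for more than $THRESHOLD_DAYS days"
}

# Only run when invoked under the installed name, so the functions above can
# also be sourced from other scripts.
case "$0" in
    *le-check.sh) main ;;
esac
```

Run it at a different hour from the renew job, so that a renewal that succeeds at 02:30 is already reflected when the check runs.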

Expanding your domains on the certificate

Let's say that you have your certificate, and some time later you add a new subdomain to your web server. We now need to expand the certificate to include the new subdomain. To do this we run the following (certonly only obtains the certificate; unlike the --apache run above it does not touch the Apache configuration, which is why the virtual host for the new name has to be written by hand, see below):

certbot-auto certonly --expand -d example.com,www.example.com,new.example.com

:!: Keep the original first domain first. certbot names the certificate directory under /etc/letsencrypt/live/ after it, so the expanded certificate replaces the existing one in place and the Apache configs that already point at that directory keep working. Newer certbot versions also accept --cert-name example.com to make the target explicit. :!:

Once again, certbot will ask a series of questions; answer them as appropriate for your site/s.

Once this is completed you will notice that no HTTPS virtual host has been created for the new subdomain in

/etc/apache2/sites-available

You will need to create this yourself. To do so, follow the conventions used by the existing le sites (le is let's encrypt): each site configured by the earlier --apache run has a <site>-le-ssl.conf counterpart in that folder, whose SSLCertificateFile and SSLCertificateKeyFile lines point at /etc/letsencrypt/live/<first domain>/. Copy one for the new name, enable it, test the configuration and reload Apache.
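The virtual host the previous paragraph asks you to write by hand, generated by a small script. This is an added example and not certbot's own output or code from the tutorial; it follows the <site>-le-ssl.conf naming of the files the apache plugin writes. Its assumptions, none of which come from the page: Apache 2.4.7 as shipped with Ubuntu 14.04, which predates pointing SSLCertificateFile at fullchain.pem, so leaf and intermediate chain are configured separately; the site directory /etc/apache2/sites-available; the lineage named after the first domain of the certificate, as in the tutorial; and the script saved as new-ssl-vhost.sh.

```shell
#!/bin/sh
# Added example, not from the tutorial or from certbot: generate the HTTPS
# virtual host for a name added with "certonly --expand", following the
# <site>-le-ssl.conf convention of the files certbot's apache plugin writes.
# Usage, as root:  sh new-ssl-vhost.sh new.example.com example.com /var/www/new
# Assumptions (not from the page): Apache 2.4.7 on Ubuntu 14.04, site
# directory /etc/apache2/sites-available, lineage named after the
# certificate's first domain.

# write_ssl_vhost SITES_DIR HOSTNAME LINEAGE DOCROOT
# Writes SITES_DIR/HOSTNAME-le-ssl.conf and prints its path.
write_ssl_vhost() {
    sites_dir=$1; host=$2; lineage=$3; docroot=$4
    live=/etc/letsencrypt/live/$lineage
    conf=$sites_dir/$host-le-ssl.conf
    cat > "$conf" <<EOF
# Generated for $host; certificate lineage $lineage
<VirtualHost *:80>
    ServerName $host
    # Plain HTTP only redirects; content is served over TLS below.
    Redirect permanent / https://$host/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $docroot

    SSLEngine on
    # Leaf certificate and private key from certbot's live/ directory. These
    # are symlinks that renewal updates; never copy them elsewhere.
    SSLCertificateFile $live/cert.pem
    SSLCertificateKeyFile $live/privkey.pem
    # Intermediate chain, required on Apache < 2.4.8. On 2.4.8+ you can
    # instead point SSLCertificateFile at $live/fullchain.pem and drop this.
    SSLCertificateChainFile $live/chain.pem
    SSLProtocol all -SSLv2 -SSLv3

    ErrorLog \${APACHE_LOG_DIR}/$host-error.log
    CustomLog \${APACHE_LOG_DIR}/$host-access.log combined
</VirtualHost>
</IfModule>
EOF
    echo "$conf"
}

main() {
    conf=$(write_ssl_vhost /etc/apache2/sites-available "$1" "$2" "$3")
    a2ensite "$(basename "$conf" .conf)"
    # Refuse to reload on a broken config; a typo here takes the whole server down.
    apache2ctl configtest && service apache2 reload
}

# Only run when invoked under the installed name, so write_ssl_vhost can also
# be sourced from other scripts.
case "$0" in
    *new-ssl-vhost.sh)
        [ "$#" -eq 3 ] || { echo "usage: $0 hostname lineage docroot" >&2; exit 2; }
        main "$@" ;;
esac
```

Because the new vhost reuses the expanded certificate, the lineage argument is the first domain of the original certificate (example.com), not the new subdomain.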


external source for expanding the certificates

tutorials/letsencrypt-certbot.txt · Last modified: 2017/04/05 12:34 by admin