The default certbot certonly –standalone is quite useful for a quick start to run a standalone server and get the SSL certificate. But nowadays everyone is running their own server. Which would cause the issue of binding port 80 fail. In order to fix this would be using –webroot instead.
Firstly, create a new folder for nginx to serve static file
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
Secondly, in each server config that you want to have SSL add the followings, E.g. inside abcd.com.conf into the server listen 80 block.
location ^~ /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}
It tells nginx when matching path /.well-known/acme-challenge/, go to /var/www/letsencrypt/.well-known/acme-challenge/ to find the file.
Thirdly, run nginx reload
and
certbot certonly --webroot --webroot-path /var/www/letsencrypt/ --agree-tos -m [email protected] -d yourdomain
Letsencrypt will put a text file inside /var/www/letsencrypt/.well-known/acme-challenge and fire a get request to achieve it in order to finish the justification. You can tail the nginx log to see the requests to debug.
Fourthly, you add the listen 443 block into your domain’s nginx config file
listen 443;
server_name asdf.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/asdf.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/asdf.com/privkey.pem;
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECD;
Lastly, create a cron job task file asdf.com.renew in /etc/cron.d/
@monthly root /bin/bash -c "/usr/bin/letsencrypt certonly --webroot -w /var/www/letsencrypt -d asdf.com"
Hope that helps!
Auto-renewing Let’s Encrypt SSL certificate
Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, the certbot package creates a cronjob and a systemd timer. The timer will automatically renew the certificates 30 days before its expiration.
When the certificate is renewed, the nginx service needs to be reloaded. Open the /etc/letsencrypt/cli.ini
and add the following line:
sudo nano /etc/letsencrypt/cli.ini
deploy-hook = systemctl reload nginx
To test the renewal process, run the certbot --dry-run
command:
sudo certbot renew --dry-run
If there are no errors, it means that the renewal process was successful.
Now, Let’s Encrypt’s certificates are valid for 90 days… You’ll want to setup a crob job to automate the renewal process… To do that, open crontab and add the entry below:
sudo crontab -e
Then add the line below and save…
0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log
Save and you’re done!
How to update certbot to latest version on Ubuntu
Lets Encrypt has announced that, “Beginning June 1, 2020, we will stop allowing new domains to validate using the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before then, or certificate issuance will fail. For most people, simply upgrading to the latest version of your existing client will suffice. You can view the client list at: https://letsencrypt.org/docs/client-options/ “
This article explains how to update certbot to latest version (0.31 at the time of writing this) on Ubuntu 16.04LTS.
If you are on non LTS version such as 17.10 these steps will not work. You have to either update your OS or find another client that complies.
My test machine is Ubuntu 16.04 LTS and runs Apache with certbot 0.21. You can check OS and certbot by following commands.
$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.3 LTS Release: 16.04 Codename: xenial $ certbot --version certbot 0.21.0
Now we need a higher version certbot that supports ACMEv2. Certbot can be updated as follows:
-
Step 1) Run apt-get update
$ sudo apt-get update Hit:1 http://europe-west1.gce.archive.ubuntu.com/ubuntu xenial InRelease --------------------------------------------- Fetched 349 kB in 0s (593 kB/s) Reading package lists... Done
-
Step 2) Upgrade latest version of certbot
$ sudo apt-get install --only-upgrade certbot This will upgrade only certbot package, and only if it is installed $ sudo apt-get install --only-upgrade certbot Reading package lists... Done Building dependency tree Reading state information... Done .......................................................................... Setting up python-certbot-apache (0.31.0-1+ubuntu16.04.1+certbot+1) ... Setting up python3-icu (1.9.2-2build1) ...
-
Step 3) Verify new Certbot Version
$ certbot --version certbot 0.31.0 As you can see we are now at 0.31 whicch supports ACMEv2. However we need to do a trail run to verify that it is able to use ACMEv2
-
Step 4) Do a Dry Run
$ sudo certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log ......................................................... Cleaning up challenges
-
Step 5) Double check debug log to verify ACME server. You need to be logged in as root user to view letsencrypt logs.
$ sudo su - # cd /var/log/letsencrypt/ #sudo vi letsencrypt.log
If you search for “v02”, you will be able to see entries for https://acme-staging-v02.api.letsencrypt.org/directory
DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Note that if you see only acme-staging-v01 then this means that the update has not worked as expected. If the update is successful, you will see requests to https://acme-staging-v02.api.letsencrypt.org/directory
Sometimes certbot upgrade may fail as below:
$ sudo apt-get install --only-upgrade certbot Reading package lists... Done Building dependency tree Reading state information... Done You might want to run 'apt-get -f install' to correct these:
If this happens you just need to run the following command.
$ sudo apt-get -f install
automatic renew
go to crontab:
crontab -e
then add the next:
#auto renew ssl 0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log
or0 1 * * * /usr/bin/certbot renew --renew-hook "nginx -s reload" -q >> /var/log/letsencrypt/renew.log
or add setting into letsencrypt file: /etc/letsencrypt/cli.ini
deploy-hook = systemctl reload nginx
Remove ssl from letsencrypt
sudo rm -rf /etc/letsencrypt/{live,renewal,archive}/{youdomain.com,yourdomain.com.conf}
issue: new certbot require python 3
First of all, you have to upgrade python to version 3: apt update && apt install --only-upgrade python3-acme
If you have multiple version of python in your system. You just need to update the symbolic link of python inside /usr/bin/
root@irshad:/usr/bin# ls -lrth python*
lrwxrwxrwx 1 root root 9 Apr 16 2018 python -> python2.7
-rwxr-xr-x 1 root root 3.6M Nov 12 2018 python2.7
-rwxr-xr-x 2 root root 4.4M May 7 14:58 python3.6
In above example if you see the output of python --version
you will get python2.7
Now update the python symlink using below command-
root@irshad:/usr/bin# unlink python
root@irshad:/usr/bin# ln -s /usr/bin/python3.6 python
root@irshad:/usr/bin# python --version
Python 3.6.8
finally, for renewal, just run:
certbot certonly --webroot --webroot-path /var/www/letsencrypt/ --agree-tos -m [email protected] -d yourdomain.com