
Letsencrypt

Installing Letsencrypt

Letsencrypt certificates are obtained and renewed with the certbot client.

Package Manager

Letsencrypt might be available in your server's package manager. If so, this is the easiest way to install it.

Download the certbot-auto script

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Git clone

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Installing an SSL Certificate

certbot-auto certonly --standalone -d www.edmondscommerce.co.uk -d edmondscommerce.co.uk

Certbot will try to temporarily start its own web server to answer the domain validation challenge. If this isn't possible because the port is already in use, you can validate through an existing web root instead:

certbot-auto certonly --webroot --webroot-path=/path/to/web/root/ -d www.edmondscommerce.co.uk -d edmondscommerce.co.uk

The certificates are installed under /etc/letsencrypt/. The live directory holds symlinks that always point at the current versions in archive, so paths under live stay stable across renewals:

root@localhost tree /etc/letsencrypt/live/edmondscommerce.co.uk/
/etc/letsencrypt/live/edmondscommerce.co.uk/
├── cert.pem -> ../../archive/edmondscommerce.co.uk/cert10.pem
├── chain.pem -> ../../archive/edmondscommerce.co.uk/chain10.pem
├── fullchain.pem -> ../../archive/edmondscommerce.co.uk/fullchain10.pem
└── privkey.pem -> ../../archive/edmondscommerce.co.uk/privkey10.pem

You can then reference the live paths in your web server config (nginx shown here; use fullchain.pem, not cert.pem, so clients receive the intermediate certificate):

    ssl_certificate /etc/letsencrypt/live/edmondscommerce.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/edmondscommerce.co.uk/privkey.pem;

Auto Renewal

Create a letsencrypt-renew.bash file:

#!/usr/bin/env bash
# Resolve the directory this script lives in and work from there
readonly DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$DIR"
# Abort on any error, unset variable or failed pipeline stage
set -e
set -u
set -o pipefail
# Keep the original IFS so it can be restored if needed later
standardIFS="$IFS"
IFS=$'\n\t'
echo "
===========================================
$(hostname) $0 $*
===========================================
"
# Renew any certificate that is due, then reload nginx so it picks up the new files
/root/letsencrypt/certbot-auto renew && systemctl reload nginx

And run it from cron:

0 0 1 * * /var/www/vhosts/edmondscommerce.co.uk.git/shellscripts/letsencrypt-renew.bash > /tmp/renew.log 2>&1

Using Certbot

Auto renewing on Centos

To auto renew we should use the systemd timer that ships with the certbot package.

To start and enable the timer, run systemctl start certbot-renew.timer and systemctl enable certbot-renew.timer.

To list all the timers, use systemctl list-timers; you should see certbot-renew.timer in the list.
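Whether renewal runs from the cron job or the systemd timer, a job that silently fails is only noticed once the certificate has expired. The following script is an added example, not part of the original page: it reads the expiry date of every certificate under /etc/letsencrypt/live with openssl and exits non-zero when one is close to expiring, so it can be run from cron after the renew job. It assumes GNU date (-d) and the openssl CLI; LIVE_DIR and WARN_DAYS are assumed defaults, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: report how many days each
# certificate under /etc/letsencrypt/live has left and exit non-zero when one
# is within WARN_DAYS, so a silently failing renew job is caught early.
# Assumes GNU date (-d) and the openssl CLI; LIVE_DIR and WARN_DAYS are
# assumed defaults, not values from the page.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-20}"

# days_left NOTAFTER [NOW_EPOCH]: whole days from NOW_EPOCH (default: now)
# until the date in NOTAFTER, which is the line printed by
# `openssl x509 -enddate -noout`, e.g. "notAfter=Jun  1 12:00:00 2025 GMT".
# Negative once the certificate has expired.
days_left() {
    not_after="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    end="$(date -u -d "$not_after" +%s)"
    echo $(( (end - now) / 86400 ))
}

# cert_days_left PEMFILE: days until the first certificate in PEMFILE expires
cert_days_left() {
    days_left "$(openssl x509 -enddate -noout -in "$1")"
}

# check_live_dir DIR WARN: print one line per <DIR>/<domain>/fullchain.pem,
# return 1 if any certificate expires within WARN days
check_live_dir() {
    status=0
    for d in "$1"/*/; do
        [ -f "$d/fullchain.pem" ] || continue
        left="$(cert_days_left "$d/fullchain.pem")"
        if [ "$left" -le "$2" ]; then
            echo "WARNING: $(basename "$d") expires in $left days"
            status=1
        else
            echo "OK: $(basename "$d") expires in $left days"
        fi
    done
    return "$status"
}

# Run the check when LIVE_DIR exists (e.g. from cron, after the renew job)
if [ -d "$LIVE_DIR" ]; then
    check_live_dir "$LIVE_DIR" "$WARN_DAYS"
fi
```

A non-zero exit from cron is what makes the failure visible; pair it with cron's MAILTO or your monitoring so the warning line is actually read.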