Letsencrypt

Installing Letsencrypt

Letsencrypt provides the certbot library to manage its SSL certificates.

Package Manager

Letsencrypt might be available in your server's package manager. If so, this is the easiest means of installing it.

Download the binary

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Git clone

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Installing an SSL Certificate

certbot-auto certonly --standalone -d www.edmondscommerce.co.uk -d edmondscommerce.co.uk

Certbot will try to temporarily set up a web server to authenticate itself. If this isn't possible because the port is in use, you can use an existing web root:

certbot-auto certonly --webroot --webroot-path=/path/to/web/root/

The certificates are installed in /etc/letsencrypt/ thusly:

root@localhost tree /etc/letsencrypt/live/edmondscommerce.co.uk/
/etc/letsencrypt/live/edmondscommerce.co.uk/
├── cert.pem -> ../../archive/edmondscommerce.co.uk/cert10.pem
├── chain.pem -> ../../archive/edmondscommerce.co.uk/chain10.pem
├── fullchain.pem -> ../../archive/edmondscommerce.co.uk/fullchain10.pem
└── privkey.pem -> ../../archive/edmondscommerce.co.uk/privkey10.pem

You can then use these in your web server config:

    ssl_certificate /etc/letsencrypt/live/edmondscommerce.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/edmondscommerce.co.uk/privkey.pem;

Auto Renewal

Create a letsencrypt-renew.bash file:

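#!/usr/bin/env bash
# Resolve the directory this script lives in and work from there
readonly DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$DIR"
# Abort on errors, unset variables and failed pipeline stages
set -e
set -u
set -o pipefail
standardIFS="$IFS"
IFS=$'\n\t'
# Banner so each run is identifiable in the log
echo "
===========================================
$(hostname) $0 $@
===========================================
"
# Reload nginx only if the renewal run succeeded
/root/letsencrypt/certbot-auto renew && systemctl reload nginx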

And run it from cron:

0 0 1 * * /var/www/vhosts/edmondscommerce.co.uk.git/shellscripts/updateLetsEncrypt.bash > /tmp/renew.log
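
The cron entry above only writes to /tmp/renew.log, so a failed renewal is easy to miss. The check below is an added example, not part of the original page or of certbot; the function name check_live_dir, the script name check-live.bash, the return codes and the 20-day default are assumptions made for illustration, and it needs the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): sanity-check a certbot live
# directory after a renewal run. Return codes are this example's own choice:
#   0 = ok, 1 = file missing/unreadable, 2 = key/cert mismatch, 3 = expiring soon
check_live_dir() {
    local live_dir min_days name cert_pub key_pub
    live_dir="$1"
    min_days="${2:-20}"   # assumed threshold; pick one that suits your cron schedule

    # 1. Each symlink from the tree listing must resolve to a readable file
    #    (a dangling link into ../../archive fails this test).
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -r "$live_dir/$name" ]; then
            echo "MISSING: $live_dir/$name" >&2
            return 1
        fi
    done

    # 2. privkey.pem must be the key for the leaf certificate, which is the
    #    first certificate in fullchain.pem. Compare the public halves.
    cert_pub="$(openssl x509 -in "$live_dir/fullchain.pem" -noout -pubkey)" || return 1
    key_pub="$(openssl pkey -in "$live_dir/privkey.pem" -pubout)" || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: privkey.pem does not match fullchain.pem" >&2
        return 2
    fi

    # 3. -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$live_dir/fullchain.pem" -noout \
            -checkend "$(( min_days * 86400 ))" >/dev/null; then
        echo "EXPIRING: less than $min_days days left on $live_dir/fullchain.pem" >&2
        return 3
    fi
    return 0
}

# Run directly: ./check-live.bash /etc/letsencrypt/live/edmondscommerce.co.uk 20
[ "$#" -eq 0 ] || check_live_dir "$@"
```

Running it from a separate, more frequent cron entry and alerting on a non-zero exit status gives a signal that does not depend on anyone reading the renewal log.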