Daily Archives: May 6, 2018

Adding lets encrypt certbot to your site

For fun today I installed certbot, formerly known as Let’s Encrypt, on one of my personal projects in order to get a free SSL cert for the site. It was pretty straightforward and worked very well! Below are notes and tips that may help your install.

My server is running Debian Linux with an nginx web server.

  1. Go to https://certbot.eff.org/ and enter your flavor of Linux and type of web server. If you’re unsure which distro/flavor of Linux you have, type “cat /etc/issue” on the command line.
  2. For my combination, the fully automated solution was not available. Their automated solution will prompt you for which sites on your server you want to install the certificate for, and then it will edit your nginx conf files for each site so the certificate is used. I haven’t tried this myself, but automated things like this make me wary, so I probably would have done the manual install anyway.
  3. The next step was to follow, as the root user, the instructions on https://certbot.eff.org/lets-encrypt/debianjessie-nginx. I won’t go through them in detail as it really is just following their instructions and the commands provided. I did add the Jessie backports as described at https://backports.debian.org/Instructions/. I used the webroot install approach.
  4. I initially had some trouble because one of my sites uses the Yii framework and I didn’t point the certbot certonly command at the webroot, but instead at the code root of the framework. The process creates a .well-known directory, and it must be inside the webroot so that Let’s Encrypt can fetch the challenge file from it and validate the domain. The .well-known directory will be empty and it’s OK to have it owned by the root user and group. A successful run of the certbot certonly command will result in a message like “Congratulations! Your certificate and chain have been saved…”
  5. The next thing is to configure your nginx conf file to use the new cert. Also don’t forget to change your conf file to listen on port 443 instead of port 80. (Newer nginx versions reject the old “ssl on;” directive; put “ssl” on the listen line instead, as below.)
    server {
    	listen 443 ssl;
    	server_name example.com;
    	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    }

    Then run “nginx -t” to check the config and restart nginx. You may also need to make application changes so the site uses an HTTPS domain, depending on the framework or type of application you have.

  6. The last thing to know is that the certbot certonly command will create a cron job for you at /etc/cron.d/certbot with the below contents, which tries to auto-renew twice per day. Note the “\! -d /run/systemd/system” test: on a host running systemd the cron job does nothing, and the package’s certbot.timer systemd unit handles renewal instead, so check whichever one applies to your server.
    0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
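The one thing the snippet in step 5 leaves out is that the webroot approach needs port 80 to stay reachable, otherwise the renewal job in step 6 cannot be validated. Below is an added example of a complete pair of server blocks (my own illustration, not the author’s config) that keeps the challenge path on HTTP, redirects everything else to HTTPS, and serves the site with the Let’s Encrypt cert; it assumes the domain example.com and a document root of /var/www/example.com, so adjust both.

```nginx
# Added example, not the author's config. Assumes example.com with its
# document root (the directory given to certbot's --webroot-path) at
# /var/www/example.com.

# Port 80 stays open only for the ACME challenge files that certbot writes
# under <webroot>/.well-known/acme-challenge/ at issue and renewal time.
# Every other HTTP request is sent to HTTPS.
server {
    listen 80;
    server_name example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/example.com;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;          # "ssl on;" is deprecated; declare it on listen
    server_name example.com;
    root /var/www/example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Drop SSLv3/TLS 1.0/1.1. Add TLSv1.3 here only on nginx 1.13+ built
    # against OpenSSL 1.1.1; older builds reject the value at "nginx -t".
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Once a browser has seen the site over TLS, keep it on HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading nginx, “certbot renew --dry-run” confirms that the challenge path is still reachable and that the cron job (or systemd timer) will be able to renew unattended.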