
Certbot


What

Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

Why

Although HTTPS is not a hard requirement in localhost/lab environments, it is a must in production. Besides, it is always a good idea to centralize certificates at your entry point: in our case, the nginx reverse proxy.

How

Install certbot on your server with your distribution's package manager (the command below uses pacman):

sudo pacman -S certbot certbot-nginx

Generate a certificate:

sudo certbot certonly --nginx

The following message will be displayed:

IMPORTANT INFORMATION ABOUT CERTBOT CERTIFICATES MAINTENANCE

  • Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live//fullchain.pem Your key file has been saved at: /etc/letsencrypt/live//privkey.pem Your cert will expire on 2020-07-08. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the “certonly” option. To non-interactively renew all of your certificates, run “certbot renew”
  • Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.

Configure nginx (/etc/nginx/nginx.conf) so the HTTPS server block serves the issued certificate and key:

server {
  ...
  listen 443 ssl;
  server_name <servername>;

  ssl_certificate /etc/letsencrypt/live/<servername>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<servername>/privkey.pem;

  # optional TLS session and cipher tuning; uncomment to enable
  # ssl_session_cache shared:SSL:1m;
  # ssl_session_timeout 5m;
  # ssl_ciphers HIGH:!aNULL:!MD5;
  # ssl_prefer_server_ciphers on;

  ...
}

Configure automatic certificate renewal:

Use a systemd timer:

  1. Create the timer: /etc/systemd/system/certbot-renewal.timer

The following fires the timer at 12:00 on the first day of January, April, July and October, i.e. once every 3 months; with Persistent=true, a run that was missed because the machine was down is executed as soon as possible after it comes back up.

/etc/systemd/system/certbot-renewal.timer

[Unit]
Description=Renew certbot (letsencrypt) certificates

[Timer]
OnCalendar=*-01,04,07,10-01 12:00:00
# every day at 4am
# OnCalendar=*-*-* 4:00:00
Persistent=true

[Install]
WantedBy=timers.target
  2. Create the service: /etc/systemd/system/certbot-renewal.service

/etc/systemd/system/certbot-renewal.service

[Unit]
Description=Renew certbot (letsencrypt) certificates

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew
  3. Enable and start the timer:

sudo systemctl start certbot-renewal.timer
sudo systemctl enable certbot-renewal.timer

Check that the timer is scheduled and when it will next fire:

sudo systemctl list-timers

Now, certbot renew will run automatically every three months and renew the certificates that are due.
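To see what the schedule above actually does for a 90-day Let's Encrypt certificate, here is an added Python check that is not part of the original notes: it replays certbot renew on each day the timer fires, applying certbot's default rule of renewing only when fewer than 30 days of validity remain, and compares the quarterly OnCalendar line with the commented-out daily one. The issue and expiry dates are constructed to match the expiry shown in the certbot output above.

```python
from datetime import date, timedelta

# Let's Encrypt leaf certificates are valid for 90 days, and `certbot renew`
# only replaces one once fewer than 30 days remain (certbot's default
# renew_before_expiry). Both are upstream defaults, not values from this page.
CERT_LIFETIME = timedelta(days=90)
RENEW_BEFORE_EXPIRY = timedelta(days=30)


def run_days(start, end, quarterly):
    """Dates on which the timer fires between start and end (inclusive).

    quarterly=True mirrors the page's OnCalendar=*-01,04,07,10-01 12:00:00;
    quarterly=False mirrors the commented-out daily OnCalendar=*-*-* 4:00:00.
    """
    d = start
    while d <= end:
        if not quarterly or (d.month in (1, 4, 7, 10) and d.day == 1):
            yield d
        d += timedelta(days=1)


def simulate(issued, quarterly, horizon):
    """Replay `certbot renew` on each timer day; return (renewals, expired_days).

    expired_days counts days on which the live certificate was already past its
    notAfter date, i.e. days on which clients would reject the HTTPS endpoint.
    """
    expires = issued + CERT_LIFETIME
    fires = set(run_days(issued, horizon, quarterly))
    renewals, expired_days, day = [], 0, issued
    while day <= horizon:
        if day in fires and expires - day < RENEW_BEFORE_EXPIRY:
            expires = day + CERT_LIFETIME  # new 90-day certificate from today
            renewals.append(day.isoformat())
        if day >= expires:
            expired_days += 1
        day += timedelta(days=1)
    return renewals, expired_days


def compare_schedules():
    """Constructed scenario: a cert issued 2020-04-09 (so expiring 2020-07-08,
    as in the certbot output above) followed for one year under each timer."""
    issued, horizon = date(2020, 4, 9), date(2021, 4, 8)
    return {name: dict(zip(("renewals", "expired_days"), simulate(issued, q, horizon)))
            for name, q in (("quarterly", True), ("daily", False))}


if __name__ == "__main__":
    for name, result in compare_schedules().items():
        print(name, result)
```

In the constructed year the quarterly timer renews four times but leaves four days on which the served certificate is already expired, while the daily timer never lets it lapse, which is why certbot's own documentation recommends running certbot renew twice a day.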