Installing Certbot in Ubuntu

In this example I will install the ACME client Certbot on Ubuntu 16.04 (xenial). It obtains free Let’s Encrypt SSL certificates, which are valid for 90 days, and renews them automatically.
For other versions of Ubuntu, the Certbot client is installed similarly.

The first step is to add the Certbot repository and perform the installation:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

A package may be named differently in different Linux versions, for example:

apt-cache search certbot
sudo apt install python3-certbot-apache

If nginx is used instead of apache2, then instead of the last command, execute:

sudo apt-get install python-certbot-nginx

Now run Certbot to get an SSL certificate:

sudo certbot --apache

Or:

sudo certbot --nginx

If you want to change the Apache2 configuration manually and do not want Certbot to modify it, run the following command:

sudo certbot --apache certonly

Or:

sudo certbot --nginx certonly

After running the command, you must select the site for which you want to request an SSL certificate.

After receiving the certificate, the following information was displayed:

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-08-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew *all* of
your certificates, run “certbot renew”
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

A separate site configuration file for HTTPS was created, and lines redirecting from HTTP to HTTPS were added; overall the changes are similar to what I described in this article – Installing and Configuring Let’s Encrypt SSL.

To update automatically, run the following command:

sudo certbot renew

You can also add the command to Cron for automatic renewal; see my article – Using and configuring CRON.

Example of adding to Cron (every Monday at 3:15):

sudo crontab -e
15 3 * * 1 certbot renew >> /var/log/certbot-renew.log

Or to /etc/crontab:

15 7 * * 1 root certbot renew >> /var/log/certbot-renew.log

If the certificates are also specified in Postfix and Dovecot, these services must be restarted in order to load the new certificate. This can be done by adding a post-hook to the command:

15 7 * * 1 root certbot renew --post-hook "service postfix restart; service dovecot restart" >> /var/log/certbot-renew.log

For a test update, you can run a command (configuration and certificates will not be affected):

sudo certbot renew --dry-run

If the certificate expires and the update is run, nothing will happen.
To renew certificates, apache2 must also be listening on port 80.

To update the version of Certbot itself, run the following commands:

sudo apt update
sudo apt install certbot

If Certbot was installed, for example, with apache2, and apache2 was later uninstalled and nginx installed instead, then you need to change the “authenticator” and “installer” values in the files /etc/letsencrypt/renewal/*.
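
One way to make that change in every renewal file at once, as an added example that is not part of the original article. It assumes the usual renewal file layout, where "authenticator" and "installer" sit under a [renewalparams] section; the function names switch_plugin, switch_all and write_sample are hypothetical helpers.

```shell
#!/bin/sh
# Added example (not from the article): move Certbot renewal configs from one
# web-server plugin to another, for example apache -> nginx.

# switch_plugin FILE OLD NEW
# Rewrites "authenticator = OLD" / "installer = OLD" to NEW, only inside the
# [renewalparams] section. Keeps FILE.bak. Returns 3 if nothing matched.
switch_plugin() {
    file=$1; old=$2; new=$3; rc=0
    tmp=$(mktemp) || return 1
    awk -v old="$old" -v new="$new" '
        /^\[/ { in_params = ($0 == "[renewalparams]") }
        in_params && /^(authenticator|installer)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val == old) { print key " = " new; changed = 1; next }
        }
        { print }
        END { exit (changed ? 0 : 3) }
    ' "$file" > "$tmp" || rc=$?
    # Write back in place so the file keeps its owner and mode.
    if [ "$rc" -eq 0 ]; then
        cp -p "$file" "$file.bak" && cat "$tmp" > "$file" || rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# switch_all DIR OLD NEW: apply switch_plugin to every *.conf in DIR.
switch_all() {
    count=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if switch_plugin "$f" "$2" "$3"; then
            echo "updated: $f"
            count=$((count + 1))
        fi
    done
    echo "$count file(s) updated"
}

# Constructed sample of a renewal file, for trying the functions safely.
write_sample() {
    printf '%s\n' 'cert = /etc/letsencrypt/live/example.com/cert.pem' \
        '[renewalparams]' 'authenticator = apache' 'installer = apache' \
        'account = PLACEHOLDER' > "$1"
}
```

On a real host, back up /etc/letsencrypt first, call switch_all /etc/letsencrypt/renewal apache nginx as root, and then confirm the result with sudo certbot renew --dry-run.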

To delete a certificate and all the data associated with it, use the command (after running it, you must select the domain):

sudo certbot delete

Or you can immediately indicate which one to delete:

sudo certbot delete --cert-name ixnfo.com
