Step 1 — Installing Certbot
First, add the repository:
sudo add-apt-repository ppa:certbot/certbot
You’ll need to press ENTER
to accept.
Install Certbot’s Nginx package with apt
:
sudo apt install python-certbot-nginx
Certbot is now ready to use, but in order for it to configure SSL for Nginx, we need to verify some of Nginx’s configuration.
Step 2 — Confirming Nginx’s Configuration
Certbot needs to be able to find the correct server
block in your Nginx configuration for it to be able to automatically configure SSL. Specifically, it does this by looking for a server_name
directive that matches the domain you request a certificate for.
If you followed the server block set up step in the Nginx installation tutorial, you should have a server block for your domain at /etc/nginx/sites-available/example.com
with the server_name
directive already set appropriately.
To check, open the server block file for your domain using nano
or your favorite text editor:
sudo nano /etc/nginx/sites-available/example.com
Find the existing server_name
line. It should look like this:
...
server_name example.com www.example.com;
...
If it does, exit your editor and move on to the next step.
If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:
sudo nginx -t
If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
sudo systemctl reload nginx
Certbot can now find the correct server
block and update it.
Next, let’s update the firewall to allow HTTPS traffic.
Step 3 — Allowing HTTPS Through the Firewall
sudo ufw status
To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Step 4 — Obtaining an SSL Certificate
sudo certbot --nginx -d example.com -d www.example.com
Managing certificates
To view a list of the certificates Certbot knows about, run the certificates
subcommand:
certbot certificates
This returns information in the following format:
Found the following certs:
Certificate Name: example.com
Domains: example.com, www.example.com
Expiry Date: 2017-02-19 19:53:00+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
Certificate Name
shows the name of the certificate. Pass this name using the --cert-name
flag to specify a particular certificate for the run
, certonly
, certificates
, renew
, and delete
commands. Example:
certbot certonly --cert-name example.com
source: https://certbot.eff.org/docs/using.html?highlight=renew#renewing-certificates
Step 5 — Verifying Certbot Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot
package we installed takes care of this for us by adding a renew script to /etc/cron.d
. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.
To test the renewal process, you can do a dry run with certbot
:
sudo certbot renew --dry-run
If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.