Enable HTTPS on your website with Let’s Encrypt
Let’s Encrypt
Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open
Enable HTTPS Automatically
Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.
To install just do
mkdir /usr/local/bin/ || exit
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
If you would like to generate specific certificates, use the certonly command.
certbot-auto --agree-tos --email admin@example.com --apache certonly -n -d example.com -d example.org
Add your new certificate to Apache
In Apache if you need to specify the chain file, otherwise clients will complain about certificate hierarchy in some browsers and Operating Systems.
vi /etc/apache2/sites-enabled/000-defaul-ssl
SSLCertificateFile /etc/letsencrypt/archive/example.com/cert1.pem
SSLCertificateKeyFile /etc/letsencrypt/archive/example.com/privkey1.pem
SSLCertificateChainFile /etc/letsencrypt/archive/example.com/chain1.pem
Or add the new certificate to nginx
vi /etc/nginx/nginx.conf
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Automating renewal
Let’s Encrypt certificates last for 90 days, so it’s highly advisable to renew them automatically!
We can use pre-hook and post-hook to stop services before renewing the certificates and after, in this case i use apache2 but can be nginx. Let’s test automatic renewal for our certificates by running this command:
certbot-auto renew \
--dry-run \
--force-renew \
--standalone \
--noninteractive \
--pre-hook "service apache2 stop" \
--post-hook "service apache2 start"
And finally add a line to cron, auto-renew-certs.sh it’s the previous command in a script.
# Let's Encrypt
0 3 1 * * root /usr/local/bin/auto-renew-certs.sh | mail -e -s "[Let's Encrypt] monthly renew certs" admin@example.com
Some usefull links
https://certbot.eff.org/ https://certbot.eff.org/#ubuntuother-apache https://certbot.eff.org/docs/using.html#renewal https://certbot.eff.org/docs/using.html#renewing-certificates