First, I need to have the certbot installed. I found the instructions here: https://linuxhostsupport.com/blog/install-lets-encrypt-ssl-certificates-using-certbot/
In a nutshell, I need to run these commands:
sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
I also need to install the Nginx plugin for the certbot, since my sites are managed by Nginx as a reverse proxy to Apache or to Gunicorn. So, I run this command:
sudo apt-get install certbot python-certbot-nginx
Installing a New Certificate
To install a Let’s Encrypt certificate for a site managed by Nginx I need to run this command:
sudo certbot --nginx -d svm-demo.singularaspect.com
Had it been an Apache site (also without an Nginx proxy), the plugin parameter would have been --apache.
Certbot will ask me if I want the non-https traffic to be redirected to https. I give my consent.
Certbot finishes the certificate installation and I need to reload the Nginx server to activate the changes it made to the site configuration. These changes are marked with the "managed by Certbot" comments.
server {
    server_name svm-demo.singularaspect.com;

    location /static {
        alias /var/sites/svm-demo/master/app/app/static;
    }

    location / {
        proxy_pass http://unix:/tmp/svm-demo.singularaspect.com.socket;
        proxy_set_header Host $host;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/svm-demo.singularaspect.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/svm-demo.singularaspect.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = svm-demo.singularaspect.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name svm-demo.singularaspect.com;
    return 404; # managed by Certbot
}
Renewing the Certificates
First, I need to see which certificates are installed on the server. I run this command:
sudo certbot certificates
It generates this output:
Found the following certs:
  Certificate Name: words.divisionlab.com
    Domains: words.divisionlab.com
    Expiry Date: 2019-11-20 14:48:08+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/words.divisionlab.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/words.divisionlab.com/privkey.pem
  Certificate Name: www.divisionlab.com
    Domains: www.divisionlab.com
    Expiry Date: 2019-11-20 14:45:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.divisionlab.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.divisionlab.com/privkey.pem
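The report above can be checked automatically so that certificates close to expiry are noticed before they lapse. This is an added example, not part of the original post: the helper names, the 30-day limit and the sample report (with example.test hosts) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag certificates in a `certbot certificates` report that
# are close to expiry. The report is read from stdin.

# certs_needing_renewal LIMIT_DAYS  (hypothetical helper name)
# Prints the name of every certificate with fewer than LIMIT_DAYS days left.
# Any status other than "(VALID: N days)" is reported too, so a certificate
# whose state cannot be read is never silently skipped.
certs_needing_renewal() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            days = -1
            if (match($0, /\(VALID: [0-9]+ days?\)/)) {
                # Skip the 8 characters of "(VALID: "; awk reads the number.
                days = substr($0, RSTART + 8, RLENGTH - 8) + 0
            }
            if (days < limit) print name
        }
    '
}

# Constructed sample report in the layout shown above (not real server output).
sample_report() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: words.example.test
    Domains: words.example.test
    Expiry Date: 2019-11-20 14:48:08+00:00 (VALID: 89 days)
  Certificate Name: old.example.test
    Domains: old.example.test
    Expiry Date: 2019-09-01 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: dead.example.test
    Domains: dead.example.test
    Expiry Date: 2019-08-01 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# On a server: sudo certbot certificates | certs_needing_renewal 30
sample_report | certs_needing_renewal 30
```

With the sample report and a 30-day limit this lists old.example.test and dead.example.test.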
Now, I can run the command to renew them:
sudo certbot certonly --force-renew --cert-name words.divisionlab.com
This presents me with an authentication option to select:
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
I select the third option and provide the file system path when this prompt appears:
Input the webroot for words.divisionlab.com: (Enter 'c' to cancel):
This allows the certbot to verify the ownership and to update the certificates.
Once this is done, I need to restart the Apache server and reload Nginx to start using the updated certificates.