First, I need to have the certbot installed. I found the instructions here: https://linuxhostsupport.com/blog/install-lets-encrypt-ssl-certificates-using-certbot/
In a nutshell, I need to run these commands:
|
1 2 3 4 |
sudo apt-get install software-properties-common python-software-properties sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-apache |
I also need to install the Nginx plugin for the certbot, since my sites are managed by Nginx as a reverse proxy to Apache or to Gunicorn. So, I run this command:
|
1 |
sudo apt-get install certbot python-certbot-nginx |
Installing a New Certificate
To install a Let’s Encrypt certificate for a site managed by Nginx I need to run this command:
|
1 |
sudo certbot --nginx -d svm-demo.singularaspect.com |
Had it been an Apache site (also without an Nginx proxy), the plugin parameter would have been --apache.
Certbot will ask me if I want the non-https traffic to be redirected to https. I give my consent.
Certbot finishes the certificate installation and I need to reload the Nginx server to activate the changes it made to the site configuration. These changes are marked with the managed by certbot comments.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
server { server_name svm-demo.singularaspect.com; location /static { alias /var/sites/svm-demo/master/app/app/static; } location / { proxy_pass http://unix:/tmp/svm-demo.singularaspect.com.socket; proxy_set_header Host $host; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/svm-demo.singularaspect.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/svm-demo.singularaspect.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = svm-demo.singularaspect.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; server_name svm-demo.singularaspect.com; return 404; # managed by Certbot } |
Renewing the Certificates
First, I need to see what certificates I have on the server installed. I run this command:
|
1 |
sudo certbot certificates |
It generates this output:
|
1 2 3 4 5 6 7 8 9 10 11 |
Found the following certs: Certificate Name: words.divisionlab.com Domains: words.divisionlab.com Expiry Date: 2019-11-20 14:48:08+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/words.divisionlab.com/fullchain.pem Private Key Path: /etc/letsencrypt/live/words.divisionlab.com/privkey.pem Certificate Name: www.divisionlab.com Domains: www.divisionlab.com Expiry Date: 2019-11-20 14:45:57+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/www.divisionlab.com/fullchain.pem Private Key Path: /etc/letsencrypt/live/www.divisionlab.com/privkey.pem |
Now, I can run the command to renew them:
|
1 |
sudo certbot certonly --force-renew --cert-name words.divisionlab.com |
This presents me with an authentication option to select:
|
1 2 3 4 5 6 7 |
How would you like to authenticate with the ACME CA? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: Apache Web Server plugin (apache) 2: Spin up a temporary webserver (standalone) 3: Place files in webroot directory (webroot) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3 |
I select the third option and provide the file system path when this prompt appears:
|
1 |
Input the webroot for words.divisionlab.com: (Enter 'c' to cancel): |
This allows the certbot to verify the ownership and to update the certificates.
Once this is done, I need to restart the Apache server and reload Nginx to start using the updated certificates.
