LetsEncrypt Certbot on Ubuntu Xenial Xerus
LetsEncrypt, SSL
LetsEncrypt is a free, open and automated certificate authority that operates for public benefit. It is a project of the non-profit Internet Security Research Group (ISRG).
This guide covers installing and configuring LetsEncrypt and its client, Certbot, on Ubuntu 16.04 Xenial Xerus.
Certbot: the LetsEncrypt Client
Certbot is a client that allows you to fetch and configure SSL/TLS certificates. It also updates virtual host directives to ensure that site resources redirect to HTTPS.
Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.
Install Certbot
See up-to-date instructions here.
Set Up Certs - Specific Domains
If you have pre-existing certs, this may be a good solution:
This command sets up certificates and creates appropriate virtual host directives that reference the certificates.
Set Up Certs - Interactive Session
You could run sudo certbot --apache instead; this opens an interactive session that prompts you for the various options. If you are upgrading from a previous version of the LetsEncrypt client, this is probably the best option:
The new vhost directives will be created in the /etc/apache2/sites-available directory, named in the format example.com-le-ssl.conf. The vhost configs will be enabled automatically, and a redirect to HTTPS will be written into the corresponding directive for port 80 (the original plain-HTTP vhost directive).
Renew Certs
Check Renew
Test that the renew process will work by performing a dry-run:
Automatic Renewal: Cronjob
Certificates have a three-month lifespan, so automatic renewal is recommended.
LetsEncrypt/Certbot sets up a cronjob. This is located at /etc/cron.d/certbot. It looks like this:
The script first checks that /usr/bin/certbot exists and is executable, and that systemd is NOT present, before running renew at a random minute of the hour.
The cronjob:
- Runs every twelve hours
- Tests that /usr/bin/certbot exists and is executable (i.e. certbot is installed), and ALSO (-a) tests that the directory /run/systemd/system does NOT exist (i.e. systemd is not present on the system)
- If both conditions are satisfied, pauses for a random number of seconds < 3600
- When the sleep period has elapsed, runs certbot renew in quiet mode
Ubuntu 16.04? Your Cronjob Does Nothing!
The test command in the cronjob under /etc/cron.d/certbot stops execution if systemd is present, which on Ubuntu 16.04 it is.
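The gating logic described above (the -x / -a / ! -d test chain) and the consequence for systemd hosts can be checked without touching cron at all. The script below is an added example, not part of the original post or the certbot package; it reproduces the same two conditions in a function, with the certbot path and the systemd directory passed as parameters so the check can be exercised against scratch paths. The systemctl call at the end is only informational and is skipped where systemctl is absent.

```shell
#!/bin/sh
# Added example (not from the original post or the certbot package).
# Assumes the packaged cron line has the shape described in the post:
#   test -x /usr/bin/certbot -a ! -d /run/systemd/system && sleep <random> && certbot -q renew
# Both paths are parameters here so the logic can be tested against a scratch directory.

# cron_would_renew CERTBOT_PATH SYSTEMD_DIR
# Exit status 0 when the cron entry would go on to run "certbot renew",
# 1 when it would silently stop (certbot missing/not executable, or systemd present).
cron_would_renew() {
    certbot_path=$1
    systemd_dir=$2
    # Exactly the two conditions the cron line tests, joined with -a (logical AND):
    # certbot is an executable file AND the systemd runtime directory does not exist.
    test -x "$certbot_path" -a ! -d "$systemd_dir"
}

# renewal_driver CERTBOT_PATH SYSTEMD_DIR
# Prints which mechanism is expected to drive renewals on a host:
#   none           - certbot is not installed (nothing will renew)
#   systemd-timer  - systemd present, so the cron entry exits and certbot.timer is in charge
#   cron           - no systemd, so /etc/cron.d/certbot does the work
renewal_driver() {
    if ! test -x "$1"; then
        echo "none"
    elif test -d "$2"; then
        echo "systemd-timer"
    else
        echo "cron"
    fi
}

# Stand-alone run: report for the real paths on this host, then show the timer
# state when systemd is available (purely informational, errors are ignored).
main() {
    echo "renewal driver on this host: $(renewal_driver /usr/bin/certbot /run/systemd/system)"
    if command -v systemctl >/dev/null 2>&1; then
        systemctl list-timers certbot.timer --no-pager 2>/dev/null || true
    fi
}
main
```

On a Xenial box the report will read "systemd-timer", which is the whole point of the section: the cron entry is inert there, so an operator auditing renewal should look at certbot.timer (systemctl list-timers) rather than at cron. Either way, the renewal itself is still confirmed separately with the dry-run described under Check Renew (certbot renew --dry-run), since the driver being active says nothing about whether the ACME challenge will succeed.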
In this case, the timing of renewals is controlled by /lib/systemd/system/certbot.timer. Note that whether this timer is enabled is controlled by /etc/systemd/system/timers.target.wants, which contains a symlink to /lib/systemd/system/certbot.timer.
The /lib/systemd/system/certbot.timer file looks like this:
This timer runs the service /lib/systemd/system/certbot.service, which looks like this:
Note that by default a timer activates the service with the same name (excluding the suffix), so certbot.timer activates certbot.service.
Support LetsEncrypt
You can support LetsEncrypt and Certbot by donating here.