This article shows how to obtain, manage and renew SSL/TLS certificates using the Let's Encrypt service and the certbot client.
Certbot installation
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get install certbot
Registration
First time registration
sudo certbot register --agree-tos --email <email_address>
If the registration information needs to be updated later:
sudo certbot register --update-registration --email <your-email-address>
Create the Let's Encrypt configuration file:
touch /etc/letsencrypt/cli.ini
Contents:
max-log-backups = 0
rsa-key-size = 4096
email = <email_address>
agree-tos = True
post-hook = service apache2 reload
Note: if you run a web server other than Apache, adjust the post-hook parameter accordingly (it is what reloads the server so that the renewed certificate is actually used).
Create the Let's Encrypt helper scripts:
touch /etc/letsencrypt/list.sh
Contents:
#!/bin/bash
LE_PATH="/usr/bin"
LE_CB="certbot"
"$LE_PATH/$LE_CB" certificates
touch /etc/letsencrypt/renew.sh
Contents:
#!/bin/bash
LE_PATH="/usr/bin"
LE_CB="certbot"
"$LE_PATH/$LE_CB" renew
touch /etc/letsencrypt/renew-cron.sh
Contents:
#!/bin/bash
LE_PATH="/usr/bin"
LE_CB="certbot"
"$LE_PATH/$LE_CB" renew --no-self-upgrade --noninteractive
touch /etc/letsencrypt/delete.sh
Contents:
#!/bin/bash
LE_PATH="/usr/bin"
LE_CB="certbot"
##
## Retrieve and print a list of the installed Let's Encrypt SSL certificates.
##
function get_certificate_names()
{
    # certbot prints "Certificate Name: <name>" once per certificate; keep only the name
    # ([ \t]+ instead of \s+ so the script also works with mawk, Ubuntu's default awk)
    "$LE_PATH/$LE_CB" certificates | grep -i "certificate name" | awk -F: '{gsub(/[ \t]+/, "", $2); printf("- %s\n", $2)}'
}
echo "Available Certificates:"
get_certificate_names
echo
read -p "Which certificate do you want to delete: " -r -e answer
# Only call certbot when a name was actually entered
if [ -n "$answer" ]; then
    "$LE_PATH/$LE_CB" delete --cert-name "$answer"
fi
Create a script that obtains the certificate for a given domain:
touch /etc/letsencrypt/<your_domain_name>.sh
Contents:
#!/bin/bash
LE_PATH="/usr/bin"
LE_CB="certbot"
# List every name the certificate should cover, one -d per name, for example
# -d example.com -d www.example.com -d subdomain.example.com
# (an array is used so that each -d and each name reaches certbot as a separate argument)
DOMAINS=(-d <domain_name>)
# --webroot uses the /var/www/letsencrypt directory and Apache alias described below;
# uncomment --dry-run to test against the staging environment without using up rate limits
"$LE_PATH/$LE_CB" certonly --config /etc/letsencrypt/cli.ini \
    --webroot --webroot-path /var/www/letsencrypt "${DOMAINS[@]}" # --dry-run
To obtain a new certificate, invoke the script above. Before that, however, the web server configuration must let Let's Encrypt verify that you control the domain (the so-called "acme-challenge": a token file that must be reachable under /.well-known/acme-challenge/ over plain HTTP). For the verification to pass, create the challenge directory and add the Apache configuration:
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
Add to apache site configuration:
Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
Options None
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>
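Because a failed validation counts against Let's Encrypt's rate limits, it is worth checking locally that the Alias above really serves the challenge directory before running the domain script. The following pre-flight check is an added example and is not part of the original article; it assumes the webroot created with mkdir above (/var/www/letsencrypt) and a base URL of http://<domain_name>, and it uses a hypothetical ACME_FETCH variable (defaulting to curl) so the fetch command can be swapped out.

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-flight check that
# the web server really serves files placed in the ACME challenge directory.
# Run it before /etc/letsencrypt/<your_domain_name>.sh so that a broken
# Alias, a blanket HTTP-to-HTTPS redirect or wrong permissions are caught
# locally instead of failing the Let's Encrypt validation.
#
# Assumptions: WEBROOT is the directory created with mkdir above
# (/var/www/letsencrypt) and BASE_URL is http://<domain_name>; ACME_FETCH
# is the command used to fetch a URL and defaults to curl.

ACME_FETCH="${ACME_FETCH:-curl -fsS --max-time 10}"

# Produce a 43-character base64url token: the shape real ACME tokens have,
# and the only shape the RedirectMatch rule in the Apache config lets through.
acme_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# acme_selftest WEBROOT BASE_URL
# Writes a throw-away token file under WEBROOT/.well-known/acme-challenge,
# fetches it via BASE_URL and compares the body with the token. Returns 0
# only when the exact token comes back; the file is removed either way.
acme_selftest() {
    webroot="$1"
    base_url="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="$(acme_token)"
    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$token" || return 2
    # ACME_FETCH is deliberately unquoted so that "curl -fsS ..." splits into words
    body="$($ACME_FETCH "$base_url/.well-known/acme-challenge/$token" 2>/dev/null)"
    rm -f "$dir/$token"
    if [ "$body" = "$token" ]; then
        echo "OK: $base_url serves $dir"
        return 0
    fi
    echo "FAIL: $base_url did not return the token (got: $(printf '%s' "$body" | head -c 60))" >&2
    return 1
}

# Usage on the server (needs curl):
#   acme_selftest /var/www/letsencrypt http://example.com && /etc/letsencrypt/example.com.sh
```

The check fetches over plain HTTP on purpose: that is how Let's Encrypt starts its validation, so a site-wide redirect to HTTPS that does not exclude /.well-known/acme-challenge/ shows up here as a failure rather than in the certbot log.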
After the Apache configuration has been reloaded, obtain the certificate by executing the /etc/letsencrypt/<your_domain_name>.sh script. Note that Let's Encrypt always begins its validation request over plain HTTP on port 80, so the Alias above must be present in the port-80 virtual host, and any site-wide redirect to HTTPS must exclude /.well-known/acme-challenge/. To renew the certificate, run the /etc/letsencrypt/renew.sh script. For automatic renewal, add the following entry to crontab:
00 02 * * 6 /etc/letsencrypt/renew-cron.sh > /dev/null 2>&1 &
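The crontab entry above discards all output, so a renewal that keeps failing (for example after the Apache alias is removed) goes unnoticed until the certificate expires. The script below is an added example, not part of the original article: it turns the output of the certbot certificates command that list.sh runs into a health check that exits non-zero when any certificate is invalid or has fewer than a configurable number of days left, which can be run from a second cron job or a monitoring agent. It assumes the "Expiry Date: ... (VALID: N days)" / "(INVALID: ...)" line format certbot prints; the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: a renewal health check
# built on `certbot certificates` output. Exit status 0 means every
# certificate is valid and has more than WARN_DAYS left; 1 means something
# needs attention (details go to stderr).
#
# Usage on the server:
#   /usr/bin/certbot certificates 2>/dev/null | check_expiry "$WARN_DAYS"

WARN_DAYS="${WARN_DAYS:-20}"

# Constructed sample of certbot output, used for testing the parser offline.
sample_certbot_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2099-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2019-01-01 00:00:00+00:00 (VALID: 7 days)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
  Certificate Name: dead.example.com
    Domains: dead.example.com
    Expiry Date: 2018-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/dead.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dead.example.com/privkey.pem
EOF
}

# cert_status < certbot-output
# Prints one line per certificate: "<name> <days-left>" or "<name> INVALID".
cert_status() {
    awk '
        /Certificate Name:/ {
            sub(/.*Certificate Name:[ \t]*/, ""); sub(/[ \t]+$/, ""); name = $0
        }
        /Expiry Date:/ {
            if (match($0, /\(VALID: [0-9]+ days?\)/)) {
                s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); print name, s
            } else {
                print name, "INVALID"
            }
        }'
}

# check_expiry WARN_DAYS < certbot-output
# Returns 0 when every certificate is valid with more than WARN_DAYS left,
# 1 otherwise. The while loop runs in a subshell, so its exit is the result.
check_expiry() {
    warn="$1"
    cert_status | {
        rc=0
        while read -r name days; do
            if [ "$days" = "INVALID" ]; then
                echo "ALERT: $name is not valid; run renew.sh and inspect its output" >&2
                rc=1
            elif [ "$days" -le "$warn" ]; then
                echo "WARN: $name expires in $days days; automatic renewal may be failing" >&2
                rc=1
            fi
        done
        exit "$rc"
    }
}
```

A threshold of 20 days works well with the default certbot behaviour of renewing 30 days before expiry: a certificate that still has 20 or fewer days left has already missed at least one renewal window, so the alert fires while there is still time to fix the cause.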