Certbot sets up a free Let's Encrypt certificate for your website. The following instructions are for Certbot, the tool supplied by the EFF (the creators of Let's Encrypt) to help with setup. These notes cover a simple single site using the defaults.
Ensure a DNS record exists for the domain name(s) you will be using.
NB Let's Encrypt does not support wildcard certificates, but since it costs nothing (and is easy) to generate certificates for different domains, or one certificate with multiple domain names attached, wildcards are not a big issue.
Retrieve the certbot-auto script, make it executable, copy it somewhere on the default PATH and run it:
- apt-get -y install python-pip
- wget https://dl.eff.org/certbot-auto
- chmod a+x certbot-auto
- cp certbot-auto /usr/bin/
- # Create a certificate for all domains
- certbot-auto --apache
- # Create a certificate for a specific set of domains
- certbot-auto --apache --cert-name example.com -d 1.example.com,2.example.com
Follow the prompts, making sure you enter the domain name(s) correctly. Given the current environment, when asked whether you want to keep plain HTTP available it's recommended to take the "secure" option (HTTPS only).
If the certificate generates successfully, next configure auto-renew. Test renewal first by running:
- certbot-auto renew --dry-run
and, if that succeeds, add an auto-renew script to cron.daily:
- sudo vim /etc/cron.daily/autorenew
- #!/bin/sh
- ## Script to run the Let's Encrypt certificate renewal check/update tool
- certbot-auto renew --quiet --no-self-upgrade
and make it executable
- sudo chmod +x /etc/cron.daily/autorenew
Because the cron job passes --no-self-upgrade, you should occasionally run certbot-auto manually to let it upgrade itself; the cron job will keep the certificates renewed in between.
Revoking a certificate
- certbot-auto revoke --cert-path /etc/letsencrypt/live/<cert-name>/cert.pem
Ubuntu upgrade between major versions
Note: when doing a major version upgrade, e.g. 16.04 to 18.04, the /etc/letsencrypt directory gets deleted and certbot will be broken. So before starting the upgrade, make a copy of /etc/letsencrypt in another directory:
- cp -R /etc/letsencrypt ~/
After the upgrade, copy the letsencrypt folder back to /etc/letsencrypt and reinstall certbot:
- cp -R ~/letsencrypt /etc/
- mv /opt/eff.org/certbot /opt/eff.org/certbot-old
- certbot-auto certificates
The last command triggers certbot to be reinstalled and lists the available certificates, allowing you to check that all the previous certificates are recognised. You should also check that renewal works, using the dry-run command given above.
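Before relying on the output of certbot-auto certificates after a restore, it is worth checking that the copied tree is structurally intact. The following Python script is an added example, not part of this page and not certbot's own code. It walks a letsencrypt-style directory and checks that each live/<name>/*.pem entry is a symlink resolving to a file under archive/<name>/ (certbot keeps live/ as relative symlinks into archive/), that the private keys in archive/ are readable by their owner only, and that renewal/<name>.conf exists and references that lineage's live paths. The sample tree it builds in a temporary directory (one healthy lineage and one deliberately broken one), the lineage names, the fake PEM contents and the renewal conf text are all constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# The four files certbot keeps under live/<name>/, each a symlink into archive/<name>/
PEM_FILES = ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")


def parse_renewal_conf(path):
    """Read the key = value lines above the first [section] header.

    certbot's renewal/<name>.conf lists the lineage paths before the
    [renewalparams] section, which configparser rejects, so parse by hand.
    """
    values = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            break
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def check_lineage(root, name):
    """Return a list of problems for one lineage; an empty list means it is OK."""
    root = Path(root)
    live = root / "live" / name
    archive = (root / "archive" / name).resolve()
    problems = []

    # 1. Every live/<name>/*.pem must be a symlink that lands inside archive/<name>/.
    for pem in PEM_FILES:
        link = live / pem
        if not link.is_symlink():
            problems.append(f"{link} is not a symlink")
            continue
        target = link.resolve()
        if not target.is_file():
            problems.append(f"{link} -> {os.readlink(link)} is dangling")
        elif archive not in target.parents:
            problems.append(f"{link} resolves outside {archive}")

    # 2. Private keys must stay readable by their owner only.
    for key_file in sorted(archive.glob("privkey*.pem")):
        mode = stat.S_IMODE(key_file.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key_file} has mode {mode:04o}, expected owner-only")

    # 3. renewal/<name>.conf must exist and point at this lineage's live paths.
    conf = root / "renewal" / f"{name}.conf"
    if not conf.is_file():
        problems.append(f"missing {conf}")
    else:
        values = parse_renewal_conf(conf)
        for pem in PEM_FILES:
            key = pem[: -len(".pem")]  # cert, privkey, chain, fullchain
            suffix = f"live/{name}/{pem}"
            if not values.get(key, "").endswith(suffix):
                problems.append(f"{conf}: '{key}' does not point at .../{suffix}")
    return problems


def check_tree(root):
    """Check every lineage under <root>/live; returns {lineage name: [problems]}."""
    live_root = Path(root) / "live"
    if not live_root.is_dir():
        return {"<tree>": [f"{live_root} does not exist"]}
    # live/README is a regular file, so only directories count as lineages.
    return {p.name: check_lineage(root, p.name)
            for p in sorted(live_root.iterdir()) if p.is_dir()}


def build_sample_tree(root):
    """Constructed sample: one healthy lineage and one broken three ways
    (dangling cert.pem link, world-readable key, no renewal conf)."""
    root = Path(root)
    for name, healthy in (("example.com", True), ("broken.example", False)):
        live, archive = root / "live" / name, root / "archive" / name
        live.mkdir(parents=True)
        archive.mkdir(parents=True)
        for pem in PEM_FILES:
            versioned = pem.replace(".pem", "1.pem")  # cert1.pem, privkey1.pem, ...
            if healthy or pem != "cert.pem":  # leave broken.example's cert1.pem missing
                (archive / versioned).write_text(f"-----BEGIN FAKE {pem}-----\n")
            # certbot-style relative symlink from live/ into archive/
            os.symlink(f"../../archive/{name}/{versioned}", live / pem)
        (archive / "privkey1.pem").chmod(0o600 if healthy else 0o644)
    (root / "renewal").mkdir()
    (root / "renewal" / "example.com.conf").write_text(
        "# renew_before_expiry = 30 days\n"
        "archive_dir = /etc/letsencrypt/archive/example.com\n"
        "cert = /etc/letsencrypt/live/example.com/cert.pem\n"
        "privkey = /etc/letsencrypt/live/example.com/privkey.pem\n"
        "chain = /etc/letsencrypt/live/example.com/chain.pem\n"
        "fullchain = /etc/letsencrypt/live/example.com/fullchain.pem\n"
        "\n[renewalparams]\nauthenticator = apache\ninstaller = apache\n"
    )


def demo():
    """Build the sample tree in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return check_tree(tmp)


if __name__ == "__main__":
    for lineage, problems in demo().items():
        print(f"{lineage}: {'OK' if not problems else str(len(problems)) + ' problem(s)'}")
        for problem in problems:
            print("  -", problem)
```

To run it against a real copy, call check_tree with the directory you copied (for example the letsencrypt folder in your home directory) instead of demo; the renewal conf check compares only the trailing live/<name>/<file> part of each path, so a tree copied elsewhere still passes. Run it as root, since the private keys are not readable otherwise.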
On Ubuntu 16.04 Certbot is also available as a distro package (installed as the letsencrypt command), so you can apt-get the following package instead:
- sudo apt-get install python-letsencrypt-apache
The package includes the Apache plugin, which automates obtaining and installing certificates:
- letsencrypt --apache
You can also specify domains manually, which is useful for adding aliases to a single certificate, e.g. example.com & www.example.com:
- letsencrypt --apache --domains example.com,www.example.com
- letsencrypt renew --dry-run --agree-tos
There's a bug in the version of Certbot on Ubuntu Xenial which may show a warning saying 'Registering without email!' even if you have previously given an email to Certbot. Don't worry if this happens; it will not affect your renewal. If the dry run appears to work correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:
- letsencrypt renew
An error like the following may appear while certbot-auto builds its Python virtualenv:
- Traceback (most recent call last):
- File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
- File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
- File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
- File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
- call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
- File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
- % (cmd_desc, proc.returncode))
- OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
Setting a plain C locale before re-running certbot-auto works around this:
- export LC_ALL=C