Using Certbot to sign/renew the Let’s Encrypt certificate

By | May 26, 2017

早前寫了一篇 knowledge transfer 文章,講解如何從 Let’s Encrypt 簽 TLS cert,現在同大家分享一下。

Certbot is an official tool to renew/sign the cert issued from Let’s Encrypt.

Installation of certbot was painful in the old days, so in the first release, I use its official Docker image to do the job.

docker run -it --rm -p 443:443 -p 80:80 \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
quay.io/letsencrypt/letsencrypt:latest certonly

Then, you can find the cert and key in /etc/letsencrypt/live/<domain, e.g. carlos.aboutmy.info>/

The drawback of this is, you have to stop NGINX during the signing. But days have changed, certbot-auto provides a fairly easy way to do the same thing.

One big advantages of using certbot-auto instead of Docker is that, you did not need to stop NGINX.

1. Download certbot-auto
$ curl -OL https://dl.eff.org/certbot-auto
$ chmod +x ./certbot-auto
$ sudo mv ./certbot-auto /usr/local/bin/

2. Use certbot-auto to install certbot
Certbot requires Python and Python virtualenv, gcc and some devel packages

For RHEL/CentOS/Oracle Linux:
$ sudo yum install python-virtualenv python-pip libffi-devel openssl-devel gcc

For Debian/Ubuntu:
sudo apt-get install python-virtualenv python-pip libffi-dev libssl-dev gcc

$ certbot-auto --no-bootstrap
`–no-bootstrap` means not to install system package automatically, it’s used to keep system as clean as possible.

3. Use certbot to sign cert
$ certbot-auto --nginx certonly

It will read the NGINX config, and list out the domain you have for selection.

If passed the challenge and verification, the cert and key will be saved to
/etc/letsencrypt/live/<domain, e.g. carlos.aboutmy.info>/

The file inside that directory are symbolic links only, which will point to
/etc/letsencrypt/archive/<domain, e.g. carlos.aboutmy.info>/ and the file are named with numbers (e.g. xxx1.pem) for old backups.

So, in NGINX conf, you just make use the cert and key files in the /etc/letsencrypt/live/, it will auto link to the lastest cert and key.

4. Test and Reload NGINX config
$ sudo nginx -t
$ sudo nginx -s reload

5. Use certbot to renew cert
$ certbot-auto --nginx renew

6. Auto renewal
Run certbot-auto --nginx renew every 60 days as recommended by Let’s Encrypt since the cert will expiry every 90 days.

$ crontab -e
0 4 1 1,3,5,7,9,11 * /usr/local/bin/certbot-auto --nginx renew > /dev/null 2>&1

Remark:
If you are using CloudFlare, you have to replace --nginx with --webroot --webroot-path "%web root path%".