Configuring Automatic LetsEncrypt SSL Certificate Renewal

What is LetsEncrypt and SSL?

LetsEncrypt is a free, automated, and open Certificate Authority (CA) operated by the Internet Security Research Group (ISRG). It was founded to make the internet more secure by making it easier and simpler to obtain and manage SSL/TLS certificates required for website encryption. LetsEncrypt offers an easy way to get SSL certificates for websites without incurring costs or complicated administrative tasks.

SSL (Secure Sockets Layer) is a security protocol that prevents unauthorized persons from intercepting or changing data transmitted between two computers over the internet. SSL is frequently used for secure communications between web browsers and web servers. Websites that use SSL/TLS certificates are displayed with HTTPS instead of HTTP and have a visible padlock icon in the browser.

In summary, LetsEncrypt offers an easy way to obtain SSL certificates, while SSL/TLS ensures the security and confidentiality of data exchanged between computers on the internet.

How do I install LetsEncrypt?

sudo apt-get install software-properties-common

To set up LetsEncrypt, we need to add its software repository.

sudo apt-get update

Then we update our system to use it.

sudo apt-get install certbot

Next, we install the latest version of Certbot.

sudo apt-get install python-certbot-nginx

Finally, we add the Nginx plugin for Certbot.

sudo apt-get install python-certbot-apache

We also need to set up the Apache plugin for Certbot.

The last step is crucial for the correct setup of SSL certificates and their automatic renewal. With the certbot command, we can now generate and renew SSL certificates at any time. Next, we examine how to set up automatic renewal on Nginx and Apache-based servers.

Nginx

The generation of certificates on a server running Nginx is based on the server block setup. It is advisable to back up the server block before proceeding, as Certbot may change its content.

sudo certbot --nginx

Let's start the Certbot Nginx assistant to generate the certificates. When we run certbot for the first time, we will be prompted to enter an email address for urgent renewals and security advisories. You will then be prompted to accept the terms and conditions. Finally, we will receive a list of all available sites detected based on their server block entries.

We must select all domains that we want to include in the SSL certificate we generate. We can add more domain names by separating the site numbers with commas. Here, our first domain is the domain beispiel.de. Next, we can force redirects to the secure HTTPS URL. To test if it works, we try opening our domain name with the prefix https://. All newly generated SSL certificates are only valid for 90 days before they expire. To renew the certificate manually, we run this command.

sudo certbot renew --nginx

This command will take us to a dialogue with some steps for the renewal process. LetsEncrypt only allows the renewal of certificates that occur within 30 days of expiration. Finally, we set up the automatic renewal feature to avoid having to log in to the server to update it manually. The automatic renewal feature is executed by a Cron job. When installing Certbot, a Cron file is automatically added, which we can find in the /etc/cron.d/certbot directory. If it is not available, we have to create it. Let's open the Cron file with a text editor like Nano and then add this content.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root certbot -q renew --nginx

This automatically runs the automatic renewal process twice a day. We use the -q flag to suppress the output of logs.

Apache

On servers running Apache, the generation of certificates is based on the vHosts setup. It is advisable to back up the vHosts block before proceeding, as Certbot may change its content.

sudo certbot --apache

Let's start the Certbot Apache assistant to generate the certificates.

We will receive a dialogue with steps you need to follow to generate an SSL certificate based on the domains recognized in the vHost blocks. Here we can select one or more domain names to be included in the SSL certificate. We can add multiple domain names by separating the individual domain numbers with a comma. Here, our first domain is the domain beispiel.de. In addition, we can choose whether redirects to the secure HTTPS URL should be enforced.

sudo certbot renew --apache

To manually renew the certificates, we run this command. We will receive a dialogue with steps that will guide us through the renewal process. Renewal of certificates only takes place if it occurs within 30 days of the expiration date.

A Cron job manages the automatic SSL renewal feature. When installing Certbot, a Cron file is automatically added, which we can find in the /etc/cron.d/certbot directory. If it is not available, we have to create it.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root certbot -q renew --apache

Let's fill the Cron file with this content. The automatic renewal process runs automatically twice a day. We use the -q flag to suppress the output of logs.

Conclusion: Protect Your Website and Visitors with LetsEncrypt SSL Certificates

Secure websites are essential for success on the internet, and LetsEncrypt makes it easier than ever to obtain and manage SSL certificates. With our simple step-by-step guide, you can set up your own SSL certificate for your website and increase the security of your online presence.

Keep in mind that automatic renewals of LetsEncrypt certificates must be renewed every 90 days to maintain their validity. It is important to ensure that this process works smoothly to avoid interrupted encryption and associated security risks.

Protect your website and your visitors by taking advantage of an SSL certificate from LetsEncrypt. The LetsEncrypt Certificate Authority offers a free, easy-to-use, and reliable way to increase the security of your website. Use this resource and protect your online business and your users.