First, I need to have the certbot installed. I found the instructions here: https://linuxhostsupport.com/blog/install-lets-encrypt-ssl-certificates-using-certbot/

In a nutshell, I need to run these commands:

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

I also need to install the Nginx plugin for the certbot, since my sites are managed by Nginx as a reverse proxy to Apache or to Gunicorn. So, I run this command:

sudo apt-get install certbot python-certbot-nginx

Installing a New Certificate

To install a Let’s Encrypt certificate for a site managed by Nginx I need to run this command:

sudo certbot --nginx -d svm-demo.singularaspect.com

Had it been an Apache site (that is, one without an Nginx proxy), the plugin parameter would have been --apache.

Certbot will ask me if I want the non-https traffic to be redirected to https. I give my consent.

Certbot finishes the certificate installation, and I need to reload the Nginx server to activate the changes it made to the site configuration. These changes are marked with "# managed by Certbot" comments.

server {
    server_name svm-demo.singularaspect.com;

    location /static {
        alias /var/sites/svm-demo/master/app/app/static;
    }

    location / {
        proxy_pass http://unix:/tmp/svm-demo.singularaspect.com.socket;
        proxy_set_header Host $host;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/svm-demo.singularaspect.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/svm-demo.singularaspect.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = svm-demo.singularaspect.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name svm-demo.singularaspect.com;
    return 404; # managed by Certbot
}

Renewing the Certificates

First, I need to see which certificates I have installed on the server. I run this command:

sudo certbot certificates

It generates this output:

Found the following certs:
  Certificate Name: words.divisionlab.com
    Domains: words.divisionlab.com
    Expiry Date: 2019-11-20 14:48:08+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/words.divisionlab.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/words.divisionlab.com/privkey.pem
  Certificate Name: www.divisionlab.com
    Domains: www.divisionlab.com
    Expiry Date: 2019-11-20 14:45:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.divisionlab.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.divisionlab.com/privkey.pem

Now, I can run the command to renew them:

sudo certbot certonly --force-renew --cert-name words.divisionlab.com

This presents me with an authentication option to select:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3

I select the third option and provide the file system path when this prompt appears:

Input the webroot for words.divisionlab.com: (Enter 'c' to cancel):

This allows certbot to verify ownership of the domain and to update the certificates.

Once this is done, I need to restart the Apache server and reload Nginx to start using the updated certificates.
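
To see which certificates are actually close to expiry before renewing anything, the output of certbot certificates shown above can be filtered by the days remaining. This is an added example, not part of the original post: the function name certs_due is hypothetical, the example.com entries are constructed sample data, and the "INVALID: EXPIRED" status line is an assumption about how certbot reports an expired certificate.

```shell
#!/bin/sh
# certs_due LIMIT_DAYS
# Reads `certbot certificates` output on stdin and prints one line per
# certificate with fewer than LIMIT_DAYS days left: "<cert-name> <days>".
# Entries whose status is not "(VALID: N days)" (expired, only hours left,
# and so on) are printed as "<cert-name> DUE" so they are never missed.
certs_due() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if (match($0, /\(VALID: [0-9]+ days?\)/)) {
                days = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", days)      # keep only the number
                if (days + 0 < limit) print name, days
            } else {
                print name, "DUE"
            }
        }
    '
}

# Constructed sample in the same layout as the output shown in the post.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com
    Expiry Date: 2019-11-20 14:45:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2019-09-04 09:12:30+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/api.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2019-08-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
EOF
}

# Demo on the sample; on a real server use:
#   sudo certbot certificates | certs_due 30
sample_output | certs_due 30
```

Each name it prints can be passed to --cert-name in the renewal command above.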

