Today I'll show you how to install Certbot on Ubuntu 16.04 and configure automatic certificate renewal.
Certbot is an awesome tool that helps you to renew certificates on your web server to enable SSL. Certbot utilizes Let’s Encrypt, the popular free certificate authority provider.
This guide shows you how to get a completely free SSL certificate that renews itself. How awesome is that?
Enough talk, let’s get to work.
1. Installing the LAMP stack on Ubuntu 16.04
Of course, before you can request any kind of certificate, you need to have your web server in place.
Simply follow my step-by-step guide on how to install LAMP on Ubuntu 16.04 and then continue with step 2.
2. Installing Certbot
First things first, as always, make sure you are on the latest update:
sudo apt-get update -y && sudo apt-get upgrade -y
After that, we make sure the software-properties-common package is installed. Usually it already is after the update/upgrade:
sudo apt-get install software-properties-common
Alright, time to add the certbot apt-repository:
sudo add-apt-repository ppa:certbot/certbot
Now we have to run update again:
sudo apt-get update
And finally install Certbot:
sudo apt-get install python-certbot-apache
Perfect. Configuration time.
3. Configuring Certbot
We are going to run Certbot with the Apache plugin, which allows us to automatically obtain and install our certificates:
sudo certbot --apache
After running that, you are asked a few questions. Enter your email and domain as in the screenshot below:
Of course, you need to own the domain for this to work and the FQDN needs to be resolvable.
4. Configuring auto renewals
Last step. Time to configure the automatic renewals.
Let’s Encrypt certificates are valid for 90 days only. It’s highly recommended that you run a cron job at least once a day to check if a renewal is necessary.
You can do a dry run to see if the command works:
sudo certbot renew --dry-run
If it runs successfully, you get a confirmation in your console window like so:
Now we are going to set up a cron job to automatically check for renewals once an hour, at minute 59. This is a perfectly fine schedule; you could run it only once a day if you want, but because it’s an SSL cert, I personally prefer it runs more often.
sudo crontab -e
The first time you start this, it will ask you which editor to use. Select 2 for /bin/nano and paste the line below at the bottom. Make sure there is no # in front of the line:
59 * * * * sudo certbot renew
It should look like this:
Press CTRL+O to save and CTRL+X to leave.
This will check for renewals at minute 59 of every hour. If you want to run it only once a day, you can change the schedule to 30 14 * * *, which checks just once a day at 14:30.
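To see when cron actually fires for the two schedules above, here is an added example (not part of the original guide) that expands a five-field crontab expression and lists its run times over 24 hours. It is a simplified model of cron matching that handles only `*`, numbers, ranges, lists and steps; the function names and the start date are made up for illustration.

```python
from datetime import datetime, timedelta

# Valid range of each crontab time field: minute, hour, day-of-month, month, day-of-week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def expand_field(field, lo, hi):
    """Expand one crontab field ('*', '59', '1-5', '*/15', '1,30') into a set of ints."""
    values = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-"))
        else:
            start = end = int(base)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad crontab field: {field!r}")
        values.update(range(start, end + 1, step))
    return values

def parse_schedule(expr):
    """Parse the five time fields of a crontab line (names such as 'mon' are not handled)."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 time fields")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]

def run_times(expr, start, hours=24):
    """Return every minute in [start, start + hours) at which the schedule fires."""
    minute, hour, dom, month, dow = parse_schedule(expr)
    # cron requires both day fields to match unless both are restricted, then either one.
    and_days = len(dom) == 31 or len(dow) == 7
    fired, t = [], start.replace(second=0, microsecond=0)
    end = t + timedelta(hours=hours)
    while t < end:
        days = (t.day in dom, (t.weekday() + 1) % 7 in dow)  # cron: 0 = Sunday
        day_ok = all(days) if and_days else any(days)
        if day_ok and t.minute in minute and t.hour in hour and t.month in month:
            fired.append(t)
        t += timedelta(minutes=1)
    return fired

if __name__ == "__main__":
    day = datetime(2024, 1, 1)  # constructed start time for the demo
    for expr in ("59 * * * *", "30 14 * * *"):
        print(expr, "->", [t.strftime("%H:%M") for t in run_times(expr, day)])
```

The first schedule fires 24 times a day, always at minute 59; the second fires once, at 14:30.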
Here is a useful “Cron calculator” to help you create a schedule you like without having to understand how it works.
And there you have it. If you access your website now, you should get a valid SSL authentication returned.