How to Install Let's Encrypt Nginx plugin (DigitalOcean)
Install the Let's Encrypt certbot client
EasiestSoft@ubuntu18.04:~$ sudo apt update
$ sudo apt install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt-get install certbot python-certbot-nginx
Check nginx site configuration
$ sudo vi /etc/nginx/sites-available/EasiestSoft.com
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name EasiestSoft.com www.EasiestSoft.com;
    add_header Strict-Transport-Security max-age=31536000;
    access_log /home/EasiestSoft.com/logs/EasiestSoft_access.log;
    error_log /home/EasiestSoft.com/logs/EasiestSoft_error.log;
    root /home/EasiestSoft.com/public;
    index index.html index.htm;
}
server {
    listen 80;
    listen [::]:80;
    server_name EasiestSoft.com www.EasiestSoft.com;
}
Install the DigitalOcean DNS plugin on Ubuntu 18.04
Skip this section if your domain's DNS is not hosted at DigitalOcean
$ sudo apt-get install python3-certbot-dns-digitalocean
$ certbot plugins
Create a personal access token on DigitalOcean.com with write access, then store it in a file that only your user can read:
EasiestSoft@ubuntu:~$ mkdir -p ~/.secrets/certbot
$ echo 'dns_digitalocean_token=token' > ~/.secrets/certbot/digitalocean.ini
$ chmod 600 ~/.secrets/certbot/digitalocean.ini
Run certbot to obtain the certificate and configure nginx automatically
EasiestSoft@ubuntu:~$ sudo certbot --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 120 -i nginx -d "*.EasiestSoft.com" -d EasiestSoft.com --server https://acme-v02.api.letsencrypt.org/directory
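The DigitalOcean token in digitalocean.ini can change every DNS record in the account, so it is worth confirming the file is owner-only and actually holds a token before handing it to certbot. The following check is an added example, not part of the original tutorial or of certbot; the file path is the one used above and the key name dns_digitalocean_token is the one the plugin reads.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check the certbot
# DNS credentials file before running certbot with --dns-digitalocean.
# Returns 0 when the file exists, is not group/world readable and contains a
# non-empty dns_digitalocean_token value; prints the reason and returns 1 otherwise.
check_dns_credentials() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # the first 10 characters of 'ls -l' are the mode string, e.g. -rw-------
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -r??------) ;;   # owner-only: all group and other bits are clear
        *) echo "insecure mode $mode on $f (expected chmod 600)"; return 1 ;;
    esac
    # certbot-dns-digitalocean reads the token from this key
    token=$(sed -n 's/^[[:space:]]*dns_digitalocean_token[[:space:]]*=[[:space:]]*//p' "$f" | head -n1)
    # 'token' is the placeholder from the echo command above, so treat it as unset
    if [ -z "$token" ] || [ "$token" = "token" ]; then
        echo "no real dns_digitalocean_token in $f"
        return 1
    fi
    return 0
}

# Usage: ./check-creds.sh --run   (path assumed from the tutorial)
if [ "${1:-}" = "--run" ]; then
    check_dns_credentials "$HOME/.secrets/certbot/digitalocean.ini" || exit 1
    echo "credentials file looks fine; now run the certbot command from the tutorial"
fi
```

Run it before the certbot command; certbot itself only warns about loose permissions, this check refuses to continue.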
Check SSL configuration
$ sudo vi /etc/nginx/sites-available/EasiestSoft.com
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name EasiestSoft.com www.EasiestSoft.com;
    add_header Strict-Transport-Security max-age=31536000;
    access_log /home/EasiestSoft.com/logs/EasiestSoft_access.log;
    error_log /home/EasiestSoft.com/logs/EasiestSoft_error.log;
    root /home/EasiestSoft.com/public;
    index index.html index.htm;
    ssl_certificate /etc/letsencrypt/live/EasiestSoft.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/EasiestSoft.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = EasiestSoft.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host ~ ^[^.]+\.EasiestSoft\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name EasiestSoft.com www.EasiestSoft.com;
}
SSL_ERROR_RX_RECORD_TOO_LONG
If the browser shows this error, nginx is answering plain HTTP on port 443. Check the listen directives; they should be:
# no 'ssl on'
listen 443 ssl;
listen [::]:443 ssl;
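The two config mistakes behind that error are a listen directive on 443 without the ssl parameter and the old ssl on; directive. The following lint is an added example, not part of the tutorial or of nginx; it takes the path of a site file such as /etc/nginx/sites-available/EasiestSoft.com as its argument.

```shell
#!/bin/sh
# Added example (not from the original tutorial): flag nginx settings that make
# the server speak plain HTTP on port 443, which the browser reports as
# SSL_ERROR_RX_RECORD_TOO_LONG. Returns 0 when clean, 1 after printing each offender.
lint_tls_listen() {
    cfg="$1"
    # strip comments first so a commented-out 'ssl on' is not reported
    stripped=$(sed 's/#.*//' "$cfg")
    # 'listen' lines that carry port 443 (not 8443 etc.) but no 'ssl' parameter
    missing=$(printf '%s\n' "$stripped" \
        | grep -nE '^[[:space:]]*listen[[:space:]]+([^;]*[^0-9;])?443([[:space:]]|;)' \
        | grep -vE '[[:space:]]ssl([[:space:]]|;)' || true)
    # the deprecated directive; modern nginx wants 'ssl' on the listen line instead
    legacy=$(printf '%s\n' "$stripped" \
        | grep -nE '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' || true)
    rc=0
    if [ -n "$missing" ]; then
        printf 'listen on 443 without the ssl parameter (line:text):\n%s\n' "$missing"
        rc=1
    fi
    if [ -n "$legacy" ]; then
        printf "deprecated 'ssl on' directive, remove it and use 'listen 443 ssl' (line:text):\n%s\n" "$legacy"
        rc=1
    fi
    return $rc
}

# Usage: ./lint-tls-listen.sh /etc/nginx/sites-available/EasiestSoft.com
if [ -n "${1:-}" ]; then
    lint_tls_listen "$1" && echo "OK: every listen on 443 has the ssl parameter"
fi
```

Line numbers in the output refer to the original file, since the comment stripping removes text but not lines. Follow up with sudo nginx -t before reloading.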
Test SSL renew
EasiestSoft@ubuntu:~$ sudo certbot renew --dry-run
Cron Job
$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
The above cron job runs every 12 hours. It only proceeds if /usr/bin/certbot is executable and the directory /run/systemd/system does not exist (i.e. the system is not booted with systemd); the perl one-liner then sleeps a random time of up to 43200 seconds (12 hours) before running certbot -q renew, so that renewals from many hosts are spread out.
systemd timer
You can check your systemd timers using command systemctl list-timers
$ systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Thu 2019-07-11 04:27:49 UTC 3h 53min left Wed 2019-07-10 22:58:52 UTC 1h 35min ago certbot.timer certbot.service
The timer unit is /lib/systemd/system/certbot.timer;
it runs the command specified in /lib/systemd/system/certbot.service.
certbot.timer starts certbot.service twice a day, at 12 am and 12 pm.
$ cat /lib/systemd/system/certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
Some tips
- To check that renewal works without user interaction, run
certbot renew --force-renewal
which issues a new certificate immediately, and verify that the certificates were renewed.
- Renewal log: /var/log/letsencrypt/letsencrypt.log
- Renewal configuration for this site: /etc/letsencrypt/renewal/EasiestSoft.com.conf
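A cheap way to verify that the timer or cron job is really renewing is to read the notAfter date of the live certificate: certbot renews inside the last 30 days, so a certificate with fewer days left than that means renewal is not happening. The following script is an added example, not part of the tutorial or of certbot; it assumes GNU date (as on Ubuntu) and openssl, and uses the tutorial's certificate path by default.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report how many days remain on a
# certificate and warn when it is inside certbot's 30-day renewal window.
# Assumes GNU coreutils date and the openssl CLI.

# Prints the number of whole days until the certificate in $1 expires.
days_until_expiry() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    # GNU date parses openssl's "Mon DD HH:MM:SS YYYY GMT" form directly
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Returns 0 when more than $2 days (default 30, certbot's own threshold) remain, 1 otherwise.
check_cert_freshness() {
    cert="$1"
    threshold="${2:-30}"
    left=$(days_until_expiry "$cert")
    if [ "$left" -le "$threshold" ]; then
        echo "WARNING: $cert expires in $left days; run 'certbot renew --dry-run' and read /var/log/letsencrypt/letsencrypt.log"
        return 1
    fi
    echo "OK: $cert expires in $left days"
    return 0
}

# Usage (the live directory is root-only, so run with sudo):
#   sudo ./check-cert.sh /etc/letsencrypt/live/EasiestSoft.com/fullchain.pem
if [ -n "${1:-}" ]; then
    check_cert_freshness "$1"
fi
```

The same function works for any PEM certificate, so it can be dropped into a monitoring job that reads every fullchain.pem under /etc/letsencrypt/live.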
Reference:
- https://devops.stackexchange.com/questions/3757/how-to-install-certbot-plugins
- https://certbot-dns-digitalocean.readthedocs.io/en/latest/
- https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
©2012-2019 EasiestSoft