Certbot, a Let’s Encrypt Client
I have been using Let’s Encrypt SSL/TLS certificates since they were available in open beta. Because back then there wasn’t any packaged client to obtain your certs, I went with the letsencrypt and later certbot GitHub vanilla install.
That worked very well but was a little bit cumbersome. The benefit was primarily to be up to date with the latest version and features.
In May 2016 the letsencrypt client became “certbot”.
certbot vanilla install via git
    cd /opt
    git clone https://github.com/certbot/certbot.git
Obtain a new certificate in webroot mode:
    cd /opt/certbot
    ./certbot-auto certonly -a webroot --webroot-path /var/www/letsencrypt \
        -d www.example.com -d example.com \
        --agree-tos --text --non-interactive --email hostmaster@example.com
To renew, run:
    # renew not earlier than 30 days before expiry
    /opt/certbot/certbot-auto renew
To update certbot and pull in any changes just run git:
    cd /opt/certbot
    git pull
Over time, your local clone of certbot clutters with stale branches. That’s not really a problem. But if you want it tidy you might run an occasional git remote prune origin after your pull.
Today certbot is available in all major Linux distributions.
But if you want the latest and greatest it might be necessary to pick a specific repository.
Ubuntu 16.04 with the latest certbot
In Ubuntu Xenial aka 16.04 there is a PPA with up-to-date versions available. To install, run:
    apt-get update
    apt-get install software-properties-common
    add-apt-repository ppa:certbot/certbot
    apt-get update
    apt-get install certbot
This package installs a very convenient cron job which takes care of automatic cert renewal:
    # /etc/cron.d/certbot: crontab entries for the certbot package
    #
    # Upstream recommends attempting renewal twice a day
    #
    # Eventually, this will be an opportunity to validate certificates
    # haven't been revoked, etc.  Renewal will only occur if expiration
    # is within 30 days.
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
This cron job reliably renews any due certificates. The random sleep spreads renewal attempts across the twelve-hour window instead of hammering the CA at the same minute from every host, and the `! -d /run/systemd/system` test makes the cron entry step aside on systemd hosts, where the package’s systemd timer runs the renewal instead. Awesome.
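A renewal job that silently stops working (a changed webroot path, a rate limit, a broken PPA update) only shows up when the certificate expires, so it is worth checking from the outside. The following is an added example, not code from the post or from certbot: it fetches the certificate a live host presents and grades its remaining lifetime against the 30-day window quoted in the cron file above. The host name is a placeholder taken from the post, and the timestamp helper and status labels are my own.

```python
"""Grade a deployed certificate against certbot's 30-day renewal window."""
import datetime as dt
import socket
import ssl

RENEW_WINDOW_DAYS = 30  # certbot renews once expiry is within 30 days


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (helper for tests and callers)."""
    return dt.datetime(year, month, day, hour, minute, tzinfo=dt.timezone.utc)


def days_until_expiry(not_after, now):
    """Days left on a certificate. not_after is the string form the ssl
    module uses, e.g. 'Jun  1 12:00:00 2025 GMT' (from getpeercert())."""
    expiry = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                       tz=dt.timezone.utc)
    return (expiry - now).total_seconds() / 86400


def renewal_status(not_after, now, window_days=RENEW_WINDOW_DAYS):
    """'ok' outside the window; 'due' inside it, which on a live host means
    certbot should already have renewed and the cron job needs a look;
    'expired' once notAfter has passed."""
    left = days_until_expiry(not_after, now)
    if left < 0:
        return "expired"
    if left <= window_days:
        return "due"
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Return the notAfter field of the certificate a live host presents.
    The default context verifies the chain, so a broken chain raises too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = "www.example.com"  # placeholder from the post; use your own host
    not_after = fetch_not_after(host)
    now = dt.datetime.now(dt.timezone.utc)
    print(host, not_after, "%.1f days left," % days_until_expiry(not_after, now),
          renewal_status(not_after, now))
```

Run it from a monitoring host and alert on anything other than "ok"; a "due" result from a host that the cron job is supposed to cover is the early warning you want.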