Using certbot to obtain and renew Let's Encrypt SSL certificates
1. webroot plugin
We will use this plugin because it is the least intrusive one that still offers automated authentication. That is, it will not configure your web server to use SSL or the certificate you have just obtained, but it will automate the steps you have to follow to obtain and renew your certificate.
To be able to use this plugin, you have to:
- have a shell account on your web server system and be able to acquire root privileges via su or sudo
- know the path(s) of your domain(s)' document root directories
- be sure your server has no problem serving files located within hidden directories (that is, directories whose name starts with a dot), and
- have certbot installed on your web server system.
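The second and third prerequisites can be verified before touching certbot: plant a test file in the directory the webroot plugin writes its HTTP-01 challenge tokens into (.well-known/acme-challenge/ under the document root) and fetch it back through the web server over plain HTTP. The script below is an added example and not part of the original page; it assumes curl is installed, that the domain already answers on port 80, and that it is run as a user who can write to the document root. The domain and path in the usage line are the page's hypothetical ones.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight check that the
# document root serves files under the hidden .well-known/ directory, which
# is where certbot's webroot plugin writes its HTTP-01 challenge tokens.
# Assumes curl is installed and the domain is already served over plain HTTP.

# Directory the webroot plugin writes challenge files into.
challenge_dir() {
    printf '%s/.well-known/acme-challenge' "$1"
}

# Create a throwaway probe file in the challenge directory; print its name.
write_probe() {
    dir=$(challenge_dir "$1")
    mkdir -p "$dir"
    token="webroot-probe-$$-$(date +%s)"
    printf 'webroot ok %s\n' "$token" > "$dir/$token"
    printf '%s' "$token"
}

# Fetch the probe through the web server and compare it with the file on
# disk. Returns 0 when the server hands back exactly what was written.
check_webroot() {
    domain=$1
    webroot=$2
    token=$(write_probe "$webroot")
    probe="$(challenge_dir "$webroot")/$token"
    expected=$(cat "$probe")
    if got=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token"); then
        status=0
    else
        status=1
    fi
    rm -f "$probe"
    [ "$status" -eq 0 ] && [ "$got" = "$expected" ]
}

# Usage: sh webroot-check.sh myprettydomain.net /var/www/myprettydomain
if [ "$#" -eq 2 ]; then
    if check_webroot "$1" "$2"; then
        echo "OK: $2 serves .well-known/acme-challenge/ for $1"
    else
        echo "FAIL: $1 does not serve files from $2/.well-known/acme-challenge/" >&2
        exit 1
    fi
fi
```

A failure here usually means a wrong document root, a vhost that does not answer on port 80 for that name, or a server rule that blocks dot-directories; all three are cheaper to fix before certbot starts counting failed validations against you.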
2. Before using certbot
If you are not already serving your domain(s) over SSL, you could first configure your web server to use SSL on your domain(s) with a self-signed certificate and verify that it works. That way you separate that procedure from the task of obtaining a CA-signed certificate. Still, you can use the webroot method even if your web server isn't yet configured to work with SSL.
3. Doing the job
Bear in mind that the first time you use certbot it will create your account on the Let's Encrypt side and, in order to do so, it will ask for your email address and for you to accept Let's Encrypt's terms of use.
So, supposing your only domain name is myprettydomain.net and its document root is /var/www/myprettydomain, you'll issue:
sudo certbot certonly --webroot -w /var/www/myprettydomain -d myprettydomain.net
... and, voilà, you'll have your shiny new Let's Encrypt-signed SSL certificate (after entering your email address and accepting the terms of use if it's your very first operation with Let's Encrypt).
The net result is that you have a link at /etc/letsencrypt/live/privkey.pem to your certificate's private key and another at /etc/letsencrypt/live/cert.pem to your new certificate.
The first one is the path you should use for Apache's SSLCertificateKeyFile or Nginx's ssl_certificate_key; the second one for Apache's SSLCertificateFile or Nginx's ssl_certificate.
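Before pointing Apache or Nginx at those two files it is worth confirming that the key really belongs to the certificate and that the certificate covers the name you asked for: a mismatched pair makes the server refuse to start, and a missing name makes browsers reject the site. The following is an added example, not code from the page or from certbot; it assumes openssl is installed and takes the key path, the certificate path and the expected domain as arguments. Note that certbot keeps its links in one directory per certificate, named after the first domain, so with the page's example the files are /etc/letsencrypt/live/myprettydomain.net/privkey.pem and /etc/letsencrypt/live/myprettydomain.net/cert.pem.

```shell
#!/bin/sh
# Added example, not from the original page or from certbot: sanity-check a
# key/certificate pair before configuring the web server with it.
# Assumes openssl is installed.

# SHA-256 fingerprint of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the private key matches the certificate.
key_matches_cert() {
    [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Prints the DNS names the certificate is valid for, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Returns 0 when the certificate lists the given DNS name.
cert_covers() {
    cert_dns_names "$1" | grep -qx "$2"
}

# Usage: sh check-pair.sh privkey.pem cert.pem myprettydomain.net
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; exit 1; }
    cert_covers "$2" "$3" || { echo "certificate does not cover $3" >&2; exit 1; }
    echo "OK: $2 matches $1 and covers $3"
fi
```

Comparing public-key fingerprints rather than RSA moduli keeps the check independent of the key type, so it works unchanged for ECDSA certificates.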
4. Renewal
Bear in mind that Let's Encrypt certificates are, at the time of writing, valid for only three months, so you have to pay attention to renewal. The easiest and preferred way of doing it is to use certbot's renew command. Not only does it renew all the certificates close to expiry and only those, it can also be easily integrated into the system-wide crontab to automate certificate renewal.
This is what you can do (the file needs a shebang line and the executable bit, otherwise cron's run-parts will not run it):
printf '%s\n' '#!/bin/sh' "certbot renew 2>&1 | mail -s 'web server certificate renewal' whoever" > /etc/cron.weekly/certbot
chmod +x /etc/cron.weekly/certbot
... but note that if you are using a certbot package included in your distribution, it likely already includes some cron-based method to renew your certificates.