FREE Let's Encrypt SSL certificate via Certbot and auto renew

SSL certificate from Let's Encrypt is free. That is the the whole point of why people are getting Let's Encrypt's SSL certificate. Their SSl are supported in all modern browsers. The only con is the certificate expire in 3 months. However, we can make the renewing process easier with cron.

This guide is for server that already have https setup correctly, and will NOT cover how to setup https or modify server ssl configuration file.

Step 1, get Let's Encrypt's client: Certbot.

Most systems already have Certbot package in the repository. You can check and follow the installation step from

*You can add more domain to above command if you like.

Step 2, use CertBot to get SSL certificate for domain1 and domain2.

*We only need CertBot to generate certificate only in this case and we don't want CertBot to touch SSL configuration file.

./certbot certonly --email -d -d -d -d

Pick 1-3 for according to your server setup if you see below feedback.

How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache)
2: Place files in webroot directory (webroot)
3: Spin up a temporary webserver (standalone)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 

CertBot will automatically verify your domain(s), generate key, and create CSR. Your will see Congratulation! note after all processes are completed. Total about 20 seconds.

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert
   will expire on 2017-02-31. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

Step3, check if your SSL certificate is in /etc/letsencrypt/live/ folder. You should have below files.

privkey.pem  : the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem    : used for OCSP stapling in Nginx >=1.3.7.
cert.pem     : will break many server configurations, and should not be used without reading further documentation.

Step 4, point your SSL certificate, private key, and chain to the new generated SSL certificate location with correct names.

(How to? please refer to this guide: Configuring HTTPS servers)

Step 5, create a auto renewal check task to have your server run CertBot to check the certification expiration date everyday to make sure your SSL is not expired.

certbot renew --noninteractive --renew-hook 'sudo systemctl reload nginx'

Leave a Reply

Your email address will not be published. Required fields are marked *