SSL certificates do not work forever, most of them need to be updated on an annual cycle, and sometimes you want to change the type of the SSL certificate in the middle of the cycle. For many developers, this may be the first time that they must get their hands dirty on a server, and they may find the whole prospect of .key and .crt files a little challenging.
Let’s Encrypt has literally changed the way we get, install and use SSL certificates. Thanks to automated procedures, as you will see in a few seconds, everyone can get free SSL certificates from Let’s Encrypt and install them in a matter of minutes, automatically.
- know about Let’s Encrypt.
- have basic command line skills.
- know about SSL.
- have shell access (direct or SSH) to your web server.
- already have a web server up and running.
- already have configured a firewall to open ports 80 and 443.
- own the domain name(s) you will configure (if not don’t try to obtain a certificate…)
Obtaining a Certificate
Step zero in all of this - obtaining your certificate.
Comodo Positive SSL certificates and Let’s Encrypt certificates are the two most popular SSL certificates currently used on the Internet. You can get a Comodo Positive SSL certificate issued for up to two years, Let’s Encrypt certificates expire every 90 days. Although this is 8 times more installations, if you follow the free route, this guide will show you how you can automate this process and you will never have to worry about it.
This guide will not cover this in detail, but if you need help, check out this guide.
1. Check SSL cert valid date
openssl x509 -in domain.crt -noout -enddate
2. Transfer the new certificate files
This step depends on who your SSL service provider is. I get this service from DigitalOcean and need to go to DigitalOcean to get new crt files. There are two crt files which you need to download.
Then you need to use the SCP command to copy these files to your server. If you forget the target location, simply go to your Nginx’s conf file to check the ssl_certificate parameter.
The ssl_certificate is your primary certificate; ssl_certificate_key must be a key file generated when creating a CSR.
NOTE: You will only update the expired SSL certificate, you do not need to do anything with the key file.
3. Concatenate the SSL and intermediate certs
You need to backup or delete the existing expired domain.crt first and then concatenate the two new crts.
cat 29393****.crt gd_bundle-g2-g1.crt >> domain.crt
4. Update Nginx config file
If you change the location of your SSL certificates, you need to update Nginx to know where they are. Find the Nginx configuration file and enter the full path to your your_domain_com.crt SSL server certificate and private key files.
Since Nginx version 0.7.14 the preferred way of enabling SSL is by using the ssl parameter of the listen directive:
listen 443 default ssl;
5. Test Nginx config
After making changes to the configuration file, it is recommended to check the file for syntax errors before restarting NGNIX. The following command will determine if there are any errors:
sudo nginx -t -c /etc/nginx/nginx.conf
6. Restart Nginx
New configuration changes require a restart of the server. Use the following command to restart the NGINX server:
sudo nginx -s reload
7. Verify installation
Check your SSL certificate using a browser to connect to your server using the https protocol. For example, if your SSL was issued to secure.mysite.com, enter https://secure.mysite.com in your browser.
Your browser's padlock icon will be displayed in a locked position if your certificate is installed correctly and the server is properly configured for SSL.
Installing an SSL certificate can be complicated but using Let Encrypt's Certbot client makes the whole process extremely simple.
1. Install CertBot client
Before you automate the Let’s Encrypt certificate renewal, you need to install Certbot. Certbot is the official Let’s Encrypt client and the easiest way to get a certificate. After connecting to your web server, open a terminal and type the commands appropriate for your CentOS installation:
sudo yum install epel
sudo yum install certbot
Now you need to install the plugin associated with your web server, this step is only for CentOS 7. Certbot currently supports several plugins.
sudo yum install certbot-apache
sudo yum install certbot-nginx
Alternate installation methods
If you are offline or your operating system does not provide a package, you can use an alternative method to install certbot.
The certbot-auto shell script installs Certbot, getting some dependencies on your web server’s OS and putting others in a python virtual environment. You can download and run it as follows:
wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto
The certbot-auto command automatically updates to the latest client release. Since certbot-auto is a wrapper for certbot, it takes the same command line flags and arguments. For more information, see Certbot command-line options.
For complete command line help, you can type:
You can verify that it was installed correctly by issuing the ls command to view the package.
After you locate your Cerbot-Auto package, the next step is to move the certbot-auto package to the /etc/letsencrypt/ directory.
sudo mv certbot-auto /etc/letsencrypt/
2. Setup Let's Encrypt certificate
If your website is running a web server with a supported plugin, you can use Certbot to automatically obtain and install a certificate.
sudo certbot --apache
sudo certbot --nginx
The interactive procedure will guide you through all the information needed to sign the certificate. If you have multiple virtual hosts/domains configured, Certbot will ask you to select the domains included in the new certificate.
If you do not trust Certbot to automatically install a certificate, you can generate only a certificate (and install it manually later) using the certonly parameter:
sudo cerbot --apache certonly
Here’s the output for a successful certificate issued:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/YOURSITE.TLD/fullchain.pem. Your cert will
expire on DATE. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. Automating renewal with cron
Whatever procedure you follow, you now have a certificate. Since Let’s Encrypt! certificates are short-lived (90 days) you should renew them before they expire. You can do this manually (every 90 days) or automate the process using cron and the Certbot client.
Before setting up the automatic renewal process, you can test with the following command:
sudo certbot renew --dry run
If the certificate is installed correctly and everything is in order, near the end you will receive a message like this, and you can continue:
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all updates completed successfully. The following certificates have been renewed:
If you installed the Certbot package using apt – Good news! You do not need to configure Certbot cron because it is already configured for you!
If you installed Certbot manually (for CentOS 6) – You will have to set up Certbot cron manually, but do not be afraid! This is an easy set-and-forget procedure!
To open your crontab file, execute the following command:
sudo crontab -e
Now that you have opened your crontab file, the next step is to add a script to the bottom of the crontab file that will run once a week and automatically renew the SSL certificates if they are about to expire.
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot renew && /etc/init.d/apache2 restart
45 2 * * 6 cd /etc/letsencrypt/ && ./certbot renew && /etc/init.d/nginx reload
4. Basic auto-renew testing
To test the automatic update script for errors, you can quickly perform a 'dry run' - a process in which the automatic update script will run without renewing the certificates. To perform a 'dry run', execute the following two commands:
cd /etc/letsencrypt/ && ./certbot renew --dry-run && /etc/init.d/apache2 restart
cd /etc/letsencrypt/ && ./certbot renew --dry-run && /etc/init.d/nginx reload
Congratulations! You have successfully configured your Let's Encrypt SSL certificates to automatically renew before they expire.
If you want to test the renewal process, go to the next step (optional). Since the script updates the certificates one month before the expiration date, you can use a SSL Checker to verify if the certificates have been successfully updated.
5. (Optional) Advanced auto-renew testing
In this optional test section of the tutorial, you will learn how to use the --force-renew command to simulate certificate renewal in a real environment.
To get started, check the current date and time on your web server. To do this, issue the date command.
Write down the date and time - either paste it into Notepad or write it down on a piece of paper. For example, I would write down 15:34:44.
5.1. Check current expiry date
Now that you recorded your system's current date and time, the next step is to check if your certificate is currently set to expire. To do this, execute the following command:
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/example.com/cert.pem
Note: Make sure to replace example.com with your own domain name.
Preliminary checking of the expiration date of your SSL certificate will allow you to check if the auto-update script works correctly.
Remember the date and time when the certificate was issued - either paste it into Notepad or write it down on a piece of paper.
Based on the above example, I would write down 18:04:49.
5.2. Force Crontab script
Run the command sudo crontab -e to re-open your crontab file.
In this example, the date and time stamp of my web server showed 15:34:44. So, I would like the auto-renew script to execute a few minutes after 15:34:44 at 15:39:00.
To test the auto-renew script, you will need to temporarily change the script time and renew command. The numbers under m and h represent the time (minute and hour) when you want the script to execute (15:39:00 in the image above).
To test the auto-renew script, you will need to temporarily change the script time and renew command. The numbers under m and h represent the time (minute and hour) when you want the script to execute (15:59:00 in the image above).
59 15 * * * cd /etc/letsencrypt/ && ./certbot renew --force-renew && /etc/init.d/apache2 restart
59 15 * * * cd /etc/letsencrypt/ && ./certbot renew --force-renew && /etc/init.d/nginx reload
After the time at the beginning of the script (in this example, 15:59), check the system log to ensure that the script has been successfully executed.
To check the system log, navigate to the log directory by running cd /var/log/.
Next, print your system log to your screen by executing the command cat syslog.
If your test is successful, you will notice that the crontab script appears in your Apache or Nginx system logs, indicating whether the script was successfully executed.
5.3. Check if renewal was successful
To check if the renewal was successful, return to your home directory by running the command cd, then run the following command, replacing example.com with your domain name.
sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/example.com/cert.pem
After running the auto-renew Certbot script, you should notice that the expiration dates of your SSL certificate have changed and have moved to 3-months in the future.
It is also recommended to double-check with an online SSL certificate checker to make sure that your updated certificates are recognized.
5.4. Revert crontab script to default
Now that testing is complete, remember to change your crontab script to its default value from step 3 of this tutorial! The original crontab script was set to execute every Saturday at 2:45am.
Now that you have configured auto-renewal for your Let's Encrypt SSL certificates, you no longer need to worry about updating them again!
If you have any questions or comments about this tutorial, please leave them below.