Note To Past Self: Use Certbot

Free, ubiquitous SSL certificates as provided by Let’s Encrypt have helped make the Internet a safer place by ensuring your personal details, passwords, internet searches and even which URL on any site you visit are un-snoopable.

Booko’s used SSL for most of its time on the Internet. In the bad old days, it was a tedious process to apply for and receive SSL certificates often involving using OpenSSL on the command line. Not only do you need to remember to renew your certificates in time, you need to remember to renew them early enough that you can relearn the skills needed to renew your certificates.

Not long after Let’s Encrypt appeared, I wrote some Ruby scripts which provided some amount of automation using the http-01 challenge and later, once I’d moved domains over to DNSimple, DNS-01 challenge.

These were definitely a step up from OpenSSL, but I still needed to run them every 90 days and to remember which script used DNS and which used HTTP. Somewhat less tedious.

I’m not sure why I didn’t use Certbot earlier, but now I’ve bitten the bullet, I’ve automated all the things. The simplest approach for me, is the HTTP-01 challenge. Booko use Nginx for most of the services it needs and the easiest way to make it all work was to use the certonly approach with a specified webroot. In your Nginx port 80 server stanza, add a location section such as:

    location '/.well-known/acme-challenge' {
      default_type "text/plain";
      root        /var/www/lets;
    }

When Let’s Encrypt attempts to validate the file it provides, it hits that well-known path on your web server. Once that’s in place, run certbot as root:

certbot certonly -d booko.info -d www.booko.info -d booko.com.au -d www.booko.com.au

When asked, set your webroot value to the value specified above: /var/www/lets in this case.

If all goes smoothly, you’ll find your certificates and keys in /etc/letsencrypt/live/<your domain>/ directory. Update your SSL configuration to point to these files.

Running certbot renew does what it says – renews the certificates provided they’re within 30 day of expiring. The version of certbot I use also adds a cronjob to /etc/cron.d/. You can list all your cron jobs with this command: systemctl list-timers – that list should include a certbot renew job. Now delete that calendar entry reminding you to renew your certificates!

Leave a comment