Certbot: Automating Nginx SSL Renewal

Received a certificate renewal notification from Tencent Cloud, but when applying for a new certificate, I found out that Tencent Cloud no longer offers free one-year certificates:

Starting from April 25, 2024, the validity period of new free certificates issued by Tencent Cloud will be adjusted to 90 days.

Since I’ve always updated certificates manually, doing it every three months felt tedious, so I decided to try Certbot from Let's Encrypt. My only concern was how to prove ownership of a subdomain. After trying it out, I realized this wasn’t an issue at all: Certbot proves control of the name by answering an ACME challenge. With the --nginx plugin this is the HTTP-01 challenge: Certbot temporarily adds a location block serving /.well-known/acme-challenge/ to the Nginx configuration, reloads Nginx, lets the CA fetch the challenge response, and then removes the block again. It touches nothing else on the site and only obtains certificates. The one requirement this implies is that port 80 of the host must be reachable from the Internet while validation runs.
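To make the HTTP-01 exchange concrete, here is an added example of what gets served at /.well-known/acme-challenge/ and how the CA checks it. This is my illustration, not code from Certbot or from the original post: the function names are mine, and the account JWK and token below are constructed toy values (the modulus is far too short to be a real key). The computation itself follows RFC 7638 (JWK thumbprint) and RFC 8555 section 8.1 (key authorization).

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed toy public JWK for illustration only; not a real key. In practice
# this is the public half of the ACME account key Certbot registered.
EXAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "qL8R4QIZ9Q2A3bT7c9KzB0wY"}

# RFC 7638, section 3.2: only the required public members of each key type take
# part in the thumbprint, sorted lexicographically and serialised without whitespace.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037
}

# ACME tokens are base64url without padding (RFC 8555, section 8.3). Reject
# anything else before the token is used to build a URL path or a file name.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """Canonical JSON of the required members of the key, per RFC 7638."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
        subset = {k: jwk[k] for k in members}
    except KeyError as exc:
        raise ValueError(f"unsupported or incomplete JWK: missing {exc}") from exc
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JSON, base64url-encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555, section 8.1: keyAuthorization = token || '.' || thumbprint."""
    if not _TOKEN_RE.match(token):
        raise ValueError("token is not unpadded base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_response(token: str, jwk: dict) -> tuple:
    """What the client must serve over plain HTTP on port 80: the path and the
    exact body (text/plain). Certbot's nginx plugin does this with a temporary
    location block; this function only computes the two values."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def verify_key_authorization(token: str, body: str, account_jwk: dict) -> bool:
    """The CA side: recompute the expected value from the account key it has on
    file and compare it with the fetched body. The RFC tells the server to ignore
    trailing whitespace; the comparison is constant-time out of habit."""
    try:
        expected = key_authorization(token, account_jwk)
    except ValueError:
        return False
    return hmac.compare_digest(body.rstrip().encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    token = "tok_example-123"  # constructed; real tokens are chosen by the CA
    path, body = challenge_response(token, EXAMPLE_ACCOUNT_JWK)
    print("serve at:", path)
    print("body:    ", body)
    print("CA check:", verify_key_authorization(token, body, EXAMPLE_ACCOUNT_JWK))
```

The point to take away is that the body ties the challenge token to the account key: a third party who can read the file cannot reuse it for their own ACME account, and a web server that serves the path for any token without validating its characters is exposing itself to path games for no benefit.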

Here are the configuration steps for Certbot. In fact, it’s very simple and only requires running a few commands.

Installing Certbot

Here, I chose to install Certbot using apt instead of the recommended snap. Personally, I find snap to be too heavy compared to the lightweight nature of apt. I also prefer not to see a bunch of unnecessary snap entries cluttering the output of df -lh.

$ apt update
$ apt install certbot

Obtaining a Certificate

The command to obtain a certificate is straightforward:

$ certbot certonly --nginx -d yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

If you encounter the error: The requested nginx plugin does not appear to be installed, you need to install the following package:

$ apt install python3-certbot-nginx

Afterward, simply repeat the command:

$ certbot certonly --nginx -d yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xx@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for yourdomain.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2025-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Since this is the first time Certbot runs, it asks a few questions: a contact email address (used for expiry and security notices), agreement to the terms of service, and whether to share the address with the EFF. Once completed, the certificate files are stored under /etc/letsencrypt/live/yourdomain.com/. The files there are symlinks into /etc/letsencrypt/archive/, which is why the paths stay stable across renewals. Certbot keeps these directories readable by root only, and privkey.pem itself is root-only as well, so point Nginx at them as they are rather than copying the key elsewhere or loosening permissions; the Nginx master process runs as root and reads the key before it spawns the unprivileged workers.

For subsequent runs the account is already registered, so these questions are not asked again and issuance completes with a single command. (Routine renewal is better left to certbot renew, used in the cron job below: it needs no domain argument, covers every certificate Certbot manages on the host, and only renews those within 30 days of expiry.)

$ certbot certonly --nginx -d yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for yourdomain.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2025-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Updating the Website's Certificate File Path

The website's server block is located at /etc/nginx/sites-available/yourdomain.com. Point the following two directives at the Certbot paths (use fullchain.pem rather than cert.pem so that the intermediate certificate is sent to clients; otherwise some of them will fail to build the chain):

server {
    server_name yourdomain.com;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ...
}

After making the changes, test the Nginx configuration to ensure it’s correct:

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload Nginx to apply the changes (a reload replaces the workers gracefully, so existing connections are not dropped):

$ nginx -s reload

Configuring Automatic Certificate Renewal

Create a new cron job:

$ sudo crontab -e

Add an entry that runs the renewal check every day at 3:28 AM. certbot renew only renews certificates that are within 30 days of expiry, so a daily run is cheap and leaves many chances to recover if one attempt fails:

28 3 * * * certbot renew --nginx --quiet

Two caveats. First, the line "Certbot has set up a scheduled task to automatically renew this certificate in the background" in the output above is literal: the Debian and Ubuntu certbot packages install a systemd timer (certbot.timer) that already runs certbot renew twice a day, so check whether it is active with systemctl list-timers certbot.timer before adding a duplicate. Second, a renewed certificate only takes effect once Nginx reloads. Certbot reloads Nginx when the nginx installer is recorded in the certificate's renewal configuration; if you are not sure, make it explicit by appending --deploy-hook "systemctl reload nginx" to the command, which runs only when a certificate was actually renewed. Before relying on either schedule, run certbot renew --dry-run once: it exercises the whole renewal path against the Let's Encrypt staging environment without consuming rate limits.
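A renewal that silently fails is usually noticed only when browsers start showing warnings, so here is an added example (mine, not part of the original post or of Certbot) of a small check that a separate cron job or monitoring system can run: it parses the output of openssl x509 -noout -enddate for the live fullchain.pem, computes the days left, and reports whether the certificate is inside Certbot's default 30-day renewal window, overdue, or already expired. The certificate path, the 20-day "late" threshold and the exit codes are my assumptions; the sample notAfter line is constructed to match the expiry date Certbot printed above.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional

# Certbot's default renew_before_expiry: `certbot renew` replaces a certificate
# once it is within this many days of expiry.
RENEW_BEFORE_DAYS = 30
# Assumption for this check: if the certificate is still the old one with this
# many days left, the scheduled renewal has had ten days to run and has not.
ALERT_BEFORE_DAYS = 20

# Path from the post; adjust to your own domain.
DEFAULT_CERT_PATH = "/etc/letsencrypt/live/yourdomain.com/fullchain.pem"

# Constructed sample of what `openssl x509 -noout -enddate` prints; the date
# matches the expiry Certbot reported in the output above.
SAMPLE_ENDDATE_LINE = "notAfter=Feb 15 23:59:59 2025 GMT"

_ENDDATE_RE = re.compile(r"^notAfter=(.+?)(?: GMT)?\s*$")


def parse_enddate(line: str) -> datetime:
    """Turn 'notAfter=Feb 15 23:59:59 2025 GMT' into an aware UTC datetime.
    OpenSSL pads single-digit days with a space ('Feb  5 ...'); strptime treats
    whitespace in the format as 'one or more', so that form parses too."""
    m = _ENDDATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unexpected -enddate output: {line!r}")
    naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: datetime, now: Optional[datetime] = None) -> int:
    """Whole days left; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def renewal_due(not_after: datetime, now: Optional[datetime] = None,
                window_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True when `certbot renew` would (or should already) act on this certificate."""
    return days_until_expiry(not_after, now) <= window_days


def status(not_after: datetime, now: Optional[datetime] = None) -> str:
    """'ok', 'renewal-window' (renewal pending, normal), 'late' (renewal should
    have happened by now: investigate the timer/cron) or 'expired'."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired"
    if days <= ALERT_BEFORE_DAYS:
        return "late"
    if renewal_due(not_after, now):
        return "renewal-window"
    return "ok"


def read_enddate(cert_path: str) -> datetime:
    """Ask the system OpenSSL for the certificate's notAfter (needs the binary)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_enddate(out)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CERT_PATH
    not_after = read_enddate(path)
    state = status(not_after)
    print(f"{path}: expires {not_after:%Y-%m-%d}, "
          f"{days_until_expiry(not_after)} days left, {state}")
    # Exit codes chosen for cron/monitoring: 0 fine, 1 late, 2 expired.
    sys.exit({"ok": 0, "renewal-window": 0, "late": 1, "expired": 2}[state])
```

Run it from a second cron entry or your monitoring agent and alert on a non-zero exit code. Checking the file on disk is deliberate: it tells you whether Certbot did its job independently of whether Nginx was reloaded afterwards, which is the other failure mode the deploy hook above exists to cover.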