Certbot: Automating Nginx SSL Renewal
Received a certificate renewal notification from Tencent Cloud, but when applying for a new certificate, I found out that Tencent Cloud no longer offers free one-year certificates:
Starting from April 25, 2024, the validity period of new free certificates issued by Tencent Cloud will be adjusted to 90 days.
Since I’ve always updated certificates manually, doing it every three months feels quite tedious. So, I decided to explore Certbot from Let's Encrypt. My only concern was how to prove ownership of a subdomain. After trying it out, I realized this wasn’t an issue at all, as Certbot only issues certificates and doesn’t pose any threat to the website itself.
Here are the configuration steps for Certbot. In fact, it’s very simple and only requires running a few commands.
Installing Certbot
Here, I chose to install Certbot using apt instead of
the recommended snap. Personally, I find snap
to be too heavy compared to the lightweight nature of apt.
I also prefer not to see a bunch of unnecessary snap
entries cluttering the output of df -lh.
$ apt update $ apt install certbot
Obtaining a Certificate
The command to obtain a certificate is straightforward:
$ certbot certonly --nginx -d yourdomain.com Saving debug log to /var/log/letsencrypt/letsencrypt.log The requested nginx plugin does not appear to be installed Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
If you encounter the error:
The requested nginx plugin does not appear to be installed,
you need to install the following package:
$ apt install python3-certbot-nginx
Afterward, simply repeat the command:
$ certbot certonly --nginx -d yourdomain.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): xx@gmail.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N Account registered. Requesting a certificate for yourdomain.com Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem This certificate expires on 2025-02-15. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Since this is the first time running Certbot, you’ll need to answer a
few questions, such as providing an emergency email and agreeing to the
terms of service. Once completed, the certificate files will be stored
in the /etc/letsencrypt/live/yourdomain.com/ directory.
For subsequent renewals, these questions won’t be asked again, and the process can be completed with a single command:
$ certbot certonly --nginx -d yourdomain.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Requesting a certificate for yourdomain.com Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem This certificate expires on 2025-02-15. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Updating the Website's Certificate File Path
The website's certificate configuration is located at
/etc/nginx/sites-available/yourdomain.com. Update the
following two lines:
server { server_name yourdomain.com; listen 443 ssl; ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; ... }
After making the changes, test the Nginx configuration to ensure it’s correct:
$ nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart Nginx to apply the changes:
$ nginx -s reload
Configuring Automatic Certificate Renewal
Create a new cron job:
$ sudo crontab -e
Add an entry to execute the certificate renewal every day at
3:28 AM:
28 3 * * * certbot renew --nginx --quiet
Preview: