Let’s Encrypt SSL certificate issuing and renewal on Ubuntu 16.04 LTS (Setup and Automate)

In this tutorial we’ll show how to obtain free Let’s Encrypt SSL certificates on an Ubuntu 16.04 LTS server. We’ll also show how to automate the certificate renewal process, so that certificates are always up to date and valid.

Let’s Encrypt is a free, automated, and open Certificate Authority (CA). This means that anybody can obtain a free SSL certificate for a domain they control, and it will be recognized as trusted by all major browsers.

Certbot is an automatic client (developed by the EFF) that fetches Let’s Encrypt SSL/TLS certificates for your web server.

Install certbot client

Add the certbot PPA to the list of repositories, update the package list and install certbot together with its Nginx plugin (run these as root):

add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-nginx

Obtain SSL certificate

Obtain an SSL certificate for example.com and www.example.com using certbot’s Webroot plugin:

certbot certonly --webroot -w /path/to/website/root -d example.com -d www.example.com -m [email protected] --agree-tos --non-interactive

Make sure to set your own email address and the path to the website folder (document root). The Webroot plugin writes a validation file under .well-known/acme-challenge/ inside that folder, so the folder must be served over plain HTTP for every name you request, otherwise validation fails.

After the command completes successfully, the folder /etc/letsencrypt/live/example.com will contain symbolic links to 4 files:

  1. fullchain.pem – the SSL certificate followed by the intermediate certificate. Reference this file in the web server configuration when installing the certificate.
  2. cert.pem – the SSL certificate only.
  3. chain.pem – the intermediate SSL certificate only.
  4. privkey.pem – the private key. This file must also be referenced in the web server configuration; keep it readable by root only.

Automatic renewal

The certbot installation added a cron job in /etc/cron.d/certbot which runs twice a day and checks whether any certificates will expire in less than 30 days; such certificates are renewed. We can add a cron job which runs 5 minutes after the certbot cron job and reloads the web server configuration (in our case Nginx), so that if certificates were renewed the web server picks them up. The entry below is in root’s crontab format (crontab -e); if you place it in a file under /etc/cron.d instead, insert the user field, root, before the command:

5 */12 * * * /bin/systemctl reload nginx
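The cron line above reloads Nginx unconditionally twice a day. As an added example (not from the original article), the following wrapper reloads only when fullchain.pem has actually changed since the last successful reload, and retries a failed reload on the next cron run instead of losing it; the script path, the state directory and the reload command are assumptions.

```shell
#!/bin/sh
# Reload Nginx only when the certificate actually changed since the last run.
# Assumed (not from the original page): the script lives at
# /usr/local/sbin/reload-nginx-if-renewed.sh and keeps its state file under
# /var/lib/certbot-reload/. LIVE_DIR matches the page's example domain.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"
STATE_FILE="${STATE_FILE:-/var/lib/certbot-reload/fullchain.sha256}"
RELOAD_CMD="${RELOAD_CMD:-/bin/systemctl reload nginx}"

# Print the SHA-256 of fullchain.pem in the given live directory.
# Fails (exit 1) when the file is missing or unreadable.
cert_fingerprint() {
    [ -r "$1/fullchain.pem" ] || return 1
    sha256sum "$1/fullchain.pem" | cut -d' ' -f1
}

# reload_if_renewed LIVE_DIR STATE_FILE RELOAD_CMD
# Exit status: 0 = certificate changed and reload ran,
#              1 = unchanged, nothing done,
#              2 = error (unreadable certificate or reload failed).
# The state file is only written after a successful reload, so a failed
# reload is retried on the next cron run instead of being silently lost.
reload_if_renewed() {
    live_dir="$1"; state_file="$2"; reload_cmd="$3"
    current=$(cert_fingerprint "$live_dir") || return 2
    previous=""
    [ -r "$state_file" ] && previous=$(cat "$state_file")
    if [ "$current" = "$previous" ]; then
        return 1
    fi
    mkdir -p "$(dirname "$state_file")" || return 2
    sh -c "$reload_cmd" || return 2
    printf '%s\n' "$current" > "$state_file"
    return 0
}

# Cron entry for /etc/cron.d (user field included), five minutes after the
# certbot job, on the same schedule the page uses:
#   5 */12 * * * root /usr/local/sbin/reload-nginx-if-renewed.sh --run
case "${1:-}" in
    --run) reload_if_renewed "$LIVE_DIR" "$STATE_FILE" "$RELOAD_CMD" ;;
esac
```

Run it once by hand with --run after obtaining the certificate so the state file is seeded; from then on cron only reloads Nginx after a real renewal.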