Letsencrypt Certificates

After installing Letsencrypt, you also need to install Cerbot which is required for creating and renewing certificates. Letsencrypt certificates expire every 3months. They can be renewed with a cron job before expiry

Sources

• https://letsencrypt.org/getting-started/
• https://certbot.eff.org/lets-encrypt/debianbuster-apache
• https://www.ceos3c.com/open-source/install-certbot-ubuntu-16-04-auto-cert-renew/

Install Letsencrypt

$ sudo apt install -y letsencrypt

# install certbot
$ sudo apt-get install certbot python-certbot-apache

Generate a certificate for your domain

Get certificates for your domain and sub-domains and have Certbot automatically edit Apache configurations for domains to start using Letsencrypt certificates.

# Certbot will automatically insert certificate info into Apache config files
$ sudo certbot --apache

# this command if you want to edit Apache configs yourself
$ sudo certbot certonly --apache

Sample Apache Config

Example of SSL certificate information added to Apache VHost config files

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost

        ServerName  www.example.com
        ServerAlias www.example.com

        #Redirect "/" "https://www.example.com/www"

        DocumentRoot /var/www/html/www.example.com/public_html/www

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem  ## (certificate file)
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem  ## (key file)
    </VirtualHost>
</IfModule>

Restart Apache web server for changes to take effect

$ sudo systemctl reload apache2.services

See if certificates are due for renewal

This will tell you when your certificates are due for renewal

$ sudo certbot renew --dry-run

Add to crotab auto renew - check daily every two hours

$ crontab -e

0 */2 * * * sudo certbot renew