Install & Configure Certbot on Debian 9
If you want to enable https on your site, you’ll need an SSL certificate from a certificate authority (CA). Remember the old days, when you had to pay an arm and a leg to get an SSL certificate for your site? Those days are over!
Let’s Encrypt (https://letsencrypt.org) is a free, open CA that you can use to obtain SSL certificates for your websites (it’s a beautiful thing). This guide shows you how to install and configure Certbot on both Debian 9 and Ubuntu 16.04 LTS with nginx. Btw, you’ll need shell (SSH) access. If you use cPanel to control your websites, your host will have to provide this setup for you.
At this time, the Debian 9 client must be installed from the Stretch backports. Edit your /etc/apt/sources.list file and add the following:
deb http://ftp.debian.org/debian stretch-backports main
Install the Certbot Client
From a server command line, type in the following command:
Once you’ve downloaded the latest updates, type the following to install the Certbot client:
Ubuntu 16.04 LTS
When installing and configuring Certbot on Ubuntu, there is an nginx client that automates some of the process, which is really nice!
Add the Certbot Nginx Client
Enter the following at your command line. You’ll notice the second command adds a specific certbot PPA to your repository list:
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
Obtain the Certificates (Debian & Ubuntu)
Enter the following command:
You’ll see all of the websites listed with numbers. BE CAREFUL here. Do not hit enter and pull certs for all the sites. Enter in the site numbers separated by commas:
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 128,129
Certbot will then ask whether to force HTTPS. Do this:
Please choose whether HTTPS access is required or optional.
1: Easy – Allow both HTTP and HTTPS access to these sites
2: Secure – Make all requests redirect to secure HTTPS access
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Your site should be ready! The nginx client plugin will automatically add the required information to your nginx server block. If for any reason this doesn’t happen, see the Debian 9 steps above for the required information.
*Note: As of January 2018 the Certbot nginx client has an issue on certain platforms. A fix is in progress, but for now you’ll need to use the following command:
Let’s Encrypt certificates are good for 90 days. To renew any certificates about to expire, the command is:
However, you’ll need to renew them via a cron job. The command to run from cron is:
Make sure /usr/bin/certbot is the correct path. You can test this by trying the line straight from the server command line. Now, to add this to your cron jobs, type in:
Add the following line to your configuration:
The above will check for renewals every day (once a day is recommended). If you’d like assistance on understanding the cron format, visit this site: https://crontab.guru
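Since the certificates only last 90 days, it's worth confirming that the cron job is actually renewing them. The script below is an added example, not part of the original guide: it uses `openssl x509 -checkend` to flag a certificate that has fewer than 30 days left (the margin at which Certbot renews by default). The function names and the self-signed sample certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example: report whether a certificate still has a healthy renewal margin.
# A cert under the margin means the daily renewal cron job is not doing its work.

# cert_status FILE [MIN_DAYS]
# Prints one of: ok, renewal-overdue, expired, unreadable
cert_status() {
    cert=$1
    min_days=${2:-30}
    # A missing or non-certificate file must never be reported as healthy.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 0
    fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo renewal-overdue
    else
        echo ok
    fi
}

# make_sample_cert DAYS OUTFILE
# Constructed self-signed test input (not a Let's Encrypt certificate).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.test" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Demo: a freshly issued 90-day cert and one with only 10 days left.
demo_dir=$(mktemp -d)
make_sample_cert 90 "$demo_dir/fresh.pem"
make_sample_cert 10 "$demo_dir/stale.pem"
echo "fresh: $(cert_status "$demo_dir/fresh.pem")"
echo "stale: $(cert_status "$demo_dir/stale.pem")"
rm -rf "$demo_dir"
```

On a real server, point `cert_status` at the certificate file Certbot wrote for your site (by default under /etc/letsencrypt/live/) and alert on anything other than `ok`.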
And that’s it! Now you can add SSL capabilities to your sites, and let cron handle the certificate renewals. Congrats on installing and configuring Certbot on your Ubuntu 16.04 LTS or Debian 9 server!