Install & Configure Certbot on Ubuntu 16.04 LTS & Debian 9

Written by
on September 6, 2017

If you want to enable https on your site, you’ll need an SSL certificate from a certificate authority (CA). Remember the old days, when you had to pay an arm and a leg to get an SSL certificate for your site? Those days are over!

Let’s Encrypt (https://letsencrypt.org) is an open source CA that you can use to install SSL certificates for your websites (it’s a beautiful thing). This guide shows you how to install and configure Certbot with nginx on both Debian 9 and Ubuntu 16.04 LTS. By the way, you’ll need shell (SSH) access. If you use cPanel to control your websites, your host will have to provide this setup for you.

Debian 9

At the time of this writing, there isn’t a Debian 9 client. This simply means you’ll have to use certbot without any configuration automation. Plugins simply do some steps for you, but don’t worry: installing and configuring certbot is a walk in the park.

Install the Certbot Client

From a server command line, type in the following command:

$ sudo apt-get update

Once you’ve downloaded the latest updates, type the following to install the Certbot client:

$ sudo apt-get install certbot

Obtain a Certificate

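Use the certonly command to obtain a certificate. The --standalone option makes Certbot run its own temporary web server to answer the CA’s validation request, so the port it needs must be free: stop nginx before running the command and start it again afterwards. Type the following at the command line:

$ sudo certbot certonly --standalone -d outergain.com -d www.outergain.com

The above command requests a certificate for both outergain.com and www.outergain.com. The certificate files are stored under the /etc/letsencrypt/ folder.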

If there were a Debian 9 client, it would automatically edit your server block file. Instead, you’ll need to add the following to the server block yourself, adjusting for your domain name:

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/outergain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/outergain.com/privkey.pem; # managed by Certbot

if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot
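
A quick check for the hand-edited server block, as an added example that is not part of the original guide: it confirms the directives listed above are present and point at the right files, and flags typographic quotes picked up when copying from a web page. The function names and the sample config are constructed for illustration, and it assumes the certificate directory is named after the first -d domain.

```sh
#!/bin/sh
# Added example, not part of the original guide: lint a hand-edited nginx
# server block. check_tls_block returns the number of problems it found.

# Value of a one-argument directive, with comments and the trailing ';' removed.
directive_value() {  # $1 = file, $2 = directive name
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { sub(/;$/, "", $2); print $2; exit }'
}

check_tls_block() {  # $1 = server block file, $2 = first -d domain given to certbot
    file=$1; live="/etc/letsencrypt/live/$2"; problems=0
    problem() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    sed 's/#.*//' "$file" |
        grep -Eq '^[[:space:]]*listen[[:space:]]+([^;]*:)?443[[:space:]]+ssl' ||
        problem "no 'listen 443 ssl;' directive"
    cert=$(directive_value "$file" ssl_certificate)
    [ "$cert" = "$live/fullchain.pem" ] ||
        problem "ssl_certificate is '$cert', expected $live/fullchain.pem"
    key=$(directive_value "$file" ssl_certificate_key)
    [ "$key" = "$live/privkey.pem" ] ||
        problem "ssl_certificate_key is '$key', expected $live/privkey.pem"
    sed 's/#.*//' "$file" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://' ||
        problem "no 301 redirect to https://"
    # nginx only treats ASCII quotes as quoting. Curly quotes pasted from a web
    # page become part of the string, so $scheme never equals it.
    if grep -q -e '“' -e '”' "$file"; then
        problem "typographic quotes in the config"
    fi
    return "$problems"
}

# Constructed sample: cert.pem instead of fullchain.pem, and curly quotes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    server_name outergain.com www.outergain.com;
    ssl_certificate /etc/letsencrypt/live/outergain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/outergain.com/privkey.pem;
    if ($scheme != “https”) {
        return 301 https://$host$request_uri;
    }
}
EOF
check_tls_block "$sample" outergain.com || echo "$? problem(s) found"
rm -f "$sample"
```

Run it against your real server block file before reloading nginx; it complements nginx -t, which checks syntax but not whether the paths point at the intended certificate.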

Ubuntu 16.04 LTS

When installing and configuring Certbot on Ubuntu, there is an nginx client that automates some of the process, which is really nice!

Add the Certbot Nginx Client

Enter the following at your command line. You’ll notice the add-apt-repository command adds a specific certbot PPA to your repository list:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Obtain the Certificates

Enter the following command:

$ sudo certbot --nginx

You’ll see all of the websites listed with numbers. BE CAREFUL here. Do not hit enter and pull certs for all the sites. Enter in the site numbers separated by commas:

127: www.test.com
128: outergain.com
129: www.outergain.com

-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 128,129

Certbot will then ask whether to force HTTPS. Choose option 2:

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Your site should be ready! The nginx client plugin will automatically add the required information to your nginx server block. If for any reason this doesn’t happen, see the Debian 9 steps above for the required information.

Renewing Certificates

Let’s Encrypt certificates are good for 90 days. To renew any certificates about to expire, the command is:

certbot renew

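However, you’ll want the renewals to run automatically from a cron job. The command to run from cron is:

/usr/bin/certbot renew --quiet

Make sure /usr/bin/certbot is the correct path. You can test this by trying the line straight from the server command line. Certbot needs root privileges to update /etc/letsencrypt, so add the job to root’s crontab:

sudo crontab -e

Add the following line to your configuration. A crontab edited this way has no user field; a user name between the schedule and the command belongs only in /etc/crontab and files under /etc/cron.d:

0 1 * * * /usr/bin/certbot renew --quiet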

The above will check for renewals every day (once a day is recommended). If you’d like assistance on understanding the cron format, visit this site: https://crontab.guru

And that’s it! Now you can add SSL capabilities to your sites, and let cron handle the certificate renewals. Congrats on installing and configuring Certbot on your Ubuntu 16.04 LTS or Debian 9 server!

Written By

Kyler Boudreau