Let's Encrypt is a certificate authority that offers a straightforward path to creating and installing a TLS/SSL certificate. The process is simplified by using the Certbot client, which automates most, if not all, of the necessary steps.
For the following steps, you will need:
- An Ubuntu 16.04 server and a non-root user with sudo privileges.
- A domain, e.g., "yourdomain.com".
- Configured DNS records for your server:
  - An "A" record pointing "yourdomain.com" to your server's public address.
  - An "A" record pointing "www.yourdomain.com" to your server's public address.
- Apache2 installed.
1. Certbot Client Installation
The first step in using Let's Encrypt to obtain an SSL certificate is to install Certbot on your server. Certbot is actively developed, so the packages offered by Ubuntu are often outdated. Therefore, we will add the developers' repository, which carries the latest packages.
Add the repository:
sudo add-apt-repository ppa:certbot/certbot
Update the package list:
sudo apt-get update
Now you can install the Certbot Apache package:
sudo apt-get install python-certbot-apache
Certbot is now ready for use.
2. Obtaining an SSL Certificate
Generating an SSL certificate for Apache is quite straightforward. The client automatically obtains a new SSL certificate for the domain you pass with the -d parameter. To obtain a certificate, simply use the certbot command:
sudo certbot --apache -d yourdomain.com
If you want to use one certificate for multiple domains or subdomains, you can use additional parameters in the command:
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
Then Certbot will guide you through customizing the certificate step by step. It will ask for an email address for notifications and allow you to choose between enabling both HTTP and HTTPS access or redirecting all requests to HTTPS. You will receive a notification that the certificate installation is complete, along with information about the certificate's location.
3. Setting Up Automatic Certificate Renewal
The certificate is valid for only 90 days, so you'll need to renew it. For automatic renewal, you can use the "cron" service. Because the command is run with sudo, the following opens the root user's "cron" configuration file (crontab):
sudo crontab -e
Select an editor if prompted, and add the following line to the end of the configuration file:
15 3 * * * /usr/bin/certbot renew --quiet
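This line runs the renewal command every day at 3:15 AM. Certbot checks the installed certificates on each run and renews only those that are close to expiry, so running it daily is safe.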
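An independent check on the result of the cron job above: it reads the expiry date of the installed certificate and flags it when fewer days remain than expected. This is an added example, not part of the original tutorial; the path in the usage comment is Certbot's default certificate location, and the 20-day threshold and the function names are assumptions made for the example.

```bash
#!/bin/sh
# Added example (not from the original tutorial): report how long a
# certificate has left, so a failing "certbot renew --quiet" cron job
# is noticed before the 90-day certificate expires.
# Assumes GNU date (as on Ubuntu) and the openssl command-line tool.

# cert_status "<notAfter date>" <min_days> [now_epoch]
# Prints a status line; returns 0 = OK, 1 = renewal overdue, 2 = expired,
# 3 = expiry date could not be parsed.
cert_status() {
    not_after=$1
    min_days=$2
    now=${3:-$(date +%s)}
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || {
        echo "UNKNOWN: cannot parse expiry date '$not_after'"
        return 3
    }
    secs=$((end - now))
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED: certificate expired on $not_after"
        return 2
    fi
    days=$((secs / 86400))
    if [ "$days" -lt "$min_days" ]; then
        echo "WARN: $days days left (threshold $min_days), renewal is not working"
        return 1
    fi
    echo "OK: $days days left"
}

# check_cert_file <cert.pem> <min_days>
# Reads the expiry date from a PEM certificate and evaluates it.
check_cert_file() {
    line=$(openssl x509 -enddate -noout -in "$1") || return 3
    cert_status "${line#notAfter=}" "$2"
}

# Run only when a certificate path is given, for example:
#   sudo sh check_cert.sh /etc/letsencrypt/live/yourdomain.com/cert.pem 20
# (Certbot's default location; 20 days is a threshold chosen for this example.)
if [ "$#" -ge 1 ]; then
    check_cert_file "$1" "${2:-20}"
    exit $?
fi
```

The non-zero exit codes let a monitoring job or a second cron entry raise an alert when renewal has stopped working.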
Petr Heralecký
26.04.2020 18:14:06
I am trying to install certbot, but it is not working, see this error: https://ibb.co/GTCQNdc, i.e. I then cannot run the `certbot ...` command because the server does not recognize it.
Michal Švarc
19.07.2020 09:40:09
During installation I ran into two errors. First: after adding the repository, 'apt-get update' reports 'Ign: 1 http://ppa.launchpad.net/certbot/certbot/ubuntu focal InRelease Err: 2 http://ppa.launchpad.net/certbot/certbot/ubuntu focal Release 404 Not Found [IP: 2001:67c:1560:8008::15 80]'. Second: apt-get install python-certbot-apache does not exist; you can try using 'apt-get install python3-certbot-apache'. Actually I have a third one too, but that is probably down to my incorrect DNS settings.
Matěj Kmínek
05.08.2020 13:31:56
How about some DNS API? If one existed, it would be possible to teach certbot to automatically renew wildcard certificates *.domena.cz as well.