Evgenii Legotckoi, June 22, 2017, 6:17 a.m.

Configuring HTTPS from Let's Encrypt with Certbot

Some time ago, the SSL certificate from Let's Encrypt stopped being renewed on the site. Judging by the errors, the layout of the key files had changed somewhat. After researching the problem, the easiest option turned out to be installing the SSL certificates with the Certbot utility. This utility installs certificates automatically and also creates a task to renew the certificate, which lives either in the cron scheduler or in systemd.

Since the site's server runs Ubuntu 16.04, the installation instructions were chosen for this OS. Certbot also provides manuals for other operating systems.

If you are setting up an SSL certificate for the first time, you can follow the manual on the Certbot website. If you have already configured the certificate with other utilities, for example with the letsencrypt package without using certbot, as shown in the next article, you will probably need to do a small cleanup before installing Certbot.


Preparing to Install an SSL Certificate

First, make a backup of the letsencrypt directory. The -a option copies recursively and keeps file modes, ownership and symlinks.

sudo cp -a /etc/letsencrypt/ /etc/letsencrypt.backup

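After that, delete all configuration files and certificates of your site. ${DOMAIN} must hold the site's domain name; the ${DOMAIN:?} form makes the shell stop with an error if the variable is unset or empty, instead of deleting the whole live and archive directories.

sudo rm -rf "/etc/letsencrypt/live/${DOMAIN:?}"
sudo rm -rf "/etc/letsencrypt/renewal/${DOMAIN:?}.conf"
sudo rm -rf "/etc/letsencrypt/archive/${DOMAIN:?}"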

If you have configured the cron scheduler to automatically update the certificate, do not forget to delete this task.
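The backup and cleanup steps above as one guarded function. This is an added example, not part of the original article; purge_domain, valid_domain and the LE_ROOT override are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: back up a letsencrypt tree, then remove one domain's files.
# LE_ROOT is an assumed override for testing; the real tree is /etc/letsencrypt.

# valid_domain NAME: accept only hostname characters, so an empty value,
# a slash or ".." can never reach rm -rf.
valid_domain() {
    case "$1" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# purge_domain NAME: copy the whole tree to $LE_ROOT.backup, then delete the
# live/, archive/ and renewal/ entries of NAME only.
purge_domain() {
    root="${LE_ROOT:-/etc/letsencrypt}"
    root="${root%/}"                 # a trailing slash would put the backup inside the tree
    domain="$1"
    if ! valid_domain "$domain"; then
        echo "refusing to purge: invalid domain '$domain'" >&2
        return 2
    fi
    if [ ! -d "$root" ]; then
        echo "no such directory: $root" >&2
        return 3
    fi
    if [ -e "$root.backup" ]; then
        echo "backup $root.backup already exists, not overwriting" >&2
        return 4
    fi
    cp -a "$root" "$root.backup" || return 5   # -a keeps modes and symlinks
    rm -rf -- "$root/live/$domain" \
              "$root/archive/$domain" \
              "$root/renewal/$domain.conf"
}
```

Source the file in a root shell and call purge_domain with the site's domain; other domains in the same tree are left untouched.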

Installing an SSL Certificate

Next, you need to install the Certbot utility for Ubuntu 16.04 (the OS version used in this case). The utility is not in the standard repositories, so you need to use the developers' PPA.

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

Getting a certificate

The next step is to start the utility, which will automatically find the configured servers. I will remind you that Nginx is used on my site, so the configuration will be done for this type of server.

$ sudo certbot --nginx

The utility finds the site's domains by reading the server_name directive in the Nginx configuration files.

If this directive is not set, then the domains for which you want to receive certificates will not be found.
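A pre-flight check for the behaviour described above: it lists the server_name values present in a configuration and fails when there are none. This is an added example, not part of the original article and not Certbot's own parser; sample_conf, list_server_names and preflight are hypothetical names, and the sample configuration is constructed.

```shell
# Constructed sample configuration (not from the original page).
sample_conf() {
    cat <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;  # two names, one directive
}
server {
    listen 80 default_server;
    server_name _;
}
server {
    listen 80;   # no server_name: nothing to find here
}
# server_name commented.example;
EOF
}

# list_server_names [FILE...]: print each server_name value once, sorted.
# Reads stdin when no file is given. Comments are ignored, a directive may
# span several lines, and "_" and regex names ("~...") are skipped because
# they are not real host names.
list_server_names() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (!collecting) {
                    if (tok == "server_name") collecting = 1
                    continue
                }
                done = sub(/;$/, "", tok)        # a trailing ; ends the directive
                if (tok != "" && tok != "_" && tok !~ /^~/) print tok
                if (done) collecting = 0
            }
        }
    ' "$@" | sort -u
}

# preflight [FILE...]: succeed only if at least one usable name exists.
preflight() {
    names=$(list_server_names "$@")
    [ -n "$names" ] || { echo "no server_name found in the given configuration" >&2; return 1; }
    printf '%s\n' "$names"
}
```

For a real check, pass the site's own configuration files as arguments to preflight.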

While certbot --nginx is running, it displays a list from which you select the server you are getting the certificate for. It also asks how exactly the server should be configured: to work on both protocols (HTTP and HTTPS) or only on HTTPS. I recommend selecting the first option, because Yandex does not fetch robots.txt files over HTTPS. After executing this command, certbot will make the necessary changes to the nginx configuration files.

You can also only obtain the certificates and edit the nginx configuration files manually. This is done with the following command:

$ sudo certbot --nginx certonly

Automating certificate renewal

The following command performs a trial run of obtaining the certificate; the certificate will not be installed.

$ sudo certbot renew --dry-run

If the certificate is obtained successfully, a task will be created to renew the certificate automatically.

The Certbot manual says that the task will be created either in the cron scheduler or in systemd. In my case, the task was created as a timer in systemd.

It could be found at the following path:

/etc/systemd/system/timers.target.wants/certbot.timer

To start the certificate renewal manually, you can use the following command:

$ sudo certbot renew