Previously, we wrote how to easily install Let’s Encrypt SSL Certificate. Here Are Steps To Update letsencrypt to certbot For the Users Who Used Former Before letsencrypt Became certbot. It is Mandatory For Ubuntu 16.04 LTS. Ubuntu has old apt version agent. Such users who used apt-get install letsencrypt should follow this guide too.
Why Follow The Steps To Update letsencrypt to certbot?
Ubuntu 16.04 LTS clearly gives error for the old repository. You may get errors while trying to renew related to the files under /etc/letsencrypt/renewal/ or get more bizarre errors with server. Obviously, it is better to keep everything up to date. letsencrypt is not forward compatible to certbot. Who followed our guide need not to delete anything but only do the steps we have written under Steps To Update letsencrypt to certbot subheader. You need to remove /opt/letsencrypt, that is optional.
In case you installed Ubuntu’s letsencrypt software using apt-get install letsencrypt, you probably should purge the installation. For this kind of easy work, we do not need apt version of application, instead cloning from their git will keeps stuffs up to date and possibly distro neutral. There is nothing to keep, just run sudo apt-get purge --auto-remove letsencrypt to remove all stuffs including your old SSL certs. Loss of certificate does not matter, we will generate now in the next steps again. You can however keep a backup. You should have this stanza on your server blocks :
---
1 2 3 4 5 | location ~ /.well-known { allow all; # change the path if needed root /var/www/html; } |
The above is needed to avoid error.
Steps To Update letsencrypt to certbot
We will keep all file names as default path and file names. We are using our domain bmch.in in this example. You must change bmch.in to your domain name while running the commands. Default root of Nginx is /var/www/html for this Ubuntu 16.04 and domain bmch.in. Change the root path if needed. Obviously run the basic commands :
1 2 | apt update apt install git |
then clone to /opt/certbot and symlink with /usr/bin/certbot :
1 2 | sudo git clone https://github.com/certbot/certbot /opt/certbot sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot |
It is just easy to generate certificate, just run command in this format :
1 | sudo certbot certonly --webroot -w /var/www/html -d bmch.in -d www.bmch.in |
/var/www/html is our web root for the domain bmch.in. bmch.in, www.bmch.in are our domains. You should adjust only these two parameters. Done. Now, change directory to (adjust your domain name) :
1 | cd /etc/letsencrypt/live/bmch.in/ |
Generate Diffie-Hellman key :
1 | sudo openssl dhparam -out dhparam.pem 2048 |
wget this certificate for OSCP stapling :
1 | wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem |
Essentially you are follow our previous we wrote easily install Let’s Encrypt SSL certificate guide except the old commands. Use that guide’s optimizations, configurations.
This is exactly we should have for the above example domain:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | ssl on; access_log off; ssl_certificate /etc/letsencrypt/live/bmch.in/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/bmch.in/privkey.pem; ssl_dhparam /etc/letsencrypt/live/bmch.in/dhparam.pem; ssl_stapling on; ssl_stapling_verify off; ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 30s; ssl_trusted_certificate /etc/letsencrypt/live/bmch.in/lets-encrypt-x3-cross-signed.pem; ssl_ecdh_curve prime256v1; ssl_session_cache shared:NginxCache123:20m; ssl_session_timeout 4h; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; #add_header Public-Key-Pins 'pin-sha256=" "; pin-sha256=" "; report-uri=" "; max-age=5184000; includeSubDomains'; #add_header 'Content-Security-Policy-Report-Only' 'default-src self https:; report-uri '; |
Run :
1 2 | nginx -t service nginx restart |
We will advice you to follow rest of our easy install Let’s Encrypt SSL certificate guide’s hyperlinks to optimize. It is likely that you read wrong stuffs for other matters too.
Where is My Auto Update Script?
First check by dry run :
1 | sudo certbot renew --dry-run |
No error will be returned :
1 2 3 4 | ... Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/bmch.in/fullchain.pem (success) ... |
Now first create a log file :
1 | touch /var/log/certbot.log |
Then run :
1 | nano /etc/cron.weekly/certbot |
and copy paste this content :
1 2 3 | #!/bin/sh certbot renew >> /var/log/certbot.log service nginx reload |
You can test the work of the above cronjob by :
1 | sudo sh /etc/cron.weekly/certbot |
Run cat on log file :
1 | cat /var/log/certbot.log |
To clear the log, you should run :
1 | echo " " > /var/log/certbot.log |
Anything more?
Tagged With how to update certbot , update certbot ubuntu , letsencrypt update certificate , certbot update cert , certbot ubuntu 16 update , update letsencrypt ubuntu , ubuntu letsencrypt update certificate , letsencrypt update , how to update letsencrypt , windows letsencrypt certbot vs pkisharp