Configuring auto renewing LetsEncrypt SSL certs with Nginx and Certbot

How to configure LetsEncrypt SSL certs to auto renew with Nginx

- Chris Pook, 19th July 2017

LetsEncrypt is a great free service which lowers the bar for entry to the secure world of serving secure web content over HTTPS.

Whilst the service is fantastic once you have it up and running, there is a lot of confusion and misinformation on the web about how to configure it.

Below we have outlined the best practice steps to enable full SSL on your Nginx-driven sites, including automatic renewal of the certificates. Renewal seems to be the main area of confusion with LetsEncrypt, as the renewal process can conflict with the services you are running on your server, including Nginx itself.

Installing the Software

First of all, make sure to remove existing versions of the LetsEncrypt and Certbot software from your server:


sudo apt-get remove letsencrypt
sudo apt-get remove certbot

This software removal will leave your certificate configuration in place so don't worry if you already had a version installed but couldn't get renewal to work etc. The new version of Certbot will pick up your old config no problem.

Next, add the LetsEncrypt software repo and update your system to use it:


sudo apt-get install software-properties-common
sudo apt-get update

Now you can go ahead and install the latest version of certbot:


sudo apt-get install certbot

The last step is to add the Nginx plugin for Certbot; the rest of the process depends on it:


sudo apt-get install python-certbot-nginx

You are now ready to set up your sites to use SSL in order to serve content over HTTPS. The certbot command will allow you to both generate and renew certificates at any time.

Generating LetsEncrypt Certificates

Certificates are generated based on the Nginx vhosts you have set up on your server. It is suggested that you back up the vhosts before starting, as Certbot may modify their contents based on the options you choose. At the most basic, you will want to have the following in each vhost:

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;

    server_name examplesite.com;
    root /var/www/examplesite.com;
}
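Because Certbot rewrites the vhosts it detects, it is worth taking the backup the text recommends in a repeatable way and confirming up front which server_name values Certbot is going to offer you. The script below is an added example, not part of the original post or of the Certbot project: it archives the vhost directory into a timestamped tarball and lists the hostnames it finds. It assumes the Debian/Ubuntu layout (/etc/nginx/sites-enabled), a POSIX sh with awk and tar, and one server_name directive per line, which is how the vhosts in this post are written.

```shell
#!/bin/sh
# Added example (not from the original post or from Certbot): back up the Nginx
# vhosts and list the server_name values Certbot will detect, before running
# `certbot --nginx`. Directory and backup locations are arguments so the
# Debian/Ubuntu defaults assumed here can be overridden.

# list_server_names [DIR]
# Print every hostname named by a server_name directive in DIR, one per line,
# ignoring commented-out lines and the catch-all "_" name. Assumes one
# directive per line with server_name as the first word on it.
list_server_names() {
  dir=${1:-/etc/nginx/sites-enabled}
  cat "$dir"/* 2>/dev/null | awk '
    { sub(/#.*/, "") }                  # drop comments
    $1 == "server_name" {
      sub(/;.*/, "")                    # drop the terminating ; and anything after it
      for (i = 2; i <= NF; i++) if ($i != "_") print $i
    }' | sort -u
}

# backup_vhosts [DIR] [DEST]
# Archive DIR into DEST as a timestamped tarball (following the symlinks in
# sites-enabled so the real files are captured) and print the archive path,
# so the pre-Certbot configuration can be restored if the rewrite goes wrong.
backup_vhosts() {
  dir=${1:-/etc/nginx/sites-enabled}
  dest=${2:-/root/nginx-backups}
  mkdir -p "$dest" || return 1
  out="$dest/vhosts-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  tar -czhf "$out" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
  printf '%s\n' "$out"
}

# Stand-alone use: back up, then show what Certbot will see.
backup_vhosts "$@" && list_server_names "$1"
```

Run it as root before `sudo certbot --nginx`; the printed hostnames should match the list the wizard shows you, and the tarball is what you restore from if a vhost ends up mangled.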

You can now start the wizard to generate the certificates.


sudo certbot --nginx

You should now be presented with a list of sites detected by their vhost entries:

[Screenshot: Certbot site list generated from the detected vhosts]

Enter the number of each site you'd like to be included in the certificate you are creating, comma separated.

You will now be given the option to serve the site over HTTPS only, by redirecting every plain HTTP request to the secure URL:

[Screenshot: Certbot prompt to force HTTPS redirection]

Once you make your selection, the vhost will be updated to use the new certificate and, if you chose it, to redirect to the HTTPS URL. You can test this immediately by loading your site at its https:// address.

Certbot's own documentation for the Nginx plugin: http://letsencrypt.readthedocs.io/en/latest/using.html#nginx

Renewing LetsEncrypt Certificates

To renew certificates at any time, you may run the following command:


certbot renew --nginx

This will take you through the steps of renewal. LetsEncrypt will only allow renewal when the certificate is within 30 days of expiry. Once renewed the new certificate will be valid for 90 days from the date of renewal.

Renewing the certificate in this manner does not require you to stop and start Nginx: the Nginx configuration is reloaded after a successful renewal, so visitors to the site are automatically served the new certificate.

Automating The Renewal

Finally, the most important step of this process is to allow the certificates to renew automatically, so that you, as the server admin, never have to log in to the server to renew them by hand.

The renewal is run by cron. You should find a cron file that was automatically added on installation at /etc/cron.d/certbot. If the file is not there you can create it.

Update the content of the cron file as follows:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root certbot -q renew --nginx

This will run the renew process twice daily, exactly as above when you ran it manually. The -q (quiet) flag silences all output except errors, so cron only mails you when a renewal actually fails.
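With -q in the cron job, a successful renewal prints nothing, so a renewal that keeps failing (an expired plugin, a vhost Certbot can no longer parse, port 80 blocked) is easy to miss until the certificate expires. The check below is an added example, not part of the original post or of Certbot: it reads the certificates Certbot keeps under /etc/letsencrypt/live (the default on Debian/Ubuntu) and warns when any of them is closer to expiry than a working `certbot renew` would ever leave it. It assumes the openssl command-line tool is installed and that the live directory and the threshold in days are passed as arguments or left at the defaults.

```shell
#!/bin/sh
# Added example (not from the original post or from Certbot): detect a renewal
# that has silently failed. Certbot renews at 30 days before expiry, so a
# certificate under /etc/letsencrypt/live that is within 20 days of expiry
# means at least two cron cycles of renewals have failed. Assumes the openssl
# CLI; the live directory path is the Debian/Ubuntu default.

# cert_ok_for_days DAYS CERT
# Returns 0 when CERT is still valid for more than DAYS days, 1 when it expires
# within DAYS days (or already has), 2 when the file cannot be read.
cert_ok_for_days() {
  days=$1
  cert=$2
  [ -r "$cert" ] || return 2
  # -checkend N exits 0 if the certificate will still be valid N seconds from now
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# check_live_certs [DAYS] [LIVEDIR]
# Reports every lineage under LIVEDIR and returns non-zero if any certificate
# is within DAYS days of expiry or cannot be read.
check_live_certs() {
  days=${1:-20}
  live=${2:-/etc/letsencrypt/live}
  bad=0
  for cert in "$live"/*/cert.pem; do
    [ -e "$cert" ] || continue          # glob matched nothing
    name=$(basename "$(dirname "$cert")")
    if cert_ok_for_days "$days" "$cert"; then
      echo "OK   $name (valid for more than $days days)"
    else
      echo "WARN $name: expires within $days days or is unreadable; run 'certbot renew --nginx' by hand and read its output" >&2
      bad=1
    fi
  done
  return $bad
}

# Stand-alone use: exit status is what a monitoring agent keys on.
check_live_certs "$@"
```

Schedule it from cron without -q, or wire its exit status into whatever monitoring you already run; a non-zero exit is the signal to run `certbot renew --nginx` interactively and read the error the quiet cron job has been swallowing.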

So there you have it, auto renewing LetsEncrypt certificates running on Nginx.