Install Let’s Encrypt to Create SSL Certificates


By Mansoor Khan last updated on May 04, 2020

Download and Install Let’s Encrypt

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt


Create an SSL Certificate

cd /opt/letsencrypt

sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

 

Renew SSL Certificates

cd /opt/letsencrypt
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com

 

UPDATE (06/04/2019):

To prevent new certificates (like *-0001, *-0002) from being created on running the renew command, add a `--cert-name <domain name>` entry to force certbot to overwrite existing certificate instead of creating a new one.

sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default --cert-name example.com -d example.com -d www.example.com

 

 UPDATE (04/05/2020):

Install and configure certbot certificate with nginx configuration:

sudo certbot --nginx -d example.com -d www.example.com

 

Automatically Renew SSL Certificates (Optional)

 

echo '@monthly root /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d 
example.com -d www.example.com >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append 
/etc/crontab
  •  @monthly: for simplicity, this command will execute at midnight on the first day of every month
  • root: run the command as the root user
  • /opt/letsencrypt/letsencrypt-auto certonly –quiet –standalone –renew-by-default -d example.com -d
    www.example.com: letsencrypt-auto renewal command. Again, add -d example.com for each domain name you need to renew
  • » /var/log/letsencrypt/letsencrypt-auto-update.log: record the standard output and standard error to a log
    file named letsencrypt-auto-update.log
  • tee –append /etc/crontab: save the new cron job to the /etc/crontab file

 

Update Let’s Encrypt

cd /opt/letsencrypt
sudo git pull


Automatically Update Let’s Encrypt (Optional):

echo '@weekly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log' | 
sudo tee --append /etc/crontab

 

If it doesn't work, stop the nginx server and then try the renewal command.

 

Check Expiration dates:

sudo openssl x509 -dates -noout < /etc/letsencrypt/live/<DOMAIN NAME HERE>/cert.pem

 

Sources:

https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates

https://certbot.eff.org/#ubuntutrusty-nginx

https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-web-server-and-reverse-proxy-for-apache-on-one-ubuntu-14-04-droplet

 

For Nginx server block config:

https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8