Download and Install Let’s Encrypt
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
Create an SSL Certificate
cd /opt/letsencrypt
sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
Renew SSL Certificates
cd /opt/letsencrypt
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com
UPDATE (06/04/2019):
To prevent new certificates (like *-0001, *-0002) from being created when running the renew command, add a `--cert-name <domain name>` entry to force certbot to overwrite the existing certificate instead of creating a new one.
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default --cert-name example.com -d example.com -d www.example.com
UPDATE (04/05/2020):
Obtain a certificate with certbot and install it into the nginx configuration:
sudo certbot --nginx -d example.com -d www.example.com
Automatically Renew SSL Certificates (Optional)
echo '@monthly root /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d example.com -d www.example.com >> /var/log/letsencrypt/letsencrypt-auto-update.log 2>&1' | sudo tee --append /etc/crontab
- @monthly: for simplicity, this command will execute at midnight on the first day of every month
- root: run the command as the root user
- /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d example.com -d www.example.com: letsencrypt-auto renewal command. Again, add -d example.com for each domain name you need to renew
- >> /var/log/letsencrypt/letsencrypt-auto-update.log 2>&1: record the standard output and standard error to a log file named letsencrypt-auto-update.log
- tee --append /etc/crontab: save the new cron job to the /etc/crontab file
Update Let’s Encrypt
cd /opt/letsencrypt
sudo git pull
Automatically Update Let’s Encrypt (Optional):
echo '@weekly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab
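If the renewal doesn't work, stop the nginx server and then try the renewal command again. The --standalone mode starts its own temporary web server, so it cannot bind the port while nginx is still listening on it.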
Check Expiration dates:
sudo openssl x509 -dates -noout -in /etc/letsencrypt/live/<DOMAIN NAME HERE>/cert.pem
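Added example (not part of the original notes): a POSIX shell audit that flags the *-0001 style duplicate lineages mentioned in the 2019 update and any cert.pem that expires within a chosen number of days. The function names and the sample directory are constructed for illustration; run audit_live_dir as root against /etc/letsencrypt/live for real use.

```shell
#!/bin/sh
# Added example: audit a certbot "live" directory for duplicate lineages and
# certificates close to expiry. Layout assumed: <live_dir>/<cert name>/cert.pem,
# as in the /etc/letsencrypt/live/<DOMAIN NAME HERE>/cert.pem path above.

# Print every lineage whose name ends in -NNNN (example.com-0001, ...),
# followed by the certificate name it duplicates.
find_duplicate_lineages() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        case $name in
            *-[0-9][0-9][0-9][0-9])
                echo "$name ${name%-[0-9][0-9][0-9][0-9]}" ;;
        esac
    done
}

# Succeed only if the certificate in file $1 stays valid for $2 more days.
# An unreadable or missing file counts as a failure, so the check fails closed.
cert_valid_for_days() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Report problems for every lineage under $1, using a warning window of $2 days.
# Returns non-zero when anything needs attention, so cron or monitoring can alert.
audit_live_dir() {
    rc=0
    dupes=$(find_duplicate_lineages "$1")
    if [ -n "$dupes" ]; then
        echo "duplicate lineages (name, original):"
        echo "$dupes"
        rc=1
    fi
    for pem in "$1"/*/cert.pem; do
        [ -e "$pem" ] || continue
        if ! cert_valid_for_days "$pem" "$2"; then
            echo "expires within $2 days or unreadable: $pem"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample layout (no real certificates), so the script runs anywhere.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/example.com" "$demo_dir/example.com-0001"
audit_live_dir "$demo_dir" 30 || echo "audit reported problems"
rm -rf "$demo_dir"
```

A duplicate lineage matters because the nginx configuration may still point at the older directory, whose certificate is no longer being renewed.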
Sources:
https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains
https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
https://certbot.eff.org/#ubuntutrusty-nginx
For Nginx server block config:
https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8