Let's encrypt: automated renewal procedure11 Feb 2016 Tags:
Today I learned how to use Let’s encrypt certificate program to automatically and periodically renew HTTPS/SSL certificates at @Galeoconsulting. I hear you loudly wondering “Why?”. The reason is the Let’s encrypt initiative provides you free of charge certificates with limited lifespan. At the moment of writing the certificates are valid for 3 months. Manual update procedure is slow and painfull; hence the automation and this post.
Given the length, here’s a helpful table of contents.
- Prepare Webserver (nginx) for the acme challenge
- Create automatic renewal script
- Let’s encrypt it then (Pun intended)
- Let’s put it all together
I would recommend to take a look into Let’s encrypt
docker image; however in this particular case it’s
32bit box, so no Docker support at this moment.
Proceed with Let’s encrypt official client installation procedure.
Prepare Webserver (nginx) for the acme challenge
Part of Let’s encrypt automatic renewal process is Automatic Certificate Management Environment or ACME challenge.
In course of our work we don’t want to restart web-server just to be able to serve ACME challenge; so we will use webroot method to serve particular well-known verification locations from webserver directory.
When succeed - we will gracefully reload the server configuration with updated SSL certificates.
What’s happened? What did you do?
We instructed HTTP:80 website (which we use to perform
HTTP 301 Permanent
redirect to HTTPS/SSL version) to treat a special and “well-known”
/.well-known/acme-challenge location specially and to serve static content
from Let’s encrypt managed webroot directory
Create automatic renewal script
What does it do?
--textspecifies we want the script to interact to us using text interface (not ncurses dialogs).
--agree-toswe agree to Let’s Encrypt Subscriber Agreement. Please find the actual version at https://letsencrypt.org/repository/
--renew-by-defaultforces SSL cert renewal even if not expired.
--webrootspecifies we will use the Apache/Nginx webroot to host and serve Let’s encrypt generated challenge.
--webroot-pathpath for client to put generated challenge file to.
-m <<email>>DNS administrator email.
certonlyspecifies we only need the client to get the certificates; we will do the rest.
-d <domain> -d <another-domain>domains to generate SSL certificates for.
Let’s call it once, so we get our seed SSL certificates.
I would do it here and paste the result; unfortunately I reached the maximum
renewal quota (5 in 7 days or 7 in 5; something between those lines.
Basically I just got
Error creating new cert :: Too many certificates already
issued for: galeoconsulting.com error.
So, please try on your own and report your findings / misconfigurations if you do happen to stumble on something.
Ok. It was easy.
Let’s encrypt it then (Pun intended)
Let’s put it all together
The easiest way to perform the auto-renewal is to put it in cronjob (which also will notify us with email if something went wrong)
Try it. Enjoy it. Vuala.
NB. If you've found typos or errors, please suggest a correction or edit on github.