Automatic certificate renewal with Let's Encrypt
Recently, several domestic cloud providers, including Tencent Cloud and Alibaba Cloud, shortened the validity period of their free SSL certificates from 1 year to 90 days, which makes maintenance a lot more work. Certificates that used to need updating once a year now need updating 4 times a year, which is really too troublesome.
So I looked for a service that could renew SSL certificates automatically and for free: Let's Encrypt, with Certbot handling the automatic renewal.
First, let me introduce these two services:
What is Let's Encrypt?
Let's Encrypt is a certificate authority (CA) that provides free SSL/TLS certificates. It was founded by the non-profit organization Internet Security Research Group (ISRG) to improve the security and privacy protection of the Internet.
An SSL/TLS certificate lets you encrypt the communication between your website and its users and protects those users from threats such as man-in-the-middle attacks. In the past, obtaining an SSL/TLS certificate required a fee and a relatively cumbersome configuration process, which kept many small websites and personal blogs from using one.
Let's Encrypt provides an automated issuance process that makes it easy to obtain free SSL/TLS certificates while reducing the complexity of configuration. Unlike certificates from traditional commercial CAs, Let's Encrypt certificates are valid for only 90 days, but they can be extended through an automated renewal process, which makes certificate management more convenient.
The free and easy-to-use Let's Encrypt certificates have been widely recognized and supported, and have become one of the preferred certificate authorities for many website administrators.
What is Certbot?
Certbot is a free and open source software tool for automating the use of Let's Encrypt certificates to enable HTTPS on manually managed websites.
Certbot is produced by the Electronic Frontier Foundation (EFF), a 501(c)3 nonprofit organization based in San Francisco, California, dedicated to defending digital privacy, free speech, and innovation.
How to apply for a free SSL certificate
1. First, open the Certbot website and select your operating system and the web server software you are running.
2. Log in to the server via SSH and install snapd:
Install snapd with the following commands:
sudo apt update
sudo apt install snapd
3. Remove certbot-auto and any Certbot OS packages
If you installed any Certbot packages using your OS package manager (such as apt, dnf or yum), remove them before installing the Certbot snap to ensure that when you run the command certbot you use the snap and not the installation from your OS package manager. The specific command to do this depends on your operating system, but common examples are:
sudo apt-get remove certbot
sudo dnf remove certbot
sudo yum remove certbot
4. Install Certbot
Install Certbot by executing the following command:
sudo snap install --classic certbot
5. Set up a soft link for the Certbot command
Set up a soft link to the Certbot command by executing the following command:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
6. Obtain and install the certificate
Run the following command to obtain a certificate and have Certbot automatically edit your nginx configuration to serve it, enabling HTTPS access in one step:
sudo certbot --nginx
The Certbot package on your system comes with a cron job or systemd timer that automatically renews certificates before they expire.
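Automatic renewal can stop working without anyone noticing, so it is worth checking that it is keeping up. The script below is an added example, not part of the original post or of Certbot: it flags certificates that renewal should already have replaced. The function names, the 20-day threshold, the sample output and the assumed format of the `certbot certificates` output are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post). Assumption: `certbot certificates`
# prints a "Certificate Name:" line and then an "Expiry Date: ... (VALID: N days)"
# line for each certificate, or "(INVALID: ...)" once it is expired or revoked.

# stale_certs MIN_DAYS: read that output on stdin and print "<name> <days>"
# for every certificate with fewer than MIN_DAYS left, or "<name> INVALID".
stale_certs() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            if ($0 ~ /\(INVALID/) { print name, "INVALID"; next }
            if (match($0, /\(VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
            } else if ($0 ~ /\(VALID: [0-9]+ hour/) {
                days = 0    # under one day left is reported in hours
            } else { next }
            if (days < min) print name, days
        }'
}

# renewal_health [MIN_DAYS]: run as root on the server, e.g. from a daily cron job.
# Certbot normally renews a 90-day certificate about 30 days before expiry, so
# anything under 20 days (hypothetical threshold) means renewals have been failing.
renewal_health() {
    stale=$(certbot certificates 2>/dev/null | stale_certs "${1:-20}")
    if [ -n "$stale" ]; then
        printf 'certificates not renewed on schedule:\n%s\n' "$stale" >&2
        return 1
    fi
    # Exercise the whole renewal path without replacing the live certificates.
    certbot renew --dry-run --quiet
}

# Constructed sample of `certbot certificates` output, for trying stale_certs offline.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 62 days)
  Certificate Name: blog.example.com
    Expiry Date: 2030-01-10 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
  Certificate Name: api.example.com
    Expiry Date: 2029-12-29 15:00:00+00:00 (VALID: 5 hour(s))
EOF
}
```

Running `sample_output | stale_certs 20` shows the parser at work without touching a server; on the server, call `renewal_health` from cron and alert on a non-zero exit status.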
After that, when we visit the website, we can see that HTTPS access has been enabled automatically, and the maintenance is automated too. The certificate is renewed automatically before it expires, eliminating the trouble of manual maintenance. Isn't it great 👍?