Certbot is the new client from Let’s Encrypt. It is the successor of the previous letsencrypt-auto tool. With a standard web server configuration it is easy to issue and renew certificates.
Installation
With the following commands the tool is downloaded and made executable.
cd /opt
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
The folder /opt can be different of course.
Whether the tool works can be tested with the following command. On the first run some new packages might be installed and the tool itself updated.
/opt/certbot-auto --help
Create and request certificates
If Apache is used as the web server and its configuration isn’t out of the ordinary, certbot is able to activate HTTPS for selected domains automatically. Simply start the tool and check the provided options.
/opt/certbot-auto
It is still wise to create a backup of the Apache configuration beforehand.
To be on the safe side, you can use certbot to only request the certificates and set up Apache manually. The following example requests a certificate covering three domain names using certbot’s Apache module.
/opt/certbot-auto certonly --apache -d domain.de -d subdomain.domain.de -d othersub.domain.de
If this fails, your Apache configuration might not be suitable for the module. You can still use the webroot method or standalone mode. Webroot might fail if a project uses URL rewrites.
/opt/certbot-auto certonly --standalone -d domain.de -d subdomain.domain.de -d othersub.domain.de
For standalone mode your web server has to be shut down before running certbot, because certbot needs to listen on the port itself.
Renew certificates
With the old clients this was sometimes a difficult task. Quite often a custom script was needed to renew the certificates. With certbot, in most cases the following command, started manually or via a cron job, does the job.
/opt/certbot-auto renew
This checks all installed certificates and renews them if necessary.
If standalone mode was used, this still fails because the web server is running and blocks the port certbot uses to validate the domain. The following command line does the job:
/opt/certbot-auto renew --pre-hook "/etc/init.d/apache2 stop" --post-hook "/etc/init.d/apache2 start"
The --pre-hook and --post-hook options each specify a command that is called before and after certificates are renewed. They are not executed if no certificate needs to be renewed.
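As an added example (not part of the original post), a small POSIX sh wrapper for a cron job that builds the certbot command lines shown above. It assumes certbot-auto lives in /opt and Apache is controlled via /etc/init.d/apache2 and apache2ctl; every domain name gets its own -d flag, and in standalone mode Apache is only started again after its configuration passes a syntax check.

```shell
#!/bin/sh
# Hypothetical wrapper around certbot-auto; paths below are assumptions.
CERTBOT="${CERTBOT:-/opt/certbot-auto}"
APACHE_INIT="${APACHE_INIT:-/etc/init.d/apache2}"

# Turn "a.de b.a.de" into "-d a.de -d b.a.de". certbot does not accept a bare
# name after the last -d, so each name needs its own flag.
domain_args() {
  args=""
  for d in "$@"; do
    args="$args -d $d"
  done
  printf '%s' "${args# }"
}

# Compose the certonly command for a given authenticator.
# usage: issue_cmd apache|standalone DOMAIN...   or   issue_cmd webroot DIR DOMAIN...
issue_cmd() {
  mode="$1"; shift
  case "$mode" in
    apache)     printf '%s certonly --apache %s' "$CERTBOT" "$(domain_args "$@")" ;;
    standalone) printf '%s certonly --standalone %s' "$CERTBOT" "$(domain_args "$@")" ;;
    webroot)    root="$1"; shift
                printf '%s certonly --webroot -w %s %s' "$CERTBOT" "$root" "$(domain_args "$@")" ;;
    *)          echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Compose the renew command. In standalone mode Apache must release port 80,
# so it is stopped in the pre-hook and only started again once the config
# passes a syntax check; otherwise a reload is enough to pick up new files.
renew_cmd() {
  if [ "$1" = standalone ]; then
    printf '%s renew --pre-hook "%s stop" --post-hook "apache2ctl configtest && %s start"' \
      "$CERTBOT" "$APACHE_INIT" "$APACHE_INIT"
  else
    printf '%s renew --post-hook "%s reload"' "$CERTBOT" "$APACHE_INIT"
  fi
}
```

From cron, run the composed line with `eval "$(renew_cmd standalone)"`, so that renewals and Apache restarts only happen when a certificate is actually due.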
Sources: