Installing Letsencrypt certificate and auto renewal

I wrote about this whilst LetsEncrypt was still in beta.

As per the comment on the post, you can use the certonly option, which will allow you to create and renew certificates without restarting nginx.

Once you have your certificate setup, you can add a simple cron entry to renew the certificate automatically for you:

5 0 1 * * /path/to/letsencrypt-auto -c /etc/letsencrypt/webroot.ini --user-agent letsencrypt-ubuntu-webroot --webroot -w /path/to/public -d <domain> certonly && sudo service nginx reload

webroot.ini has some defaults for the renewal to take place:

# webroot.ini general config file

rsa-key-size = 2048

email = <you@yourdomain.tld>

text = True
agree-tos = True
renew-by-default = True

authenticator = webroot

@deringer I kinda lost you. It seems like your blog post is out dated? Also, how should I initially create the certificate? Should I use webroot? If you can just assist in the actual command that generates the certificate and the cronjob command to renew a certificate it will be awesome.

Also, what is that "webroot" option I see often people talk about?

@kfirba the gist of the post remains the same, but I'll write an updated post noting the specific differences.

The webroot option allows you to verify ownership over the domain name you're creating certificates for without having to restart nginx, by putting a challenge file there, which the Lets Encrypt service will hit.

The command to generate the certificate and renew it (which you'll put into cron) are almost identical:

$ /path/toletsencrypt-auto -c /etc/letsencrypt/webroot.ini --user-agent letsencrypt-ubuntu-webroot --webroot -w /path/to/public -d domain.tld certonly
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/forge/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent letsencrypt-ubuntu-webroot --webroot -w /home/forge/example.tld/public -d example.tld certonly

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.tld/fullchain.pem. Your cert
   will expire on 2016-04-02. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again...

You then need to edit your site's nginx configuration file:

# /etc/nginx/sites-available/example.tld

server {
    listen 80;
    server_name example.tld;
    return 301 https://example.tld$request_uri;
}

server {
    listen 443 ssl;
    server_name example.tld;
    root /path/to/public;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/example.tld-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

Save the file, then check your nginx config with sudo service nginx configtest. If all is ok, you can reload nginx with sudo service nginx reload.

Verify that everything is working by visiting http://example.tld in your browser, and make sure that it redirects to https://example.tld with the green padlock.

The last step is to add the renewal command to your crontab, which is the same as what was used to generate the initial certificate, with the addition of an nginx reload.

If you're running this as the forge user, you'll need to give it access to reload nginx as well as run the letsencrypt command as sudo without password. Add the following to the end of your /etc/sudoers file, before the # includedir /etc/sudoers.d line, assuming you've installed the letsencrypt command in your forgeuser's home directory:

# Allow forge user to reload nginx
forge ALL=NOPASSWD: /usr/sbin/service nginx reload
# Allow forge user to perform letsencrypt certificate renewals
forge ALL=NOPASSWD: /home/forge/.local/share/letsencrypt/bin/letsencrypt

# includedir /etc/sudoers.d

$ crontab -e 

# Automatically renew the certificate for example.tld
1 0 1 * * /path/toletsencrypt-auto -c /etc/letsencrypt/webroot.ini --user-agent letsencrypt-ubuntu-webroot --webroot -w /path/to/public -d domain.tld certonly && sudo service nginx reload

Now at the start of the month at 0001, the command will run and update your SSL certificate. If you have more than one certificate, try and space them out over a period of time so as to not hit LetsEncrypt rate limits. Better yet, don't have all your certificates renew on the 1st, but rather the day of month you created the initial certificate.

Hope that helps :)

Is it a good idea to get letsencrypt to re-issue monthly using this method in a cron-job? My thinking is it saves someone time in out-of-business hours to simply sling the webroot method into a cron.

Also if you have multiple domains with different webroot locations, can you give certbot one folder and symbolic link that folder into every webroot?

@LewisCowles1986 sounds like you're asking some questions I went through myself. Turns out LetsEncrypt recommends checking for renewals twice per day. I wrote a blog about getting more in-depth with this, including an example of multiple domains in a cert.

Turns out it was way easier than I imagine. Lots of progress has been made since the initial Forge LetsEncrypt Beta option. If you're interested: https://untold.studio/blog/2017/10/11/moving-beyond-laravel-forge-s-letsencrypt-beta/