
Certbot SSL

Install a free SSL certificate issued by Let’s Encrypt on an Apache server using Certbot.

Every website needs an SSL certificate so that it loads securely over HTTPS, without browser warnings, rather than over HTTP.

As I’m running my sites on a DigitalOcean barebones VPS with Apache, the process of installing a free SSL certificate for all my websites is quick, easy and fun! 😉

Install an SSL certificate using certbot

What type of SSL is installed by Certbot?

Certbot, through Let’s Encrypt, installs Domain Validated (DV) SSL certificates. These certificates provide basic encryption and are suitable for most websites as they verify the ownership of the domain.

When is it set to renew?

Certbot SSL certificates, typically issued by Let’s Encrypt, are valid for 90 days.

Prerequisites

You will need sudo user access to your web server so that you have adequate permissions to install the Certbot software and the SSL certificate.

  • sudo user access to server
  • certbot installed

After you SSH into your server, and with Certbot already installed, you can run the following commands.

List installed certificates

List all the currently installed SSL certificates and view each certificate's expiry date.

sudo certbot certificates

The above command will tell you if certbot is installed and what certificates are already installed.

Checklist before installing the certificate

Before running the install command, there are some things you MUST do for a successful install.

  • Your domain must be added to the server through the control panel
  • You have updated your virtual host file
  • Your DNS is configured to point to the server you are about to install the certificate on.

Install an SSL certificate on Apache for your domain name

sudo certbot --apache -d example.com

Renew all certificates

The SSL certificates are set to auto renew every 90 days.

Renewal Security

For improved security, disable port 80. However, Certbot needs port 80 open to renew a certificate.

To manually renew the certificates:

  • re-enable port 80 in your DigitalOcean firewall
  • renew your certificates

sudo certbot renew

Renew specific domain

sudo certbot renew --cert-name example.com

Install an SSL certificate on Nginx for your domain name

The command for installing an SSL certificate on Nginx is slightly different from the Apache install command.

sudo certbot --nginx -d example.com

Deleting a certificate

It can be handy to delete certificates if they are not required or not working correctly. Sometimes it’s best to start over by deleting the certificate and then reinstalling.

sudo certbot delete --cert-name example.com

Troubleshooting

Fail to install

If the certificate fails to install, your domain might not be delegated correctly. Try pinging your domain name from your terminal to see whether the response shows the correct IP address, which should be the IP address of your web server. If the IP address is incorrect, the domain name is pointing to the wrong server and the SSL certificate will not install.

ping example.com

Ensure the IP address in the response matches the IP address of your server. If it does not match, don’t try installing the certificate.

Don’t keep trying to install the certificate. Certbot can ban you if you have too many failed attempts.

Fail to renew

When running a renewal command, you can get an error saying that some other file is missing or does not exist.

sudo certbot delete --cert-name mysite.com

Sometimes when manually renewing SSL certificates you get this error, which relates to other obsolete certificates. You can fix this by manually removing the old certificates.

AH00112: Warning: DocumentRoot [/var/www/example.site/web/] does not exist
AH00526: Syntax error on line 16 of /etc/apache2/sites-enabled/example.site-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/example.site/fullchain.pem' does not exist or is empty

Remove the old certs

sudo rm /etc/apache2/sites-enabled/example.site-le-ssl.conf
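
The renewal failure above comes from a leftover *-le-ssl.conf file that still references a certificate file that is gone. The following added example (not part of the original post) lists such files so you can confirm which ones are stale before removing anything; the function names and the constructed sample tree are hypothetical, and it assumes absolute certificate paths without spaces.

```shell
#!/bin/sh
# Added example (not from the original post): report Apache vhost files whose
# SSLCertificateFile / SSLCertificateKeyFile target is missing or empty,
# which is the condition behind the AH00526 error shown above.

# find_stale_vhosts DIR
# Prints "conf-file directive path" for each broken reference in DIR/*.conf.
# Runs in a subshell "( )" so its loop variables do not leak to the caller.
# Assumes absolute certificate paths without spaces.
find_stale_vhosts() (
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue      # unmatched glob or dangling symlink
        awk 'tolower($1) ~ /^sslcertificate(key)?file$/ {
                 gsub(/"/, "", $2); print $1, $2
             }' "$conf" |
        while read -r directive path; do
            # -s is true only if the file exists and is larger than 0 bytes
            [ -s "$path" ] || printf '%s %s %s\n' "$conf" "$directive" "$path"
        done
    done
)

# make_sample_tree ROOT
# Builds constructed sample data: one healthy vhost and one stale vhost.
make_sample_tree() {
    mkdir -p "$1/live/good.example" "$1/sites-enabled"
    echo "constructed placeholder, not a real certificate" \
        > "$1/live/good.example/fullchain.pem"
    cat > "$1/sites-enabled/good.example-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName good.example
    SSLCertificateFile $1/live/good.example/fullchain.pem
</VirtualHost>
EOF
    cat > "$1/sites-enabled/old.example-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName old.example
    # SSLCertificateFile /commented/out.pem
    SSLCertificateFile $1/live/old.example/fullchain.pem
</VirtualHost>
EOF
}

# Usage: sudo sh find_stale_vhosts.sh /etc/apache2/sites-enabled
if [ "$#" -gt 0 ]; then
    find_stale_vhosts "$1"
fi
```

An empty result means every enabled vhost points at a certificate file that exists and is not empty.
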
This post is licensed under CC BY 4.0 by the author.