Let's Encrypt our Website

As suggested in the Let's Encrypt Getting Started Guide I use the Certbot ACME client.

There are many ways to run the Certbot. A while ago I installed it locally on my Mac with Homebrew:

$ brew install certbot
==> Downloading https://homebrew.bintray.com/bottles/certbot-0.9.1.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring certbot-0.9.1.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/certbot/0.9.1: 1,969 files, 13.8M
$ mkdir config logs work
$ certbot certonly --config-dir config --logs-dir logs --work-dir work \
    --standalone -d planets.datenkollektiv.de

So far so good. But every now and then you need to renew your certificate. since this is a rather tedious task we are going to automate this steps.

Add a task to renew the certificate to your cron job list:

15 0,12 * * * letsencrypt renew -a webroot --webroot-path=/var/www/letsencrypt

and allow HTTP access to .well-known (usually we do forward all HTTP access to HTTPS) in NGinx.

location /.well-known {
    alias /var/www/letsencrypt/.well-known;
}

Finally you should test your sever with a service like SSL Labs to get an overall impression of your security rating...

Show Comments