This article demonstrates how to automate the renewal of SSL certificates, specifically letsencrypt certificates, using the certbot utility with Apache on Ubuntu. The examples in this article will work on Ubuntu 18.04 and greater. They may also work on previous versions of Ubuntu; if they do not, the general concepts should still apply.
See another one of our posts for general documentation on configuring SSL certificates in Apache.
Install and run certbot on Ubuntu
- SSH into the server where you are setting up letsencrypt for SSL certificate automation.
- While your OS may support installing certbot with its own package manager, the official documentation recommends using snapd to manage certbot. If you do not already have snapd, you can follow their official documentation here: https://snapcraft.io/docs/installing-snapd
- If you already have snapd installed, ensure it is up to date by running the following command:
sudo snap install core; sudo snap refresh core
- Remove any and all certbot packages that may have been previously installed by your package manager. For Ubuntu, this would be the apt package manager. This ensures that the certbot package installed by snapd will be run, and not an older version installed by your package manager. For Ubuntu, the command is:
sudo apt-get remove certbot
- Install certbot with snapd
sudo snap install --classic certbot
- Create a symbolic link to ensure certbot can be run
sudo ln -s /snap/bin/certbot /usr/bin/certbot
- Get and install your certificate. Note that this command will update your Apache SSL configuration files and reload the config with the new certificate. If you do not wish to update the configuration and only renew the certificate, add the certonly option to the command as shown in the second example.
sudo certbot --apache
sudo certbot certonly --apache
- Test that the certificate renewal will work by using the --dry-run option with certbot. If you encounter any errors they must first be fixed before the renewal will work. The letsencrypt certificates have a 90 day validity period and are renewed every 60 days, giving you 30 days to address any issues with the renewal.
sudo certbot renew --dry-run
The renewal will be scheduled in one of the following locations:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
- Confirm that the letsencrypt certificate was successfully installed in Apache by visiting your website in your browser, or by using the openssl s_client command if you have OpenSSL installed.
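The following script is an added example, not part of the original article or of certbot. It uses openssl s_client to fetch the certificate Apache is serving, reports whether it is still outside the 30-day window described above, and looks for a certbot job in the scheduling locations listed earlier. The function names and the example hostname are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: post-install check for a certbot-managed Apache site.
# Usage: sh check-cert.sh www.example.com   (hostname is a placeholder)

# Fetch the leaf certificate a server presents on port 443, as PEM.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# renewal_state PEM_FILE [WINDOW_DAYS]
# Prints one of: unreadable, expired, renew-overdue, ok
# "renew-overdue" means fewer than WINDOW_DAYS (default 30) of validity
# remain, i.e. the automated renewal should already have replaced it.
renewal_state() {
    local pem="$1" window_days="${2:-30}"
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((window_days * 86400)) >/dev/null 2>&1; then
        echo renew-overdue; return 1
    fi
    echo ok
}

# Succeeds if a certbot job appears in cron or in the systemd timers.
renewal_scheduled() {
    grep -qs certbot /etc/crontab /etc/cron.*/* 2>/dev/null && return 0
    systemctl list-timers --all 2>/dev/null | grep -q certbot
}

# Only run the live check when a hostname is given on the command line.
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp)
    fetch_cert "$1" > "$tmp"
    echo "certificate state: $(renewal_state "$tmp")"
    openssl x509 -in "$tmp" -noout -issuer -enddate 2>/dev/null
    if renewal_scheduled; then
        echo "renewal job: found"
    else
        echo "renewal job: NOT found"
    fi
    rm -f "$tmp"
fi
```

A state of renew-overdue or a missing renewal job is the signal to rerun the dry-run step and read its errors before the certificate actually expires.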
Conclusion
This article has demonstrated how to install certbot on Ubuntu, install letsencrypt certificates in Apache, and automate the renewal of the letsencrypt certificates. Please leave us a comment if you have any questions or need help troubleshooting your letsencrypt renewal in an Apache web server.