How to use Certbot: create a certificate for a domain and subdomain

Introduction

Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides Transport Layer Security (TLS) certificates at no charge. Certbot identifies the server administrator by a public key: the first time the agent software (Certbot) interacts with Let’s Encrypt, it generates a new key pair and proves to the Let’s Encrypt CA that the server controls one or more domains. This is similar to the traditional CA process of creating an account and adding fields to that account.

In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu and set up your certificate to renew automatically. We will be using the default Nginx server vhost configuration file. We recommend creating a new Nginx server vhost file for each domain, which helps avoid mistakes, and keeping the default file as a backup configuration in case your SSL setup does not work.

For reference, see our LEMP with WordPress setup for Ubuntu 20, which configures Nginx for a WordPress installation.

If you want to get your site on HTTPS (the lock icon in the browser), follow the steps below.

Prerequisites

To follow this tutorial, you will need:

  • A server that has completed the initial server setup
  • A fully registered domain name. This tutorial will use unixcop.com throughout. I have my own DNS server in my lab to be able to resolve DNS requirements.
  • A running web server, Nginx or Apache
  • Make sure the FQDN resolves and that you can access the URL using the FQDN

Installing Let’s Encrypt package

  1. Install the package and its dependencies using apt.
root@worker1:~# apt install letsencrypt
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'certbot' instead of 'letsencrypt'
The following additional packages will be installed:
  python3-acme python3-certbot python3-configargparse python3-distutils python3-future python3-icu python3-josepy python3-lib2to3
  python3-mock python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-setuptools python3-tz
  python3-zope.component python3-zope.event python3-zope.hookable
Suggested packages:
  python3-certbot-apache python3-certbot-nginx python-certbot-doc python-acme-doc python-future-doc python-mock-doc python-setuptools-doc
The following NEW packages will be installed:
  certbot python3-acme python3-certbot python3-configargparse python3-distutils python3-future python3-icu python3-josepy python3-lib2to3
  python3-mock python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-setuptools python3-tz
  python3-zope.component python3-zope.event python3-zope.hookable
0 upgraded, 19 newly installed, 0 to remove and 18 not upgraded.
Need to get 1,700 kB of archives.
After this operation, 9,647 kB of additional disk space will be used.
Do you want to continue? [Y/n]

  2. Check that the certbot renewal timer is running.

root@worker1:~# systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Sat 2021-07-31 01:34:56 UTC; 2min 56s ago
    Trigger: Sat 2021-07-31 12:33:22 UTC; 10h left
   Triggers: ● certbot.service

Jul 31 01:34:56 worker1 systemd[1]: Started Run certbot twice daily.
root@worker1:~#

Generate an SSL certificate with the certbot command

The standalone authenticator starts its own temporary web server for the http-01 challenge, so it needs port 80 to be free. On a host where Nginx is already listening on port 80 it fails as shown below, which is why the following sections use the manual DNS challenge instead.

root@worker1:~# certbot certonly --standalone --agree-tos --preferred-challenges http -d unixcop.com --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for unixcop.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Set up the certificate with certbot

  1. This will set up your Apache and Nginx certificate. Test it first with the --dry-run option:
certbot -d worker1.unixcop.com --manual --preferred-challenges dns certonly --dry-run

  2. Now execute it without the --dry-run option.

certbot -d worker1.unixcop.com --manual --preferred-challenges dns certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for worker1.unixcop.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.worker1.unixcop.com with the following value:

ksOKljnWxeniwgey6EQehXVZ3xxUQM5W94kUNsugvpU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...

Set up a wildcard certificate with certbot

  1. Execute the same command, this time with a wildcard domain.

certbot -d *.unixcop.com --manual --preferred-challenges dns certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for worker1.unixcop.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.worker1.unixcop.com with the following value:

ksOKljnWxeniwgey6EQehXVZ3xxUQM5W94kUNsugvpU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
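The manual DNS challenge above (for both worker1.unixcop.com and the wildcard) requires someone to publish the TXT record and confirm it is deployed before pressing Enter, so certbot.timer cannot renew these certificates on its own. Certbot's --manual-auth-hook option runs a script with CERTBOT_DOMAIN and CERTBOT_VALIDATION in its environment to automate that step; the script below is an added example, not part of the original post, and assumes a lab DNS server that accepts nsupdate dynamic updates signed with a TSIG key (the server name and key path are placeholders).

```shell
#!/bin/sh
# Added example (not from the original post): a certbot --manual-auth-hook that
# publishes the dns-01 TXT record itself. Assumed: the lab DNS server accepts
# nsupdate dynamic updates signed with the TSIG key below (placeholder paths).
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.unixcop.com}"       # assumed authoritative server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"  # placeholder key path

# Map the domain being validated to its challenge record name. For
# *.unixcop.com certbot hands over the base domain, but strip a leading
# "*." defensively: the record always lives at _acme-challenge.<base>.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# nsupdate script that adds the validation token with a short TTL.
nsupdate_script() {
    printf 'server %s\nupdate add %s 60 TXT "%s"\nsend\n' \
        "$DNS_SERVER" "$(acme_record_name "$1")" "$2"
}

# Succeeds if the token appears among `dig +short TXT` answer lines
# (dig prints each TXT value wrapped in double quotes).
txt_published() {
    expected=$1; shift
    for line in "$@"; do
        [ "$(printf '%s' "$line" | tr -d '"')" = "$expected" ] && return 0
    done
    return 1
}

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the
# hook; without them (e.g. when sourcing the helpers) nothing is changed.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    nsupdate_script "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    # Poll the authoritative server so the CA never queries before the zone
    # update is visible (the "verify the record is deployed" step, automated).
    i=0
    while [ "$i" -lt 30 ]; do
        if txt_published "$CERTBOT_VALIDATION" $(dig +short TXT "$name" "@$DNS_SERVER"); then
            exit 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "TXT record $name not visible on $DNS_SERVER after 60s" >&2
    exit 1
fi
```

Pass it with `--manual-auth-hook /path/to/this-script.sh` and pair it with a `--manual-cleanup-hook` that sends the matching `update delete`; `certbot renew`, as triggered by certbot.timer, can then complete the dns-01 challenge unattended.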

Vhost configuration sample

server {

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name worker1.unixcop.com;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/worker1.unixcop.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/worker1.unixcop.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = worker1.unixcop.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;

    server_name worker1.unixcop.com;
    return 404; # managed by Certbot

}
