====== Ubuntu - Certificates - Let's Encrypt Certificates ======

----

[[Ubuntu:Certificates:Let's Encrypt Certificates:Create and Update a LetsEncrypt SSL Certificate with CertBot|Create and Update a LetsEncrypt SSL Certificate with CertBot]]

----

Install the Let's Encrypt client, certbot:

<code bash>
sudo apt-get install letsencrypt 
</code>


If you already have a webserver running, it is recommended choosing the **"webroot"** plugin.

<code bash>
sudo letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
</code>

  * This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.

<WRAP info>
**NOTE:**  Historically LetsEncrypt did not issue wildcard certificates by design, so you probably want to get a cert for www.example.com and example.com.

But recent changes allow this, such as:

<code bash>
certbot certonly --cert-name *.sharewiz.net -d sharewiz.net,www.sharewiz.net,wiki.sharewiz.net
</code>
</WRAP>


<WRAP info>
**NOTE:**  To use the webroot plugin, your server must be configured to serve files from hidden directories.

If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
</WRAP>


<WRAP info>
**NOTE:** To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:

<code bash>
letsencrypt certonly --standalone -d example.com -d www.example.com
</code>

</WRAP>


<WRAP info>
**NOTE:**  The Let's Encrypt client creates a temporary file in webroot-path/.well-known/acme-challenge/ containing the token used by the Let's Encrypt server to verify that you own the domain you are attempting to get a free ssl certificate for.
</WRAP>


----

===== Config Files =====

The file /etc/letsencrypt/configs/my-domain.conf, where my‑domain is your fully qualified domain name (for example, www.example.com)

<file bash /etc/letsencrypt/configs/my-domain.conf>
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = my-domain
#domains = www.example.com,example.com,www.test.com,test.com

# increase key size
rsa-key-size = 4096

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders
email = my-email

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/example/
</file>

<WRAP info>
**NOTE:**  For multiple domains do not include a space after the comma:

<code bash>
domains = www.example.com,example.com,www.example2.com,example2.com
</code>

</WRAP>

----

===== Generate your first cert =====

To generate your first cert, open a shell and execute the letsencrypt-auto script

<code bash>
# cd /root/letsencrypt
# ./letsencrypt-auto --config /etc/letsencrypt/configs/example.com.conf certonly
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/mydomain.conf certonly

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert will
   expire on 2016-02-05. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
</code>

<WRAP info>
**NOTE:**  The **certonly** command: we only want to issue certificates and don't want the client to fiddle with our nginx config.
</WRAP>

----

===== NginX config =====

Update your nginx sites to use the new certificate and private key:

<file bash /etc/nginx/sites-available/example.com>
server {
  ...

  ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

  ...
}
</file>


Also add following lines in your nginx config:

<file bash /etc/nginx/sites-enabled/default>
#  location ~ /.well-known {
#    allow all;
#  }

#  location /.well-known/acme-challenge {
#    root /var/www/example;
#  }

  location ~ /\.well-known\/acme-challenge {
    allow all;
  }

</file>

otherwise it will response an unauthorized error.

----

===== Permissions =====

We need a user www-data to be able to run the Python script letsencrypt-auto.

----

===== Restart Nginx =====

Verify the configuration file is syntactically valid and restart NGINX:

<code bash>
sudo nginx -t && sudo nginx -s reload
</code>

----

===== Automating renewal =====

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.

Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature.

You can test automatic renewal for your certificates by running this command:

<code bash>
letsencrypt renew --dry-run 
</code>


or Monthly cron job in /etc/cron.monthly:

<code bash>
#!/bin/sh

# create new certs
cd /root/letsencrypt

for conf in $(ls /etc/letsencrypt/configs/*.conf); do
#  ./letsencrypt-auto --renew --config "$conf" certonly
  ./letsencrypt-auto --renew-by-default --config "$conf" certonly
done

<WRAP todo>
**TODO:** Check if letsencrypt-auto is now certbot-auto. 
</WRAP>
 

# make sure nginx picks them up
service nginx restart
</code>

or

<code bash>
#!/bin/sh

cd /opt/letsencrypt/
#./certbot-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
./certbot-auto --non-interactive --keep-until-expiring --agree-tos --quiet --config /etc/letsencrypt/configs/my-domain.conf certonly

if [ $? -ne 0 ]
 then
        ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
        echo -e "The Let's Encrypt cert has not been renewed! \n \n" \
                 $ERRORLOG
 else
        nginx -s reload
fi

exit 0
</code>

<WRAP todo>
**TODO:**  if you want to make your crontab to work you need to agree by default, add these lines to your my-domain.conf
</WRAP>


  renew-by-default
  agree-dev-preview
  agree-tos


Create /var/log/letsencrypt/ if it doesn’t exist.


And now I get new certs on the first of every month. 


To test your cron monthly script you can use (as root):

<code bash>
run-parts -v /etc/cron.monthly
</code>

----

===== Add or remove addition domains to a certificate =====

<code bash>
certbot certonly --cert-name drdizzy.com -d drdizzy.com,www.drdizzy.com
</code>

<WRAP important>
IMPORTANT:  A DNS entry must exist for the entries so ensure this is added.
</WRAP>


----

===== Add all sub-domains to a certificate =====

<code bash>
certbot certonly --cert-name *.sharewiz.net -d sharewiz.net,www.sharewiz.net,wiki.sharewiz.net
</code>

<WRAP important>
IMPORTANT:  A DNS entry must exist for the * so ensure this is added.
</WRAP>


----

===== To Renew manually =====


<code bash>
letsencrypt certonly --webroot -w /var/www/peterroux.com -d peterroux.com -d www.peterroux.com
</code>



----

===== References =====

https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/

https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/

https://gist.github.com/xrstf/581981008b6be0d2224f

https://gist.github.com/dominikwilkowski/435054905c3c7abc2badc92a0acff4ba

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04