The system I use in this example is an older Debian installation and I won’t be a using a package manager, but the same can be done on Ubuntu or newer Debian releases. You can find instructions for many other system on the Certbot website.
First of all make sure that your firewall allows traffic through port 443.
If you are using iptables:
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Or if you are using UFW:
sudo ufw allow https
Next let’s get
certbot-auto from the official source:
And make it executable:
chmod a+x certbot-auto
The next step will differ depending on your webserver. If you are using Apache, just substitute the
--nginx flag in this command for
You may need
sudo for some of these commands, depending on your system.
This will generate the key files and certificate for you. The script will actually detect the sites you are running on your server and ask you for which of them to generate the certificate. Make sure to make the appropriate choices for your sites, such as choosing www and non-www domains, etc. You can also let certbot modify your webserver config for you, which is very handy.
Once that is done, let’s test if the renewal process works as well:
certbot-auto renew --dry-run
This should pass without problems as well. All that’s left to do now is to setup a cronjob to make sure that certbot will periodically try to renew the certificate for you.
And add the following line at the bottom of the file:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /path/to/certbot-auto renew
Save it, confirming to write to a temporary file. This is normal when making changes to crontab.
Now certbot will try to renew twice a day at a random minute of the hour. It won’t do anything though unless the certificate is actually up for renewal.
If you visit your site now, it should already be running on HTTPS. Most software will need some adjustments though, such as setting the
SITE_URL to the new https domain, or fixing links and image paths in your source code and CSS.