DigitalOcean Certbot Standalone mode
Did you know that Certbot's standalone mode can secure services other than a web server, such as a message broker or a mail server? Certbot provides a variety of options for validating the domain, configuring Apache and Nginx automatically, retrieving certificates, and so on.
Our Technical Experts will walk you through the following topics in this in-depth guide:
- Certbot installation
- Running Certbot
- Setting up the application
- Taking care of Certbot’s automatic renewals
However, before we get started, let’s go over the prerequisites:
- A server with a non-root user that has sudo privileges. It should also be protected by a basic firewall.
- A domain name whose DNS record points to the server.
- On the server, port 80 or 443 should be open in the firewall and not already in use by another service.
How to install Certbot?
According to our Technical Support Team, we can install Certbot from the snap package. Before we can do that, snapd must be installed. Fortunately, snaps are supported out of the box on Ubuntu 20.04; all we have to do is ensure the snapd core snap is up to date:
sudo snap install core; sudo snap refresh core
If the server has a previous version of certbot, we can remove it with the following command:
sudo apt remove certbot
The certbot package must then be installed:
sudo snap install --classic certbot
Finally, link the certbot command from the snap installation directory into our path:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
How to run Certbot?
To prove our control over the domain, we'll answer the Let's Encrypt API's cryptographic challenge on port 80 or 443, so the firewall must let that traffic through:
sudo ufw allow 443
Output
Rule added
Rule added (v6)
We can then use Certbot to obtain the certificate. The --standalone option tells Certbot to answer the challenge with its own built-in web server. The -d flag specifies the domain for which we want the certificate; repeating -d covers multiple domains with a single certificate.
sudo certbot certonly --standalone -d the_domain
After running the above command, we must enter an email address and accept the terms of service. This is followed by a message indicating that the process was completed successfully and the location of the certificates.
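As an added example (not part of the original guide), the script below turns the interactive step above into something that can run unattended: it first checks that the challenge port is not already bound by another service (the standalone plugin answers the HTTP-01 challenge on port 80 by default; port 443, which the ufw rule above opens, is what the TLS-ALPN-01 challenge uses), then issues against the staging environment before requesting a real certificate, so a misconfiguration does not burn Let's Encrypt rate limits. The placeholders the_domain and admin@the_domain are assumptions; the certbot flags used (--non-interactive, --agree-tos, -m, --staging) are standard certbot options.

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight port check and a
# non-interactive standalone issuance, tried against staging first.
# Placeholders: the_domain and admin@the_domain are assumptions.

# Return 0 if any socket is in LISTEN state on the given TCP port.
# Reads /proc/net/tcp and /proc/net/tcp6, where column 2 is "HEXIP:HEXPORT"
# and column 4 is the socket state (0A = LISTEN). On a non-Linux host the
# files are absent and the function reports "not listening".
port_listening() {
  want=$(printf '%04X' "$1")
  for f in /proc/net/tcp /proc/net/tcp6; do
    [ -r "$f" ] || continue
    if awk -v p="$want" 'NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == p) found = 1 }
                         END { exit found ? 0 : 1 }' "$f"; then
      return 0
    fi
  done
  return 1
}

# Build the certbot argument list.
#   $1  "staging" or "prod"
#   $2  contact e-mail (answers the prompt the guide mentions)
#   $3+ one or more domains, each emitted as its own -d option
certbot_args() {
  env=$1; email=$2; shift 2
  args="certonly --standalone --non-interactive --agree-tos -m $email"
  if [ "$env" = "staging" ]; then
    args="$args --staging"
  fi
  for d in "$@"; do
    args="$args -d $d"
  done
  printf '%s' "$args"
}

main() {
  domain=${1:-the_domain}
  if port_listening 80; then
    echo "port 80 is already in use; stop the service bound to it first" >&2
    exit 1
  fi
  # Word splitting of the argument string is intentional here.
  # shellcheck disable=SC2046
  sudo certbot $(certbot_args staging "admin@$domain" "$domain") || exit 1
  sudo certbot $(certbot_args prod "admin@$domain" "$domain")
}

if [ "${RUN_ISSUANCE:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as `RUN_ISSUANCE=1 sh issue.sh the_domain`. Because the staging run uses the same argument list as the production run, any error it reports (wrong DNS, blocked port, typo in the domain) is caught before a real certificate is requested.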
How should the application be configured?
We’re going to look at what Certbot downloaded in this step. To list the directory that contains the keys and certificates, we can use the ls command, as shown below:
sudo ls /etc/letsencrypt/live/the_domain
Output:
cert.pem chain.pem fullchain.pem privkey.pem README
Some software can use the certificates in their original format and location, while other software needs them converted to a different format or copied somewhere else. In the latter case, we'll need to write a script to move the files around and change permissions as needed.
How to manage Certbot automatic renewals?
Let's Encrypt certificates expire after 90 days, so renewal should be automated. The certbot package handles this by adding a renew script to /etc/cron.d. The script runs twice a day and renews any certificate that will expire within the next 30 days.
We can use the renew_hook option to run other tasks after a successful renewal, such as copying the new files into place and reloading the service that uses them. To add it, we edit the renewal configuration file Certbot created for the domain:
sudo nano /etc/letsencrypt/renewal/the_domain.conf
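The deployment script the "configuring the application" section calls for, and the renew_hook registration just described, as one added example (not code from the guide or from Certbot). It copies fullchain.pem and privkey.pem into a directory another service reads, keeps the private key readable only by that service's account, and adds a renew_hook line to the renewal configuration in an idempotent way. The service name the_service, its account, the target directory /etc/the_service/tls and the script path /usr/local/sbin/deploy-cert.sh are assumptions; RENEWED_LINEAGE is the environment variable Certbot sets for hooks to the live directory of the certificate that was just renewed.

```shell
#!/bin/sh
# Added example (not from the guide): deploy renewed certificate files with
# tight permissions and register this script as Certbot's renew_hook.
# Assumed names: the_service (service and account), /etc/the_service/tls,
# /usr/local/sbin/deploy-cert.sh.
set -eu

# Copy fullchain.pem and privkey.pem from SRC (a live/ directory) into DEST.
# The chain is world-readable (0644); the private key is 0600. Ownership is
# changed only when running as root, which is the case when Certbot runs us.
install_cert_files() {
  src=$1; dest=$2; owner=$3
  mkdir -p "$dest"
  install -m 0644 "$src/fullchain.pem" "$dest/fullchain.pem"
  install -m 0600 "$src/privkey.pem" "$dest/privkey.pem"
  if [ "$(id -u)" = 0 ]; then
    chown "$owner" "$dest/fullchain.pem" "$dest/privkey.pem"
  fi
}

# Add or replace the renew_hook line in a renewal config such as
# /etc/letsencrypt/renewal/the_domain.conf. The option belongs in the
# [renewalparams] section; re-running with a new hook replaces the old one.
set_renew_hook() {
  conf=$1; hook=$2
  tmp=$(mktemp)
  if grep -q '^renew_hook *=' "$conf"; then
    sed "s|^renew_hook *=.*|renew_hook = $hook|" "$conf" > "$tmp"
  else
    awk -v h="$hook" '{ print } /^\[renewalparams\]/ { print "renew_hook = " h }' "$conf" > "$tmp"
  fi
  cat "$tmp" > "$conf"   # write through the existing file to keep its mode
  rm -f "$tmp"
}

main() {
  # Certbot exports RENEWED_LINEAGE for hooks; fall back to the_domain by hand.
  src=${RENEWED_LINEAGE:-/etc/letsencrypt/live/the_domain}
  install_cert_files "$src" /etc/the_service/tls the_service
  systemctl reload the_service
}

# Only run the deployment when executed as the installed hook script.
case "$0" in
  */deploy-cert.sh) main "$@" ;;
esac
```

After installing the script, register it once with `set_renew_hook /etc/letsencrypt/renewal/the_domain.conf /usr/local/sbin/deploy-cert.sh` (as root) and confirm with `sudo certbot renew --dry-run` that the renewal configuration still parses; run the script by hand once as well, because a dry run does not execute deploy hooks by default.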
Are you looking for an answer to another query? Contact our technical support team.