Download the 'certbot-auto' Utility
Begin by downloading the certbot-auto utility and optionally move it to a directory in your path for convenience.
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
View the 'certbot-auto' Command Line Help Info
certbot-auto -h
  certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  register             Perform tasks related to registering with the CA
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, renew, install, register, nginx, apache, standalone,
   webroot, etc.)
Run the 'certbot-auto' Command with the Apache Plugin Argument
Use the --apache parameter to automate obtaining and installing the certificate, and the -d argument to specify the domain you wish to certify. In my case I ran:
certbot-auto --apache -d blog.whabash.com
This will add an Apache VirtualHost for the specified domain which listens on port 443 (SSL/TLS). The certbot-auto command offers an option to force all requests to HTTPS, although I haven't tried it yet. I've instead been using the following RedirectMatch directive, which catches all requests to the HTTP (non-secure) port 80 VirtualHost and redirects them to port 443 for processing by the secure VirtualHost that was created in the previous step.
RedirectMatch permanent ^/(.*) https://blog.whabash.com/$1
Add the 'certbot-auto renew' Command to a Cron Job
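Since the certificate is only valid for 90 days, the documentation recommends setting up a cron job that runs the renew command twice a day. The entry below includes a user field (root), so it belongs in the system crontab (/etc/crontab) or in a file under /etc/cron.d: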
15 1,4 * * * root certbot-auto renew >> /user/ubuntu/le-renew.log
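
An added example (not from the original post or the certbot project): a small POSIX shell check that warns when a certificate is close to expiry, which is how a silently failing renew cron job eventually shows up. The function names, the 30-day threshold (certbot's default renewal window) and the throwaway self-signed sample certificate are assumptions of this example; on a real host point it at the live certificate, by default /etc/letsencrypt/live/<domain>/cert.pem.

```shell
#!/bin/sh
# Added example: detect a certificate that the renew cron job has failed to refresh.

# Return 0 if the PEM certificate $1 expires within $2 days, 1 if it does not,
# 2 if the file is missing or cannot be parsed as a certificate.
cert_expires_within() {
    cert=$1
    days=$2
    [ -r "$cert" ] || return 2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print one status line for certificate $1 with warning window $2 (days).
# Returns 0 when healthy, 1 when close to expiry, 2 when unreadable.
check_renewal() {
    rc=0
    cert_expires_within "$1" "$2" || rc=$?
    case $rc in
        1) echo "OK: $1 is valid for more than $2 days"; return 0 ;;
        0) echo "WARN: $1 expires within $2 days; check the renew cron job and its log"; return 1 ;;
        *) echo "ERROR: $1 is missing or not a certificate"; return 2 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate valid for
# 90 days, standing in for the Let's Encrypt certificate so this runs offline.
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    echo "$dir/cert.pem"
}

sample=$(make_sample_cert) && {
    check_renewal "$sample" 30 || true    # fresh 90-day certificate: OK
    check_renewal "$sample" 120 || true   # window longer than the lifetime: WARN
}
```

Run from its own cron entry or a monitoring agent, a non-zero exit from check_renewal is the signal to inspect the renew log before the certificate actually expires.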