Begin by downloading the certbot utility and optionally move it to a directory in your path for convenience.
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
certbot-auto -h

  certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  register             Perform tasks related to registering with the CA
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, renew, install, register, nginx, apache, standalone,
   webroot, etc.)
Use the --apache parameter to automate obtaining and installing the certificate, and the -d argument to specify the domain you wish to certify. In my case I ran:
certbot-auto --apache -d blog.whabash.com
This will add an Apache VirtualHost for the specified domain which listens on port 443 (SSL/TLS). The certbot-auto command offers an option to force all requests to HTTPS, although I haven't tried it yet. I've instead been using the following RedirectMatch directive, which catches all requests to the HTTP (non-secure) port 80 and redirects them to port 443 for processing by the secure VirtualHost that was created in the previous step.
RedirectMatch permanent ^/(.*) https://blog.whabash.com/$1
Since the certificate is only valid for 90 days, the documentation recommends setting up a cron job to run twice a day:
15 1,4 * * * root certbot-auto renew >> /user/ubuntu/le-renew.log
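A cron job that fails silently leaves the site serving an expiring certificate, so it helps to check the certificate itself as well as the renewal log. The script below is an added example, not part of the original post: it reports whether a certificate is still outside the renewal window. The 30-day window, the function names and the /etc/letsencrypt/live/ path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the renewal cron job
# is keeping a certificate fresh by inspecting the certificate's expiry date.

# Assumption: a certificate with fewer than 30 days left should already have
# been replaced by "certbot-auto renew"; adjust the window to your setup.
RENEW_WINDOW_DAYS=30

# cert_status PEM_FILE [WINDOW_DAYS]
# Prints one of: ok | renewal-overdue | expired | unreadable
cert_status() (
    pem=$1
    window=${2:-$RENEW_WINDOW_DAYS}
    # A missing or unparseable file is reported, never treated as valid.
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || { echo unreadable; exit 0; }
    # "-checkend N" exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $((window * 86400)) -in "$pem" >/dev/null 2>&1; then
        echo renewal-overdue
    else
        echo ok
    fi
)

# make_sample_cert DAYS OUT_PEM
# Builds a constructed, self-signed certificate so the check can be tried offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.test" -keyout "$2.key" -out "$2" >/dev/null 2>&1 &&
        rm -f "$2.key"
}

# Usage (path is an assumption based on certbot's usual layout):
#   sh check-cert.sh /etc/letsencrypt/live/blog.whabash.com/cert.pem
# Exits non-zero for anything other than "ok", so cron or monitoring can alert.
if [ "$#" -gt 0 ]; then
    status=$(cert_status "$1")
    echo "$1: $status"
    [ "$status" = ok ]
fi
```

Scheduling this check separately from the renewal job means a broken renewal is flagged while there is still time left before the certificate expires.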