Let’s Encrypt


Get Certbot, the Linux client:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

I recommend installing it in:

mv certbot-auto /opt/certbot-auto

Create an alias for it by adding this line to ~/.bash_profile:

alias certbot-auto='/opt/certbot-auto'

Refresh bash:

. ~/.bash_profile


Allow HTTPS to your server:

Port 443

Enable SSL module:

sudo a2enmod ssl

Add your Apache virtual host files: example.conf for the naked domain and www-example.conf for the www domain.

Try letting certbot-auto set up everything. This will create both example-le-ssl.conf and www-example-le-ssl.conf.

certbot-auto --cert-name example.com -d example.com,www.example.com --apache --redirect

Edit example.conf and example-le-ssl.conf to redirect to https://www.example.com:

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Make sure your .htaccess (in your app’s root) doesn’t have any weird redirects. Otherwise you’ll get:

The client lacks sufficient authorization

Auto renew

The cert expires in 90 days. Create a crontab to check every day:

0 5 * * * /opt/certbot-auto renew --quiet --no-self-upgrade
12 5 * * * /opt/certbot-auto renew --quiet --no-self-upgrade

Renewal will fail if there are any redirects from HTTP to HTTPS.
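
The cron job only attempts a renewal; it does not confirm that the certificate on disk was actually replaced. The script below is an added example, not part of the original post, that reports any certificate whose remaining lifetime shows renewal has been failing. It assumes certbot's default directory /etc/letsencrypt/live and its default of renewing once fewer than 30 days remain; the 20-day threshold and the script path are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): detect renewals that are failing.
# Assumptions: certbot's default lineage directory and its default of renewing
# once fewer than 30 days remain; 20 days is an example warning threshold.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# cert_status PEM [WARN_DAYS] -> prints ok | renewal-overdue | expired | unreadable
cert_status() {
    pem=$1
    warn_days=${2:-20}
    # Reject missing files and anything openssl cannot parse as a certificate.
    if [ ! -r "$pem" ] || ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$pem" >/dev/null 2>&1; then
        echo renewal-overdue; return 1
    fi
    echo ok
}

# check_all [WARN_DAYS]: report every lineage that is not "ok".
# Prints nothing and returns 0 when healthy, so cron only mails on a problem.
check_all() {
    rc=0
    for pem in "$LIVE_DIR"/*/cert.pem; do
        [ -e "$pem" ] || continue          # glob matched nothing
        status=$(cert_status "$pem" "${1:-20}") || rc=1
        if [ "$status" != ok ]; then
            end=$(openssl x509 -noout -enddate -in "$pem" 2>/dev/null | cut -d= -f2)
            echo "$pem: $status (notAfter: ${end:-unknown})"
        fi
    done
    return $rc
}

# Run from cron after the renew job, e.g. (script path is hypothetical):
#   30 5 * * * /opt/check-certs.sh --check
if [ "${1:-}" = "--check" ]; then
    check_all
    exit $?
fi
```

Run it as root, since the files under /etc/letsencrypt/live are not readable by ordinary users.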


