fpereiro / backendlore

How I write backends

Certbot setup is outdated #17

Closed mcdado closed 4 years ago

mcdado commented 4 years ago

To configure HTTPS with nginx: if you own a domain DOMAIN (could be either a domain (mydomain.com) or a subdomain (app.mydomain.com)) and its main A record is pointing to the IP of an Ubuntu server under your control, here's how you can set up HTTPS (be sure to replace occurrences of DOMAIN with your actual domain :):

sudo add-apt-repository ppa:certbot/certbot -y
sudo apt-get update
sudo apt-get install python-certbot-nginx -y

In the file /etc/nginx/sites-available/default, change server_name to DOMAIN.

sudo service nginx reload
sudo certbot --nginx -d DOMAIN

Add the following line to your crontab file (through sudo crontab -e): M H * * * sudo certbot renew, where M is a number between 0 and 59 and H is a number between 0 and 23. This command ensures that every day, at the specified hour, the certificates will be updated automatically so that they don't expire.

On any current Ubuntu/Debian release, this is unnecessary both because the package is already available (python-certbot-nginx for 18.04) and because certbot automatically adds a systemd timer unit, which also randomizes the renewal time within a 12-hour window to avoid renewal congestion:

/lib/systemd/system/certbot.timer:

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

/lib/systemd/system/certbot.service:

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

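
An audit script for the situation described above, added here as an example (it is not code from the backendlore repo or from certbot): it classifies whether renewal is driven by the stock certbot.timer, by a leftover hand-written crontab line, by both, or by nothing. The function names, the "audit" argument and the sample crontab line are this example's own assumptions.

```sh
#!/bin/sh
# Audit how Let's Encrypt renewal is scheduled on an Ubuntu/Debian host.
# Added example for this thread, not code from the backendlore repo; the
# function names and the "audit" argument are this example's own choices.
# It confirms the distro's certbot.timer does the renewing and flags a
# leftover crontab entry that would run "certbot renew" a second time.
# Count active (non-comment) crontab lines that run "certbot ... renew".
# Reads crontab text on stdin, prints the count.
count_cron_renew_jobs() {
    grep -v '^[[:space:]]*#' | grep -c 'certbot[^#]*renew' || true
}

# Print the value of KEY ($1) from a systemd unit read on stdin, first match.
unit_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Classify the setup from crontab text ($1) and certbot.timer text ($2):
#   timer     - systemd timer only (expected on Ubuntu 18.04 and later)
#   cron      - crontab only (the old hand-written setup)
#   duplicate - both present, renew runs from two schedulers
#   none      - nothing schedules renewal, the certificate will lapse
classify_renewal() {
    cron_jobs=$(printf '%s\n' "$1" | count_cron_renew_jobs)
    timer_cal=$(printf '%s\n' "$2" | unit_value OnCalendar)
    if [ "$cron_jobs" -gt 0 ] && [ -n "$timer_cal" ]; then echo duplicate
    elif [ -n "$timer_cal" ]; then echo timer
    elif [ "$cron_jobs" -gt 0 ]; then echo cron
    else echo none
    fi
}

# Live audit of this host: sh check_certbot_renewal.sh audit
audit_host() {
    root_cron=$(sudo crontab -l 2>/dev/null || true)
    timer_unit=$(systemctl cat certbot.timer 2>/dev/null || true)
    echo "renewal scheduling: $(classify_renewal "$root_cron" "$timer_unit")"
    echo "certbot.timer: $(systemctl is-enabled certbot.timer 2>/dev/null || echo missing)"
    echo "randomized delay (s): $(printf '%s\n' "$timer_unit" | unit_value RandomizedDelaySec)"
    sudo certbot renew --dry-run   # exercises the renewal path without issuing a certificate
}

# Constructed sample: a leftover hand-written crontab line plus the stock timer.
SAMPLE_CRON='30 4 * * * sudo certbot renew'
SAMPLE_TIMER='[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200'
if [ "${1:-}" = audit ]; then audit_host
else echo "sample setup is: $(classify_renewal "$SAMPLE_CRON" "$SAMPLE_TIMER")"   # duplicate
fi
```

Without arguments the script only classifies the constructed sample; with `audit` it reads the root crontab and the installed timer unit and finishes with a dry-run renewal.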
fpereiro commented 4 years ago

Hi @mcdado ! Thank you for pointing this out, I wasn't aware of this!

If I understand correctly then, the following three lines:

sudo add-apt-repository ppa:certbot/certbot -y
sudo apt-get update
sudo apt-get install python-certbot-nginx -y

should be replaced by merely sudo apt-get install python-certbot-nginx -y

And then I should just get rid of the crontab entry. Did I understand correctly? If so, I'll amend the document.

Thank you!

mcdado commented 4 years ago

Yes, correct. The certbot command, if launched by itself, prompts for the plugin to be used and whether it should “install” the configuration, which means adding the configuration in the sites-enabled conf file. Otherwise you’d have to add them manually.

fpereiro commented 4 years ago

Just amended the documentation. I still left a note about adding the PPA for certbot for old versions of Ubuntu (but removed the cron entry altogether). Thank you for the feedback, it's much appreciated!