Free and easy SSL certificate for your website

This guide talks about Certbot and is related to Nginx running on Arch Linux, because that’s what I use 🙂

  1. Install the certbot and certbot-nginx packages: sudo pacman -S certbot certbot-nginx
  2. Check that you have a certificate file at /etc/ssl/certs/ca-certificates.crt. If not, search for a valid one on your system or create a new self-signed one. On Arch you can use the one in /etc/ca-certificates/extracted/ca-bundle.trust.crt, so if it is missing, just create a symbolic link: sudo ln -s /etc/ca-certificates/extracted/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt
  3. Run certbot. It’s magic and will do everything for us, just follow the simple instructions on screen: sudo certbot --nginx
  4. At this point your website(s) have a valid SSL certificate up and running. Let’s set up a Systemd service that will do the renewal for us automatically.
  5. Create a Systemd service file in /etc/systemd/system/certbot.service with this content:
    [Unit]
    Description=Let's Encrypt renewal
    
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/certbot renew --quiet --agree-tos
    ExecStartPost=/bin/systemctl reload nginx.service
  6. Create a Systemd timer file in /etc/systemd/system/certbot.timer with this content:
    [Unit]
    Description=Twice daily renewal of Let's Encrypt's certificates
    
    [Timer]
    OnCalendar=0/12:00:00
    RandomizedDelaySec=1h
    Persistent=true
    
    [Install]
    WantedBy=timers.target
  7. Reload the Systemd services with sudo systemctl daemon-reload
  8. Enable the timer with sudo systemctl enable certbot.timer

Done! You just set up a free SSL certificate and the auto-renewal service on Systemd, which will run twice a day (at a random second of the minute).

Warning: if this SSL certificate is critical for your business, don’t rely on auto-renewal. Instead, set up a reminder in your calendar a few days before the expiry date.
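The reminder can be backed by a check of the expiry dates themselves. The script below is an added example, not part of the original guide; it assumes certbot's default /etc/letsencrypt/live layout, and the 20-day threshold and the function names are arbitrary choices made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report certificates close to expiry.
# certbot renew normally replaces a certificate about 30 days before it expires,
# so one with fewer than WARN_DAYS left suggests the renewal timer is failing.
WARN_DAYS=${WARN_DAYS:-20}   # assumed threshold, adjust to taste

# cert_status FILE [DAYS]: print one status line for a PEM certificate.
# Returns 0 = ok, 1 = expiring soon, 2 = expired, 3 = unreadable.
cert_status() {
    file=$1
    days=${2:-$WARN_DAYS}
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo "UNREADABLE $file"
        return 3
    fi
    end=$(openssl x509 -in "$file" -noout -enddate | cut -d= -f2)
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED $file (notAfter $end)"
        return 2
    fi
    if ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRING $file (notAfter $end, under $days days left)"
        return 1
    fi
    echo "OK $file (notAfter $end)"
    return 0
}

# check_all DIR: run cert_status on every DIR/*/cert.pem, return the worst status.
check_all() {
    worst=0
    for pem in "$1"/*/cert.pem; do
        [ -e "$pem" ] || continue
        rc=0
        cert_status "$pem" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Stand-alone use (needs root to read the directory): ./check-certs.sh /etc/letsencrypt/live
if [ "$#" -gt 0 ]; then
    check_all "$1"
fi
```

The non-zero exit status makes it easy to hook the script into whatever alerting you already have, for example a cron job that mails its output.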

Enjoy 🙂
