This guide talks about Certbot and is related to Nginx running on Arch Linux, because that’s what I use 🙂
- Install the certbot and certbot-nginx packages:
sudo pacman -S certbot certbot-nginx
- Check that you have a certificate file at /etc/ssl/certs/ca-certificates.crt. If not, search for a valid one on your system or create a new self-signed one. On Arch you can use the one in /etc/ca-certificates/extracted/ca-bundle.trust.crt, so if the file is missing, just create a symbolic link:
sudo ln -s /etc/ca-certificates/extracted/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt
- Run certbot. It’s magic and will do everything for us. Just follow the simple instructions on screen:
sudo certbot --nginx
- At this point your website(s) have a valid SSL certificate up and running. Let’s set up a Systemd service that will do the renewal for us automatically.
- Create a Systemd service file in /etc/systemd/system/certbot.service with this content:
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
ExecStartPost=/bin/systemctl reload nginx.service
- Create a Systemd timer file in /etc/systemd/system/certbot.timer with this content:
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
- Reload the Systemd unit files with
sudo systemctl daemon-reload
- Enable the timer and start it right away (without --now it only starts at the next boot) with
sudo systemctl enable --now certbot.timer
Done! You have just set up a free SSL certificate and the auto-renewal services on Systemd, which will run twice a day (at a random second of the minute).
Warning: if this SSL certificate is critical for your business, don’t rely on auto-renewal alone. Instead, set up a reminder in your calendar a few days before the expiry date.
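A scripted complement to that reminder, as an added example that is not part of the original guide: it flags any certificate under certbot's default /etc/letsencrypt/live directory that expires within a threshold. The 14-day default and the function names cert_status and check_all are assumptions made for this example.

```shell
#!/bin/sh
# Added example: safety net for the renewal timer. Run as root, because
# certbot keeps its live directory readable by root only.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # certbot's default location
WARN_DAYS="${WARN_DAYS:-14}"                    # assumed threshold, adjust freely

# cert_status FILE DAYS
# Prints "ok", "expiring" or "unreadable"; returns 0 only for "ok".
cert_status() {
    file=$1
    secs=$(( $2 * 86400 ))
    # A missing or corrupt file must not be mistaken for a healthy certificate.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend "$secs" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo expiring
    return 1
}

# check_all DIR DAYS
# Checks every DIR/<name>/cert.pem; returns non-zero if any needs attention
# or if no certificate was found at all (renewal may never have run).
check_all() {
    dir=$1
    days=$2
    rc=0
    found=0
    for cert in "$dir"/*/cert.pem; do
        [ -e "$cert" ] || continue
        found=1
        status=$(cert_status "$cert" "$days") || rc=1
        if [ "$status" != ok ]; then
            end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || end=""
            echo "WARNING: $cert is $status (threshold ${days}d, ${end:-no end date})" >&2
        fi
    done
    [ "$found" -eq 1 ] || { echo "WARNING: no certificates under $dir" >&2; return 1; }
    return "$rc"
}
```

Call `check_all "$LIVE_DIR" "$WARN_DAYS"` from a separate timer or cron job and send yourself a notification when it returns non-zero.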