
Installing a free Let’s Encrypt SSL certificate on Server Pilot

I recently needed to create a live WooCommerce site for testing the API. But I needed SSL. And up until now, a proper SSL certificate cost money. Money I didn’t want to spend for a test site. But Let’s Encrypt recently entered public beta. And you know what’s cool about Let’s Encrypt? It’s a new certificate authority that is completely free – for anybody.

I couldn’t get the automated setup to run on my Server Pilot-powered Digital Ocean droplet (get $25 free credit with that link and I get $10 – win/win), so I had to do it manually. The good news is that it’s actually pretty easy. I’ll take you through it.

 


Start by SSHing into your server. You may need to first ssh with the serverpilot user and then update the password for the root user, as at least in my case I needed to use root to create the certificate. So if you have any permission issues, try the root user.

Let’s say your server’s IP is 128.199.1.1.

ssh serverpilot@128.199.1.1

You then need to download Let’s Encrypt (instructions here updated in September 2016 based on this comment).

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

If you’re using the serverpilot user, Let’s Encrypt will now be in the serverpilot user’s directory – /srv/users/serverpilot/.

You now need to stop nginx running.

sudo service nginx-sp stop

Time to create your free certificate!

./certbot-auto certonly

It’ll update itself and then ask you for the domain name(s).

 


You can enter multiple domains. For example, to cover both the www and non-www names for your site, you’d enter: mysite.com, www.mysite.com.

It may also ask you for some other information.

A moment later and you’ll be the proud owner of some new SSL certificates! Time to start nginx again:

sudo service nginx-sp start

You now need to modify your nginx configuration to use these certificates. First go to the folder that contains the nginx vhost configuration files.

cd /etc/nginx-sp/vhosts.d/

You then need to create a new file for it. If your app name is mysite for example, and when running ls in that folder you see a file called mysite.conf, you’ll want to type the following:

nano mysite.ssl.conf

Add the following to that file, changing mysite to your app name.

Save it, with ctrl + o and then exit with ctrl + x.

Restart nginx:

sudo service nginx-sp restart

And you’re done! Congratulations. You just beat the system. Sort of.

The one negative is that the SSL certificates expire every 3 months. I believe you’ll just need to follow the first couple steps and create a new SSL certificate with Let’s Encrypt. That should be all though, and I’m sure there will be auto-installation soon so it’s completely automated. You could also write a script and cron job to automate renewal. If you do, please let me know and I’ll share it here.

Renewing

Updated 21/03/2016 – Well, the original certificates that inspired this post were about to expire, and Let’s Encrypt kept emailing me to warn me, so I thought I’d better figure out how to renew them. Good news. It’s pretty easy and will take you just a moment.

Start by SSHing into your server. Go to where we installed Let’s Encrypt before, most likely by doing the following:

cd /srv/users/serverpilot/

You now need to stop nginx running.

sudo service nginx-sp stop

Then run through the certificate creation again. This will open up the Let’s Encrypt setup – just enter your domains like you did before.

./certbot-auto certonly

Once that’s done, your certificates are valid for another 3 months.

But wait! You need to restart nginx or nothing will work.

sudo service nginx-sp start

I still haven’t bothered to try to write a script to auto renew it. There should be some floating around by now, so if you’re desperate / have a lot of certificates, search around and you should find something.
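One way to script the renewal steps above, as an added example that is not the author's or ServerPilot's own code: it takes nginx-sp down only when the certificate is inside the renewal window, and always brings it back up, even if certbot fails. The certbot-auto location, the 30-day window and the function names are assumptions; it relies on GNU date and openssl being installed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: certbot-auto was
# downloaded to /srv/users/serverpilot/ and a 30-day renewal window.
CERTBOT="${CERTBOT:-/srv/users/serverpilot/certbot-auto}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# days_left "<notAfter>" <now-epoch>: whole days until the certificate expires.
# <notAfter> is the string printed by `openssl x509 -enddate` (parsed by GNU date).
days_left() {
    exp=$(date -u -d "$1" +%s) || return 2
    echo $(( (exp - $2) / 86400 ))
}

# renewal_due "<notAfter>" <now-epoch>: status 0 = renew now, 1 = not yet,
# 2 = the date could not be parsed.
renewal_due() {
    left=$(days_left "$1" "$2") || return 2
    [ "$left" -lt "$THRESHOLD_DAYS" ]
}

# renew_cert <fullchain.pem>: stop nginx-sp only when a renewal is really due,
# and always start it again so a failed renewal does not leave the site down.
renew_cert() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    [ -n "$not_after" ] || { echo "cannot read $1" >&2; return 1; }
    renewal_due "$not_after" "$(date +%s)" && due=0 || due=$?
    if [ "$due" -eq 1 ]; then
        echo "$1: not due yet, nginx-sp left running"
        return 0
    fi
    [ "$due" -eq 0 ] || { echo "bad expiry date: $not_after" >&2; return 1; }
    service nginx-sp stop
    "$CERTBOT" renew && rc=0 || rc=$?
    service nginx-sp start
    return "$rc"
}

# Runs only when invoked as:
#   renew.sh --run /etc/letsencrypt/live/<domain>/fullchain.pem
if [ "${1:-}" = "--run" ]; then
    renew_cert "$2"
fi
```

Run it as root from a daily cron job with --run and the path to the live certificate; on most days it exits without touching nginx-sp.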


28 Comments

  1. This is awesome, but what about multiple domains under a multisite install, all part of the same Server Pilot app and all using different certificates? How do I go about adding more certificates for different domains to the same app .conf?

    • I have multisite and I use lets encrypt multiple domains by doing -d subdomain1.example.com -d subdomain2.example.com -d subdomain.example.com

      and add all the subdomains under server_name in the app.ssl.conf.

      I confirm it DOESN’T work. Not sure if it doesn’t work for multiple domains or Server Pilot doesn’t allow you to do this anymore, because I checked netstat and it doesn’t open port 433 anymore; port 433 is used by sp-agent and sp-stats, not nginx-sp.

  2. Thanks for this helpful tutorial. Successfully installed Let’s Encrypt for a subdomain!
    I just need to set up auto renewal now and was wondering if this crontab will work?

    certbot renew --standalone --pre-hook "service nginx-sp stop" --post-hook "service nginx-sp start"

  3. Hello, for some reason whenever I run:
    “./letsencrypt-auto certonly --standalone”
    I get the following message:
    “-bash: ./letsencrypt-auto: No such file or directory”
    I tried it in both Serverpilot and Root.

    Thanks!

  4. I had successfully used this to create for a domain on a DO Droplet last month. However, now I am trying for a sub domain on a different droplet and it is throwing up this error:

    /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

    Troubleshooting:
    Tried to remove and add python 2.x from Ubuntu 14.04.
    Tried with different users (ubuntu, serverpilot etc)
    Followed the link https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

    It would be great if any pointers could help me solve the issue!

      • Resolved! I took the below steps to fix this issue:
        1. Login as root or use sudo on host
        2. Go to https://certbot.eff.org/ in a browser window
        3. Select from the dropdown options (webserver -> nginx & Operating system -> Ubuntu Trusty) in https://certbot.eff.org/ page
        4. Follow onscreen steps and get the certificate (should install cert in /etc/letsencrypt/live/yoursite/)
        5. Change to cd /etc/nginx-sp/vhosts.d/ (you may stop webserver sudo service nginx-sp stop)
        6. Create a ssl conf nano mysite.ssl.conf
        7. Test nginx: sudo nginx-sp -t
        8. Restart Nginx – sudo service nginx-sp restart
        9. Add redirect https plugin (in wordpress)

  5. Hi and thanks for a great tutorial Mate! I’m using a serverpilot install on glesys for a wordpress site and logged in as root I get fatal: unable to access ‘https://github.com/letsencrypt/letsencrypt/’: Could not resolve host: github.com

    Any thoughts on this?? 🙂

    Dave

    • Sounds like something’s blocking your server’s connection to GitHub. Is it a new server? Try creating a new one from scratch and giving it a go. If that doesn’t work, you may need to get in touch with Server Pilot. Cheers! 🙂

  6. Thanks for your post. When I try this, I’m getting a permission denied error on the ./certbot-auto certonly. Has something changed? I’m running ServerPilot on Vultr with Ubuntu 14.04 x64, but I think it should be the same. Right?

    Thanks!