I recently needed to create a live WooCommerce site for testing the API. But I needed SSL. And up until now, a proper SSL certificate cost money. Money I didn’t want to spend for a test site. But Let’s Encrypt recently entered public beta. And you know what’s cool about Let’s Encrypt? It’s a new certificate authority that is completely free – for anybody.
I couldn’t get the automated setup to run on my Server Pilot-powered Digital Ocean droplet (get $25 free credit with that link and I get $10 – win/win), so I had to do it manually. The good news is that it’s actually pretty easy. I’ll take you through it.
Start by SSHing into your server. You may be able to do everything as the serverpilot user, but in my case I had to use root to create the certificate: certbot writes its certificates and keys under /etc/letsencrypt, and its standalone mode has to bind port 80, both of which need root. So if you hit permission errors, switch to the root user (you may first need to log in as serverpilot and set a password for root).
Let’s say your server’s IP is 128.199.1.1.
ssh serverpilot@128.199.1.1
You then need to download Let's Encrypt's client, certbot (instructions updated in September 2016 based on a comment below). Make the script executable as well, otherwise you'll get "Permission denied" when you try to run it:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
If you're using the serverpilot user, certbot-auto will now be in the serverpilot user's home directory – /srv/users/serverpilot/.
You now need to stop nginx. certbot's standalone mode spins up its own temporary web server on port 80 to answer the Let's Encrypt challenge, and it can't do that while nginx holds the port:
sudo service nginx-sp stop
Time to create your free certificate!
./certbot-auto certonly --standalone
It'll update itself, install its dependencies (the first run takes a minute), and then ask you for the domain name(s), an e-mail address for expiry warnings, and whether you agree to the terms of service.
A single certificate can cover several names. If you want both www and non-www, enter both: mysite.com,www.mysite.com (or pass them on the command line with -d mysite.com -d www.mysite.com). Every name you list must already point at this server's IP, because Let's Encrypt connects to it over port 80 to check that you control the domain.
A moment later and you'll be the proud owner of a new SSL certificate! certbot puts it in /etc/letsencrypt/live/mysite.com/: fullchain.pem is the certificate plus the Let's Encrypt intermediate, and privkey.pem is the private key (leave that one readable by root only). Time to start nginx again:
sudo service nginx-sp start
You now need to modify your nginx configuration to use these certificates. ServerPilot keeps each app's nginx vhost in its own file, so first go to the folder that contains them.
cd /etc/nginx-sp/vhosts.d/
You then need to create a separate file for the HTTPS version of the site. If your app name is mysite, for example, running ls in that folder shows a file called mysite.conf, and you'll want to type the following:
nano mysite.ssl.conf
Add the following to that file, changing mysite to your app name.
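The contents of that file did not survive in this copy of the post, so here is an added example of an HTTPS vhost for the app, not the author's own file. It assumes the app is called mysite, the certificate was issued for mysite.com and www.mysite.com, and ServerPilot's default paths (app root under /srv/users/serverpilot/apps, logs under /srv/users/serverpilot/log, the mysite.d include directory); compare every path against the existing mysite.conf before using it.

```nginx
# mysite.ssl.conf: HTTPS vhost for the ServerPilot app "mysite".
# Added example, not the original post's file. Paths below are assumed
# ServerPilot defaults: copy the real ones from mysite.conf.
server {
    listen 443 ssl;
    server_name mysite.com www.mysite.com;

    # Use fullchain.pem, not cert.pem: it carries the Let's Encrypt
    # intermediate, without which many clients cannot build a trusted chain.
    ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # Modern protocol and cipher settings; SSLv3 and TLS 1.0 are not worth
    # keeping on a new site.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Tell browsers to stick to HTTPS. Start with a short max-age and raise
    # it once you are sure nothing on the site still needs plain HTTP.
    add_header Strict-Transport-Security "max-age=300" always;

    # Same root, logs and proxy headers as the HTTP vhost in mysite.conf
    # (assumed ServerPilot layout), so PHP and static files behave identically.
    root /srv/users/serverpilot/apps/mysite/public;
    access_log /srv/users/serverpilot/log/mysite/mysite_nginx.access.log main;
    error_log  /srv/users/serverpilot/log/mysite/mysite_nginx.error.log;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Lets the app (e.g. WordPress) see that the original request was HTTPS.
    proxy_set_header X-Forwarded-Proto $scheme;

    include /etc/nginx-sp/vhosts.d/mysite.d/*.nonssl_conf;
    include /etc/nginx-sp/vhosts.d/mysite.d/*.conf;
}
```

Run sudo nginx-sp -t before restarting so a typo cannot take the site down, then check the result from outside with openssl s_client -connect mysite.com:443 -servername mysite.com and confirm the chain verifies. Don't add a second listen 80 block for the same names: mysite.conf already binds them, and nginx would ignore the duplicate. Redirect HTTP to HTTPS in the application instead (a commenter below uses a WordPress plugin for this).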
Save it, with ctrl + o and then exit with ctrl + x.
Restart nginx:
sudo service nginx-sp restart
And you’re done! Congratulations. You just beat the system. Sort of.
The one negative is that Let's Encrypt certificates are only valid for 90 days (roughly 3 months), so they need renewing regularly. I believe you'll just need to follow the first couple of steps and create a new certificate with Let's Encrypt. That should be all though, and I'm sure auto-installation will come soon so it's completely automated. You could also write a script and cron job to automate renewal. If you do, please let me know and I'll share it here.
Renewing
Updated 21/03/2016 – Well, the original certificates that inspired this post were about to expire, and Let's Encrypt kept emailing me to warn me, so I thought I'd better figure out how to renew them. Good news. It's pretty easy and will take you just a moment.
Start by SSHing into your server. Go to where we downloaded certbot-auto before:
cd /srv/users/serverpilot/
You now need to stop nginx again, so that certbot can use port 80 for the challenge.
sudo service nginx-sp stop
Then run through the certificate creation again. This will open up the Let's Encrypt setup – just enter your domains like you did before, and confirm when it offers to replace the existing certificate. (certbot-auto also has a renew command, which re-issues every certificate that is within 30 days of expiry and does nothing otherwise; that is the one to use from a cron job.)
./certbot-auto certonly --standalone
Once that's done, your certificates are valid for another 90 days.
But wait! You need to start nginx again or nothing will work.
sudo service nginx-sp start
I still haven't bothered to try to write a script to auto-renew it. There should be some floating around by now, so if you're desperate / have a lot of certificates, search around and you should find something.
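For the renewal automation the post leaves open, here is an added example of a wrapper script for root's crontab; it is not the author's code and not part of certbot. It assumes certbot-auto lives where the post downloaded it (/srv/users/serverpilot/certbot-auto) and that nginx is controlled with the nginx-sp service commands from the post; both can be overridden with environment variables.

```bash
#!/bin/sh
# renew-le.sh: renew every Let's Encrypt certificate on a ServerPilot box.
# Added example, not from the original post. Assumed defaults (override via
# environment): CERTBOT is the certbot-auto the post downloaded to
# /srv/users/serverpilot/, NGINX_STOP/NGINX_START are the nginx-sp commands.
set -eu

CERTBOT=${CERTBOT:-/srv/users/serverpilot/certbot-auto}
NGINX_STOP=${NGINX_STOP:-"service nginx-sp stop"}
NGINX_START=${NGINX_START:-"service nginx-sp start"}
LOG=${LOG:-/var/log/renew-le.log}

# `certbot renew` only re-issues certificates that are within 30 days of
# expiry and only runs the hooks when a renewal is actually attempted, so
# running this daily is cheap and nginx is stopped only for the few seconds
# the standalone HTTP-01 challenge needs port 80.
renew_certs() {
    "$CERTBOT" renew --standalone --non-interactive \
        --pre-hook "$NGINX_STOP" \
        --post-hook "$NGINX_START"
}

# If certbot-auto itself is killed between the hooks, nginx stays down.
# Always issue the start command afterwards; it is a no-op when nginx is
# already running, and a failed renewal leaves the old certificate in place.
main() {
    if renew_certs >>"$LOG" 2>&1; then
        status=0
    else
        status=$?
        echo "renewal failed (exit $status), see $LOG" >&2
    fi
    $NGINX_START >>"$LOG" 2>&1 || true
    return "$status"
}

# Only run when invoked as `renew-le.sh run`, so the functions above can
# also be sourced and exercised on their own.
case "${1:-}" in
    run) main ;;
esac
```

Install it as root (certbot writes to /etc/letsencrypt and nginx-sp needs root), mark it executable, and add a line such as 0 4 * * * /srv/users/serverpilot/renew-le.sh run with sudo crontab -e. Running daily is safe for the reason in the comments: nothing happens until a certificate is within 30 days of expiry, which also leaves a month of retries if a renewal fails.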
This is awesome, but what about multiple domains under a multisite install, all part of the same Server Pilot app and all using different certificates? How do I go about adding more certificates for different domains to the same app .conf?
Honestly I’m not sure as I haven’t had to do this. I assume there would be a way.
I have multisite and I use Let's Encrypt with multiple domains by doing -d subdomain1.example.com -d subdomain2.example.com -d subdomain.example.com
and add all the subdomains under server_name in the app.ssl.conf.
I confirm it DOESN'T work. Not sure if it doesn't work for multiple domains or ServerPilot doesn't allow you to do this anymore, because I checked netstat and it doesn't open port 433 anymore; port 433 is used by sp-agent and sp-stats, not nginx-sp.
Are there any changes to the tutorial now that Letsencrypt is out of Beta?
Thanks!
Nope, I used it the other day without any issues! 😃 if you run into any, let me know.
How will this work with multiple domains on the same VPS?
Shouldn’t be any issue – I had 2 or 3 on one VPS I setup. Just repeat the tutorial for each domain.
Hey, this is really good, I just have one question, this is on their paid plan or you were still using the free with a manually installed certificate?
Thanks! Yep, free plan as it’s all manual installation through SSH.
Thanks for this helpful tutorial. Successfully installed Let's Encrypt for a subdomain!
I just need to set up auto renewal now and was wondering if this crontab will work?
certbot renew --standalone --pre-hook "service nginx-sp stop" --post-hook "service nginx-sp start"
I haven’t tried yet but give it a try and let us know how you go 😃
Hello, for some reason whenever I run:
"./letsencrypt-auto certonly --standalone"
I get the following message:
"-bash: ./letsencrypt-auto: No such file or directory"
I tried it in both Serverpilot and Root.
Thanks!
That sounds like Let's Encrypt wasn't installed properly, maybe try starting the tutorial again?
I had successfully used this to create a certificate for a domain on a DO Droplet last month. However, now I am trying for a subdomain on a different droplet and it is throwing up this error:
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
Troubleshooting:
Tried to remove and add python 2.x from Ubuntu 14.04.
Tried with different users (ubuntu, serverpilot etc)
Followed the link https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
It would be great if any pointers could help me solve the issue!
I’m not too sure, sorry! Hopefully another reader has a better idea and will comment with some help 🙂
Resolved! I took the below steps to fix this issue:
1. Login as root or use sudo on host
2. Go to https://certbot.eff.org/ in a browser window
3. Select from the dropdown options (webserver –> nginx & Operating system –> Ubuntu Trusty) on the https://certbot.eff.org/ page
4. Follow onscreen steps and get the certificate (should install cert in /etc/letsencrypt/live/yoursite/)
5. Change to cd /etc/nginx-sp/vhosts.d/ (you may stop webserver sudo service nginx-sp stop)
6. Create a ssl conf nano mysite.ssl.conf
7. Test nginx: sudo nginx-sp -t
8. Restart nginx – sudo service nginx-sp restart
9. Add redirect https plugin (in wordpress)
Great 🙂 Thanks for sharing!
Hi and thanks for a great tutorial, mate! I'm using a ServerPilot install on GleSYS for a WordPress site and logged in as root I get fatal: unable to access 'https://github.com/letsencrypt/letsencrypt/': Could not resolve host: github.com
Any thoughts on this?? 🙂
Dave
Sounds like something’s blocking your server’s connection to GitHub. Is it a new server? Try creating a new one from scratch and giving it a go. If that doesn’t work, you may need to get in touch with Server Pilot. Cheers! 🙂
Might want to update your article to reflect the new client name `certbot-auto` instead of `letsencrypt-auto`
`wget https://dl.eff.org/certbot-auto`
`./certbot-auto certonly`
https://github.com/certbot/certbot
“Until May 2016, Certbot was named simply letsencrypt or letsencrypt-auto, depending on install method. Instructions on the Internet, and some pieces of the software, may still refer to this older name.”
Thanks! I updated it. Do the instructions work now?
Not quite, you are still saying:
git clone https://github.com/certbot/certbot
it is not a git repo and wget should be used as @kenyonkowal commented:
wget https://dl.eff.org/certbot-auto
Ah, cheers! Fixed.
Thanks for your post. When I try this, I’m getting a permission denied error on the ./certbot-auto certonly. Has something changed? I’m running ServerPilot on Vultr with Ubuntu 14.04 x64, but I think it should be the same. Right?
Thanks!
Hmm, I haven’t tested recently but maybe try with sudo?
Try this:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto
Sorry,
./certbot-auto certonly
Thank you, it works perfectly.