
Certbot is an ACME client that obtains SSL certificates for a web server, so that a website is accessible through HTTPS. By default, Certbot gets certificates from Let's Encrypt, the most popular free CA.

Install Certbot

sudo zypper install python3-certbot 

If you are using Apache web server, install this plugin:

sudo zypper install python3-certbot-apache

If you are using NGINX web server, install this plugin:

sudo zypper install python3-certbot-nginx

Certbot is a client of an online service, and the API might change at any time. We recommend using the latest openSUSE Leap release or Tumbleweed to get a newer Python and Certbot. The latest Leap usually ships a slightly older Certbot, which should work without problems. However, if you encounter issues, try the latest version from the openSUSE Build Service:

opi python3-certbot

Get certificates for Apache/NGINX

Let's say you have a website http://example.com/ powered by Apache/NGINX, and you want to enable HTTPS for it. Before running Certbot, make sure you have a valid Apache/NGINX virtual host config at /etc/apache2/vhosts.d/example.com.conf or /etc/nginx/vhosts.d/example.com.conf.

NGINX is not only used to serve static files and run CGI, but also as a proxy that forwards requests to a Node.js or Go app. NGINX handles SSL and IPv4/IPv6 much better than Node.js or Go. It also lets you run multiple web apps sharing the same 80/443 ports.

Run this command and follow the instructions. Certbot will install the certificates and update the Apache/NGINX config automatically:

sudo certbot run

You do NOT need to restart the Apache or NGINX server. Certbot does it for you!

If you are using another web server with no plugin support, generate the certificates only and configure your web server manually:

sudo certbot certonly

Setup auto-renew

Certificates issued by Let's Encrypt expire in 3 months. If you forget to renew certificates, your website will be inaccessible. If you don't want to waste time on this, you can set up a systemd timer or cron job to run the renew command automatically.

Systemd way:

sudo zypper install certbot-systemd-timer
sudo systemctl enable certbot-renew.timer
sudo systemctl start certbot-renew.timer

Cron way:

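sudo crontab -e
07 22 * * * /usr/bin/certbot renew

This will run renew every day at 22:07. Cron schedules to the minute, and an entry added with crontab -e has no user column: the fields are minute, hour, day of month, month and day of week, followed by the command. You should use a different random time, so that not everyone renews at the same moment and crashes the Let's Encrypt server.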
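
One way to pick that random time is to derive it from the host name, so each machine gets a stable slot of its own. This is an added example, not part of the original page: the function names are hypothetical and the use of cksum as the hash is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the openSUSE page): per-host renewal time for cron.
# Function names are illustrative; the certbot path is the one the page uses.
CERTBOT=/usr/bin/certbot

# Map a seed (normally the host name) to "MINUTE HOUR" via the POSIX cksum CRC.
# One host always gets the same slot; many hosts spread across the day.
renew_slot() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo "$((crc % 60)) $((crc / 60 % 24))"
}

# Print a daily entry for the seed in $1. Format "user" is for `crontab -e`
# (no user column); "system" is for /etc/crontab or /etc/cron.d (user column).
cron_entry() {
    slot=$(renew_slot "$1")
    minute=${slot% *}
    hour=${slot#* }
    case ${2:-user} in
        user)   echo "$minute $hour * * * $CERTBOT renew" ;;
        system) echo "$minute $hour * * * root $CERTBOT renew" ;;
        *)      echo "unknown format: $2" >&2; return 2 ;;
    esac
}

# Succeed only if $1 is a daily entry usable in `crontab -e`: minute 0-59,
# hour 0-23, "* * *" for the date fields, and an absolute command path as the
# sixth field (a user name there means the line is in system-crontab format).
check_user_entry() {
    set -f; set -- $1; set +f      # split into fields without globbing "*"
    [ $# -ge 6 ] || return 1
    case "$1$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 59 ] && [ "$2" -le 23 ] || return 1
    [ "$3$4$5" = "***" ] || return 1
    case $6 in /*) return 0 ;; *) return 1 ;; esac
}

# Entry for this machine, ready to paste into `sudo crontab -e`.
cron_entry "$(uname -n)"
```

Running certbot renew daily is safe because it only renews certificates that are close to expiry.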

Test in browser

Open your web browser, visit your website using a URL that starts with "https://", and check that the website works.

You can also test your website on SSL Labs.
