Let's Encrypt!

The Mystery of the Unknown

For some reason I have been putting this off. I think SSL certs are a little mysterious to me. I don't completely understand the cert and chain relationship. What files do I need, and what format do they need to be in? It's all a little confusing, especially when you just want to get your site deployed. It was intimidating enough that I have always just paid for the cert and let Namecheap and cPanel take care of it for me. That's fine when it's $7 for a year, but when I want a cert for all my silly side projects and tests it's difficult to justify.

Dive In

I was working on an MQTT project for my WeeWX weather station recently and wanted encryption. I also noticed that the certs for our family domain were about to expire, and that provided the motivation I needed to finally dive in and dedicate some time to Let's Encrypt.

Certbot

So after a little research I found out that Let's Encrypt recommends Certbot when you have command line access. The Certbot site even gives you a pretty slick little guide on getting it working. I cannot believe how easy Certbot is to use! I was able to grasp what was going on and get my certs installed in a matter of a few minutes. They even encourage you to add a cron job to automatically check and renew certs as needed. There are also mechanisms to run scripts automatically during the process: a deploy hook runs only after a certificate has actually been renewed, and Certbot records the hook in that certificate's renewal config under /etc/letsencrypt/renewal/ so it runs again on every later renewal without you passing the flag again. I added a script to copy my certs for Prosody to the correct directory after they are renewed automatically!

certbot certonly --webroot -w /var/www/example -d www.example.com --deploy-hook /usr/local/sbin/example-hook.sh
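The hook script itself is not shown in the original post, so here is an added example of what example-hook.sh could look like for Prosody. It is my illustration, not the author's script. It relies on two environment variables Certbot does set for deploy hooks, RENEWED_LINEAGE (the live directory of the renewed cert, where fullchain.pem and privkey.pem live) and RENEWED_DOMAINS, and it assumes Prosody reads certificates from /etc/prosody/certs as user prosody, which is the Debian default; the directory and owner are assumptions you should adjust for your install. The point worth copying is the handling of the private key: it is written with a restrictive umask, given mode 0640, and renamed into place atomically so Prosody never reads a half-written or world-readable key.

```shell
#!/bin/sh
# example-hook.sh: a certbot --deploy-hook that hands renewed certs to Prosody.
# Added example, not the author's script or Certbot's own code.
#
# Certbot runs the deploy hook once per lineage it actually renewed, with
#   RENEWED_LINEAGE  = live directory, e.g. /etc/letsencrypt/live/www.example.com
#   RENEWED_DOMAINS  = space-separated domains covered by that certificate
#
# Assumptions (adjust for your install): Prosody looks in /etc/prosody/certs
# for <host>.crt and <host>.key, and runs as group "prosody".
PROSODY_CERT_DIR="${PROSODY_CERT_DIR:-/etc/prosody/certs}"
PROSODY_OWNER="${PROSODY_OWNER:-root:prosody}"

# install_prosody_certs LINEAGE_DIR DEST_DIR [OWNER]
# Copies fullchain.pem and privkey.pem into DEST_DIR as <name>.crt / <name>.key.
# Returns 1 (and changes nothing) if the lineage is missing either file, so a
# broken renewal never overwrites a working certificate.
install_prosody_certs() {
    lineage="$1"
    dest="$2"
    owner="${3:-}"
    name=$(basename "$lineage")

    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "deploy-hook: $lineage is missing fullchain.pem or privkey.pem" >&2
        return 1
    fi

    mkdir -p "$dest"

    # Create the copies owner-only first; the key must never be world-readable,
    # not even for the instant between cp and chmod.
    old_umask=$(umask)
    umask 077
    cp "$lineage/fullchain.pem" "$dest/$name.crt.tmp"
    cp "$lineage/privkey.pem"   "$dest/$name.key.tmp"
    umask "$old_umask"

    chmod 0644 "$dest/$name.crt.tmp"   # the chain is public anyway
    chmod 0640 "$dest/$name.key.tmp"   # key readable by owner and prosody group only
    if [ -n "$owner" ]; then
        chown "$owner" "$dest/$name.crt.tmp" "$dest/$name.key.tmp"
    fi

    # Rename into place so Prosody never sees a partially written file.
    mv "$dest/$name.crt.tmp" "$dest/$name.crt"
    mv "$dest/$name.key.tmp" "$dest/$name.key"
    return 0
}

# Only act when Certbot invoked us; sourcing the file for a test just defines
# the function and leaves the system alone.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "deploy-hook: installing certificate for $RENEWED_DOMAINS" >&2
    install_prosody_certs "$RENEWED_LINEAGE" "$PROSODY_CERT_DIR" "$PROSODY_OWNER" || exit 1
    # Ask Prosody to pick up the new files.
    if command -v prosodyctl >/dev/null 2>&1; then
        prosodyctl reload
    fi
fi
```

Make the script executable and owned by root, since Certbot runs it as root. If your Prosody is recent enough, `prosodyctl --root cert import www.example.com /etc/letsencrypt/live` does the same copy-and-chown step for you and could replace the function above; the copy-then-rename pattern is still the right shape for any other daemon (NGINX, Mosquitto for the MQTT broker, and so on) that needs its own copy of the key.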

After seeing how easy this was I finally decided, after years of procrastinating, to set up NGINX as a reverse proxy with SSL for our Subsonic install. Again, done in minutes!

Cron Job

Then to automate renewal you can run Certbot daily to check for any certs that need renewing. It only renews certs that expire within the next 30 days, so there is no harm in checking every day, and a single run tries every cert it manages. I added a daily entry in my crontab with the following command to check for renewals at 02:10 every day (in a crontab the minute field comes first and the hour second). One thing to check first: many distro packages of Certbot already install a systemd timer or an /etc/cron.d/certbot entry, so make sure you are not adding a duplicate.

10 2 * * * /usr/bin/certbot renew --quiet

Just Deploy It!

I will never worry about certs for my personal domains again! Let's Encrypt has made this so much easier! In the future I can focus on deploying my new sites and apps without wondering about SSL and whether it's worth the time and money. This could actually be enough of a motivation for me to move hosting providers for my clients. Consider yourselves warned, Namecheap!