How to install Let's Encrypt with the Nginx plugin and the DigitalOcean DNS plugin on Ubuntu 18.04

Install certbot client

$ sudo apt update
$ sudo apt install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt-get install certbot python-certbot-nginx

Install the DigitalOcean DNS plugin on Ubuntu 18.04

$ sudo apt-get install python3-certbot-dns-digitalocean
$ certbot plugins

Create a token on DigitalOcean

Create a personal access token on digitalocean.com with write access (certbot uses it to add the TXT records for the DNS-01 challenge), then store it in a credentials file that only your user can read (replace token below with the value you generated):

$ mkdir -p ~/.secrets/certbot
$ echo 'dns_digitalocean_token=token' > ~/.secrets/certbot/digitalocean.ini
$ chmod 600 ~/.secrets/certbot/digitalocean.ini
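A pre-flight check for the credentials file, added here as an example and not part of the original post or of certbot: it mirrors what certbot itself complains about, a credentials file readable by other users, and also catches a file that still holds the placeholder value. The function name and the placeholder word "token" are this example's own assumptions.

```shell
#!/bin/sh
# check_do_credentials FILE
# Verifies the certbot DigitalOcean credentials file before certbot runs:
#   - the file exists
#   - its mode is 600 (or 400): no group/world read access to the API token
#   - it contains a dns_digitalocean_token with a real value, not the
#     placeholder word "token" used in the tutorial
# Returns 0 when every check passes, 1 otherwise; failures go to stderr.
check_do_credentials() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing credentials file: $f" >&2
        return 1
    fi
    # GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'; try both
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode is $mode, expected 600" >&2; rc=1 ;;
    esac
    # accept both "key=value" and "key = value" (certbot reads either)
    tok=$(sed -n 's/^[[:space:]]*dns_digitalocean_token[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    if [ -z "$tok" ]; then
        echo "$f: no dns_digitalocean_token line" >&2; rc=1
    elif [ "$tok" = "token" ]; then
        echo "$f: token is still the placeholder value" >&2; rc=1
    fi
    return $rc
}
```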

Check nginx site configuration

$ sudo vi /etc/nginx/sites-available/tuenhai.com

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name tuenhai.com www.tuenhai.com;

    add_header Strict-Transport-Security max-age=31536000;

    access_log /home/tuenhai.com/logs/tuenhai_access.log;
    error_log /home/tuenhai.com/logs/tuenhai_error.log;

    root /home/tuenhai.com/public;
    index index.html index.htm;
}

server {
    listen 80;
    listen [::]:80;
    server_name tuenhai.com www.tuenhai.com;
}

Run certbot to obtain the certificate and configure nginx automatically

$ sudo certbot --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 120 -i nginx -d "*.tuenhai.com" -d tuenhai.com --server https://acme-v02.api.letsencrypt.org/directory

Check SSL configuration

$ sudo vi /etc/nginx/sites-available/tuenhai.com

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name tuenhai.com www.tuenhai.com;

    add_header Strict-Transport-Security max-age=31536000;

    access_log /home/tuenhai.com/logs/tuenhai_access.log;
    error_log /home/tuenhai.com/logs/tuenhai_error.log;

    root /home/tuenhai.com/public;
    index index.html index.htm;

    ssl_certificate /etc/letsencrypt/live/tuenhai.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tuenhai.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = tuenhai.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host ~ ^[^.]+\.tuenhai\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name tuenhai.com www.tuenhai.com;
}

SSL_ERROR_RX_RECORD_TOO_LONG

If the browser reports SSL_ERROR_RX_RECORD_TOO_LONG, nginx is answering on port 443 with plain HTTP. Check the SSL settings of the site; they should be:

    # no 'ssl on' directive
    listen 443 ssl;
    listen [::]:443 ssl;
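A small lint for this mistake, added here as an example and not taken from the post or from nginx: it reports any ssl on; directive and any listen directive on port 443 that lacks the ssl parameter, the two ways a site ends up serving plain HTTP on 443. The function name is this example's own.

```shell
#!/bin/sh
# check_nginx_tls_listen FILE
# Flags the misconfigurations behind SSL_ERROR_RX_RECORD_TOO_LONG:
#   1. a deprecated "ssl on;" directive (the ssl listen parameter replaced it)
#   2. a "listen ... 443" directive without the "ssl" parameter
# Prints one line per finding and returns 1; returns 0 when the file is clean.
check_nginx_tls_listen() {
    awk '
        # drop comments first so a commented "no ssl on" note is not reported
        { sub(/#.*/, ""); line = $0 }
        line ~ /^[ \t]*ssl[ \t]+on[ \t]*;/ {
            printf "%s:%d: deprecated \"ssl on;\" (use \"listen 443 ssl;\")\n", FILENAME, NR
            bad = 1
        }
        line ~ /^[ \t]*listen[ \t]/ && line ~ /[^0-9]443[^0-9]/ && line !~ /[ \t]ssl[ \t;]/ {
            printf "%s:%d: port 443 without the ssl parameter:%s\n", FILENAME, NR, line
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```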

Test certificate renewal

$ sudo certbot renew --dry-run

Cron Job

$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

The above cron job runs every 12 hours. If /usr/bin/certbot is executable and the directory /run/systemd/system does not exist (that is, systemd is not the init system), it sleeps for a random time of up to 43200 seconds (12 hours) and then runs certbot -q renew.

systemd timer

You can check your systemd timers with the command systemctl list-timers:

$ systemctl list-timers
NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Thu 2019-07-11 04:27:49 UTC  3h 53min left Wed 2019-07-10 22:58:52 UTC  1h 35min ago certbot.timer                certbot.service

The certbot timer lives at /lib/systemd/system/certbot.timer and triggers the unit /lib/systemd/system/certbot.service, which runs the renew command.

certbot.timer runs certbot.service at 12 am and 12 pm.

$ cat /lib/systemd/system/certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

Some tips

  • Used certbot renew --force-renewal. Verified that certificates were renewed without user interaction.
  • certbot log: /var/log/letsencrypt/letsencrypt.log
  • renewal configuration for the site: /etc/letsencrypt/renewal/tuenhai.com.conf

Reference:

  • https://devops.stackexchange.com/questions/3757/how-to-install-certbot-plugins
  • https://certbot-dns-digitalocean.readthedocs.io/en/latest/
  • https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
For any questions about life, contact 海云青飞: https://tuenhai.com