Setting up Let’s Encrypt on DreamCompute with Apache

What is Let’s Encrypt?

Let’s Encrypt is a new certificate authority that provides completely free certificates, with the goal of getting the Internet to 100% HTTPS.

DreamHost has integrated Let’s Encrypt support into its panel for hosted services, but if you want to set up automatically-renewing certificates for domains you host on a DreamCompute instance, you’ll need to do a little bit of manual installation. But the good news is, it doesn’t take long, and once you finish the setup, you should never have to worry about renewing a certificate ever again!

Get the packages

Start by logging into your DreamCompute instance. These instructions are for Ubuntu, and the commands may change depending on what distribution of Linux you’re running. Install the certbot package like so:

[user@instance]$ sudo apt install certbot python3-certbot-apache -y

Get your first certificate

Before you do this, you’ll need to make sure that your domain is actually pointing to your DreamCompute instance’s IP address, and that your instance is configured to respond to requests for your domain name. This is required because Let’s Encrypt checks that you control the domain names you request certificates for. If you have not already done this, view the article below for assistance:

You must also make sure that you have Apache already configured properly to respond to requests for example.com.

Once your site is configured and responding to the default Apache page, proceed with ordering the certificate like so:

[user@instance]$ sudo certbot --apache -d example.com

This will prompt you for some information including your email address. The last question you're asked is if you want to redirect all traffic to the https version of your site's URL. It's highly recommended that you choose to do this. Type the number '2' to choose this option. For example:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/example.com.conf to ssl vhost in /etc/apache2/sites-available/example.com-le-ssl.conf

This will finalize your new certificate. You shouldn’t even need to restart your instance or modify a configuration file as the Apache plugin for certbot was designed to handle this for you.

Adding a subdomain to an existing certificate

If, after running that command, you realize that you also need a certificate for a related subdomain, you can run the certbot command again with additional parameters.

[user@instance]$ sudo certbot --apache -d example.com -d sub.example.com

Automatic renewal

You can have your system automatically renew all of the certificates for you using a small shell script which looks like this:

#!/bin/bash

# Renew every certificate that is close to expiry; the rest are left alone.
certbot renew

If you save that script in the /usr/local/bin directory as something like update_certs, you can schedule the script to run once a week with a cron job like so:

30 0 * * 0 /usr/local/bin/update_certs

Now, your system attempts to renew all of your certificates once a week. If there are no certificates in danger of expiring soon, nothing bad happens. But if any would have otherwise expired, then they get renewed automatically.
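
A weekly job like this fails silently if cron or certbot stops working, so it helps to check certificate age independently of the renewal itself. The script below is an added example, not part of the original article; the function names and the 21-day threshold are assumptions, and the sample dates are constructed.

```bash
#!/bin/bash
# Added example (not from the article): flag a certificate that the weekly
# renewal job should already have replaced.
# Assumptions: function names and the 21-day threshold are illustrative.
# certbot renews by default once a certificate is within 30 days of expiry,
# so with a weekly job a healthy certificate stays above roughly 23 days.
OVERDUE_DAYS=21

# Print seconds from NOW ($2, epoch) until the expiry in $1, given as an
# `openssl x509 -enddate` line ("notAfter=Jun  1 12:00:00 2025 GMT").
# Uses GNU date, as shipped with Ubuntu.
seconds_left() {
    local stamp="${1#notAfter=}" expiry
    [ -n "$stamp" ] || return 1          # date -d "" would silently succeed
    expiry=$(date -u -d "$stamp" +%s 2>/dev/null) || return 1
    echo $(( expiry - $2 ))
}

# Classify an expiry line as ok, renewal-overdue, expired or unparseable.
renewal_status() {
    local left
    left=$(seconds_left "$1" "$2") || { echo "unparseable"; return 0; }
    if   [ "$left" -le 0 ]; then echo "expired"
    elif [ "$left" -lt $(( OVERDUE_DAYS * 86400 )) ]; then echo "renewal-overdue"
    else echo "ok"
    fi
}

# Check a PEM certificate on disk against the current time.
check_cert_file() {
    local enddate
    enddate=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null) \
        || { echo "unreadable"; return 0; }
    renewal_status "$enddate" "$(date +%s)"
}

# Constructed sample input: a fixed "now" and three made-up expiry lines.
NOW=$(date -u -d "2025-05-01 12:00:00 UTC" +%s)
for line in "notAfter=Jul 10 12:00:00 2025 GMT" \
            "notAfter=May 15 12:00:00 2025 GMT" \
            "notAfter=Apr 30 12:00:00 2025 GMT"; do
    printf '%s -> %s\n' "$line" "$(renewal_status "$line" "$NOW")"
done
```

On the instance, point check_cert_file at certbot's default certificate location, /etc/letsencrypt/live/example.com/cert.pem, and treat any result other than ok as a sign that the renewal job needs attention.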
