What is Let’s Encrypt?
Let’s Encrypt is a new certificate authority that provides free secure certificates to help get the Internet to 100% HTTPS. View the following link for more information about Let's Encrypt.
DreamHost has integrated Let's Encrypt support into the panel for hosted services, but if you want to set up automatically-renewing certificates for domains you host on a DreamCompute instance, you’ll need to do a little bit of manual installation. But the good news is, it doesn’t take long, and once you finish the setup, you should never have to worry about renewing a certificate ever again!
Get the code
First, log into your DreamCompute instance. It shouldn’t matter too much which distribution of Linux you’re running, but make sure you have the git package installed so that you can clone the letsencrypt repository, like so:
[user@instance]$ sudo -s
[root@instance]# cd /opt
[root@instance]# git clone https://github.com/certbot/certbot
Get your first certificate
Before you do this, you’ll need to make sure that your domain is actually pointing at your DreamCompute instance’s IP address, and that your webserver is configured to respond to requests for your domain name. This is required because 'Let’s Encrypt' performs checks to make sure that you control domain names that you request certificates for. If you haven't already done this, check out DreamHost's article below for assistance.
Let’s say that you have example.com configured with a DNS A record pointing at the IP address for your instance, and you have nginx configured properly to respond to requests for example.com. (Configuring your webserver is outside the scope of this guide, but there are plenty of tutorials out there.)
If you’re using nginx on a Debian or Ubuntu instance, you can use the nginx plugin for certbot-auto as shown below.
[root@instance]# /opt/certbot/certbot-auto --nginx -d example.com
This will prompt you for some information including your email address. Fill it in with valid information and you should get a new certificate. You shouldn't even need to restart your webserver or modify a configuration file, as the nginx plugin for certbot-auto was designed to handle that for you.
Adding a subdomain to an existing certificate
If after running that script you realize that you also need a certificate for a related subdomain, you can run the certbot-auto command again with additional parameters.
[root@instance]# /opt/certbot/certbot-auto --nginx -d example.com -d sub.example.com
Automatic renewal
You can have your system automatically renew all of the certificates for you using a small shell script which looks like this:
#!/bin/bash
/opt/certbot/certbot-auto renew
If you save that script in the /usr/local/bin directory as something like update_certs, you can schedule the script to run once a week with cron like so:
30 0 * * 0 /usr/local/bin/update_certs
Now, your system attempts to renew all of your certificates once a week. If there are no certificates in danger of expiring soon, nothing bad happens. But if any would have otherwise expired, then they get renewed automatically.
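The weekly cron job fails silently if certbot-auto cannot renew, for example when the domain no longer passes validation, so it is worth scheduling a separate expiry check next to it. The script below is an added example, not part of the original article or of certbot; the script name check_certs, the 14-day threshold and the use of certbot's default /etc/letsencrypt/live directory are assumptions.

```shell
#!/bin/sh
# Added example (not DreamHost's or certbot's code). Assumes certbot's default
# layout, /etc/letsencrypt/live/<name>/cert.pem, and a 14-day threshold.

# check_cert FILE [DAYS]: 0 = valid for more than DAYS days,
# 1 = expires within DAYS days, 2 = missing or not a parseable certificate.
check_cert() {
    local cert="$1" days="${2:-14}"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    openssl x509 -in "$cert" -noout -checkend "$(( days * 86400 ))" \
        >/dev/null 2>&1 || return 1
    return 0
}

# check_live_dir DIR [DAYS]: report every DIR/<name>/cert.pem.
# Returns 0 if all are healthy, 1 if any is expiring or unreadable,
# 2 if no certificate was found (an empty check must not look like success).
check_live_dir() {
    local dir="$1" days="${2:-14}" cert rc status=0 found=0
    for cert in "$dir"/*/cert.pem; do
        # Skip the unmatched glob, but keep dangling symlinks so they are reported.
        [ -e "$cert" ] || [ -L "$cert" ] || continue
        found=1
        rc=0
        check_cert "$cert" "$days" || rc=$?
        case "$rc" in
            0) echo "OK         $cert" ;;
            1) echo "EXPIRING   $cert ($(openssl x509 -in "$cert" -noout -enddate))"
               status=1 ;;
            *) echo "UNREADABLE $cert"
               status=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "NO CERTIFICATES found under $dir"
        return 2
    fi
    return "$status"
}

# Stand-alone use: check_certs /etc/letsencrypt/live 14
if [ "$#" -gt 0 ]; then
    check_live_dir "$@"
    exit $?
fi
```

Saved as /usr/local/bin/check_certs and scheduled from cron after update_certs, the non-zero exit status and the EXPIRING or UNREADABLE lines give you something to alert on.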