Free SSL certificates on Digital Ocean with Letsencrypt
Quick Start
Important Notes:
- Using Digital Ocean droplet 5$/month tier
- CentOS 7
- Apache (I am assuming this is already installed and running)
- May need sudo in front of these commands if you created a non-root user
- Install EPEL (Project Site):
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm # may need `yum install wget` yum install epel-release-latest-7.noarch.rpm
- Install
certbot
(Project Site for CentOS/Apache):yum install python-certbot-apache certbot --apache # follow prompts, I force SSL
- Auto-renewal (because we are lazy, modified slightly from Arch Wiki Let’s
Encrypt):
-
The one-shot service which runs the renewal
/etc/systemd/system/certbot.service
:[Unit] Description=Let's Encrypt renewal [Service] Type=oneshot ExecStart=/usr/bin/certbot renew --quiet --agree-tos
-
The
certbot.service
will check for an expired certificate and install a new one only if necessary. Certbot recommends that you check twice a day with a random 60 minute delay, we do that with/etc/systemd/system/certbot.timer
:[Unit] Description=Daily renewal of Let's Encrypt's certificates [Timer] Persistent=true OnBootSec=10min OnUnitActiveSec=12hour RandomizedDelaySec=1hour [Install] WantedBy=timers.target
-
Enable and start the timer:
systemctl enable certbot.timer systemctl start certbot.timer
-
- Shortly after posting this I noticed that URLs which don’t exist yield an
SSL error. I had to correct the vhost in
/etc/httpd/conf.d/le-redirect-www.chiroptical.com\:443.conf
. Just change the line:ServerAlias www.chiroptical.com
toServerAlias www.chiroptical.com chiroptical.com
(obviously using your site name). This may have been because I already set this up previously using the non-certbot
version of letsencrypt, but I don’t remember where I did that.
Congratulations on your automatically renewed and free SSL certificates :)