Quick Start

Important Notes:

  • Using Digital Ocean droplet 5$/month tier
  • CentOS 7
  • Apache (I am assuming this is already installed and running)
  • May need sudo in front of these commands if you created a non-root user
  1. Install EPEL (Project Site):
    wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm # may need `yum install wget`
    yum install epel-release-latest-7.noarch.rpm
  2. Install certbot (Project Site for CentOS/Apache):
    yum install python-certbot-apache
    certbot --apache # follow prompts, I force SSL
  3. Auto-renewal (because we are lazy, modified slightly from Arch Wiki Let's Encrypt):

    • The one-shot service which runs the renewal /etc/systemd/system/certbot.service:
    [Unit]
    Description=Let's Encrypt renewal
    
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/certbot renew --quiet --agree-tos
    • The certbot.service will check for an expired certificate and install a new one only if necessary. Certbot recommends that you check twice a day with a random 60 minute delay, we do that with /etc/systemd/system/certbot.timer:
    [Unit]
    Description=Daily renewal of Let's Encrypt's certificates
    
    [Timer]
    Persistent=true
    OnBootSec=10min
    OnUnitActiveSec=12hour
    RandomizedDelaySec=1hour
    
    [Install]
    WantedBy=timers.target
    • Enable and start the timer:
    systemctl enable certbot.timer
    systemctl start certbot.timer
  4. Shortly after posting this I noticed that URLs which don't exist yield an SSL error. I had to correct the vhost in /etc/httpd/conf.d/le-redirect-www.barry-moore-ii.com\:443.conf. Just change the line: ServerAlias www.barry-moore-ii.com to ServerAlias www.barry-moore-ii.com barry-moore-ii.com (obviously using your site name). This may have been because I already set this up previously using the non-certbot version of letsencrypt, but I don't remember where I did that.

Congratulations on your automatically renewed and free SSL certificates :)