Why You Should Use WebRoot Plugin to Obtain Let’s Encrypt TLS Certificate

For those who don't know Let's Encrypt, it is a free, automated (to a large extent) and open certificate authority that issues domain-validated TLS certificates. Visit Wikipedia for more if you haven't heard of it before. This article explains why you should use the webroot plugin to obtain and renew TLS certificates from Let's Encrypt, and how to do it.


How to Install Let’s Encrypt Client

First, install the Let's Encrypt client (now called certbot) on your Linux server with the following commands. It works on pretty much every server Linux distribution. (certbot-auto has since been deprecated by the EFF; on a current system, install certbot from your distribution's package repository or as a snap instead. The rest of this article applies unchanged.)

Download certbot-auto from the EFF website.

wget https://dl.eff.org/certbot-auto

You are about to run this script as root, so verify the download against the detached signature the EFF publishes alongside it before giving it execute permission.

chmod a+x certbot-auto

Move it to a directory in your PATH, like /usr/local/bin/, and rename it to certbot.

sudo mv certbot-auto /usr/local/bin/certbot

Now the certbot command is available.

Plugins

The Let's Encrypt client provides three plugins for different web server setups.

  • apache plugin
  • webroot plugin
  • standalone plugin

Let's Encrypt supports auto-configuration of the Apache web server through the apache plugin: run a single command, reload your web page, and you have switched to HTTPS.

The webroot plugin is provided for other web servers. With this plugin the Let's Encrypt CA server asks the client to place a file under /web-root-path/.well-known/acme-challenge/ and then fetches that file over plain HTTP on port 80 (the HTTP-01 challenge) to prove you control the domain name.

The standalone plugin is for servers with no web server running. It starts its own temporary web server to talk to Let's Encrypt.

Which Plugin Should You Use?

The problem with a standalone web server is that you have to stop your running web server (Apache, Nginx or other) to free port 80 and port 443. That means downtime every time you obtain or renew the certificate.

And the problem with both the apache and standalone plugins is that they don't support websites behind a CDN (Content Delivery Network). With these plugins the Let's Encrypt client is required to configure a TLS server, referenced by an A/AAAA record under the domain name, that answers specific connection attempts using the Server Name Indication extension (the TLS-SNI-01 challenge).

If your website is behind a CDN, the A/AAAA record points at your CDN provider's edge server, so that TLS server would have to be configured there instead of on your origin server, and the validation is bound to fail. You can temporarily disable the CDN, but doing so exposes your origin server's IP to the outside world, and your TLS certificate can no longer be renewed automatically. (Let's Encrypt has since retired the TLS-SNI-01 challenge, and newer certbot releases answer the HTTP-01 challenge on port 80 with these plugins too; the standalone plugin still has to bind port 80 on the origin, and the apache plugin still has to edit the running Apache configuration, so the advantages of the webroot plugin described below stand.)

The webroot plugin is the best of the three: you don't need to stop a running web server, and it works when your site is behind a CDN. The reason is that it proves control over a domain name by placing a unique file in the web root instead of configuring a TLS server, and a CDN simply forwards the CA's request for that file to your origin (as long as it passes /.well-known/acme-challenge/ through rather than serving something of its own). With the webroot plugin you configure your web server to use TLS once, set up a cron job to renew the certificate automatically, and then forget about it and do your other work.

If you use the Apache server only and don't need a CDN, you can fully automate obtaining and renewing with the apache plugin. But if you use another web server, or you do use a CDN, then the webroot plugin is your best option for obtaining and renewing certificates.

How to Obtain TLS Certificate Using Webroot Plugin?

No matter which web server you use, you can always use the following command to obtain a TLS cert. Suppose your web root is /var/www/your-domain.com/; run the following command to obtain the certificate.

sudo certbot certonly --webroot --agree-tos --email your-email-address -d your-domain.com -w /var/www/your-domain.com/

Explanation:

  • certonly tells certbot to obtain the cert only and not install it.
  • --webroot selects the webroot plugin.
  • --agree-tos means you agree to Let's Encrypt's terms of service.
  • --email is the registration and recovery contact for your Let's Encrypt account; expiry notices are sent to it. It cannot recover a lost private key.
  • -d specifies the domain name.
  • -w specifies the web root path.

You can enter multiple sub-domains like below, as long as your web server serves the named web root for every one of them. Note the order: a -w path applies to all the -d domains that follow it, so give -w first.

-w /var/www/your-domain.com -d your-domain.com -d www.your-domain.com

You can also enter multiple root domains, each with its own web root, like below, again as long as your web server directs the Let's Encrypt validation server to the correct web root for each name.

-w /var/www/your-domain.com -d your-domain.com -w /var/www/your-domain.org -d your-domain.org -d www.your-domain.org

All these domains will be listed in one certificate. Your certificate and private key are saved under /etc/letsencrypt/archive/your-domain.com/, and certbot creates symlinks in /etc/letsencrypt/live/your-domain.com/ that point to the current file in the archive directory. The private key is readable by root only; point your web server at the live/ paths rather than copying the key somewhere more permissive.
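Before asking the CA to validate, it is worth proving to yourself that a file dropped into the challenge directory is actually reachable from the outside, and worth getting the -w/-d ordering right when several web roots are involved. The POSIX shell script below is an added example, not part of the original article or of certbot: place_token does what the webroot plugin does, check_remote fetches the token the way the CA does (plain HTTP, following redirects), and build_certbot_cmd prints the certonly command for a list of webroot=domain,domain pairs. The domains and paths are the article's placeholders.

```shell
#!/bin/sh
# Pre-flight check for the webroot (HTTP-01) challenge path.
# Added example; not from the original article or from certbot itself.

CHALLENGE_SUBDIR=".well-known/acme-challenge"

# Create the challenge directory under WEBROOT and write TOKEN with CONTENT,
# world-readable, as certbot's webroot plugin does (certbot runs as root, the
# web server does not). Prints the full path of the token file.
place_token() {
    webroot=$1; token=$2; content=$3
    dir="$webroot/$CHALLENGE_SUBDIR"
    mkdir -p "$dir" || return 1
    printf '%s' "$content" > "$dir/$token" || return 1
    chmod 0644 "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Fetch TOKEN for DOMAIN the way the CA does: plain HTTP on port 80,
# following redirects. Returns 0 only when the body matches EXPECTED.
check_remote() {
    domain=$1; token=$2; expected=$3
    got=$(curl -fsSL --max-time 10 "http://$domain/$CHALLENGE_SUBDIR/$token") || return 1
    [ "$got" = "$expected" ]
}

# Print a certbot certonly command for "webroot=domain1,domain2" pairs.
# Each -w is emitted before the -d names it serves, which is the order
# certbot expects: a webroot path applies to the domains that follow it.
build_certbot_cmd() {
    email=$1; shift
    cmd="certbot certonly --webroot --agree-tos --email $email"
    for pair in "$@"; do
        webroot=${pair%%=*}
        domains=${pair#*=}
        cmd="$cmd -w $webroot"
        old_ifs=$IFS; IFS=,
        for d in $domains; do cmd="$cmd -d $d"; done
        IFS=$old_ifs
    done
    printf '%s\n' "$cmd"
}

# End-to-end check for one WEBROOT/DOMAIN pair; removes the token afterwards.
preflight() {
    webroot=$1; domain=$2
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    expected="preflight-$token"
    path=$(place_token "$webroot" "$token" "$expected") || return 1
    if check_remote "$domain" "$token" "$expected"; then
        echo "OK: http://$domain/$CHALLENGE_SUBDIR/$token served the token"
        rc=0
    else
        echo "FAIL: $path is not reachable as http://$domain/$CHALLENGE_SUBDIR/$token" >&2
        rc=1
    fi
    rm -f "$path"
    return $rc
}

# Usage with the article's placeholder names:
#   preflight /var/www/your-domain.com your-domain.com
#   build_certbot_cmd your-email-address /var/www/your-domain.com=your-domain.com,www.your-domain.com
```

Run preflight as root (it writes into the web root) on the same host that will run certbot. A FAIL with a 301 or 404 in curl's output usually means the web server redirects or does not serve the challenge directory for that server name, which is exactly what certbot would hit.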

Once the certificate is obtained, let’s install it manually.

How to Install TLS Certificate in Apache

First, edit your virtual host file.

sudo nano /etc/apache2/sites-available/your-domain.com.conf

Add the following lines above </VirtualHost>. They need mod_rewrite (enable it with a2enmod rewrite); the HTTPS virtual host further down needs mod_ssl (a2enmod ssl).

RewriteEngine on
RewriteCond %{SERVER_NAME} =your-domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

These three lines tell Apache to redirect every visitor to the HTTPS version of your site. Let's Encrypt follows redirects when it fetches the challenge file, so renewals keep working once the HTTPS virtual host is up; if you would rather keep the challenge path on plain HTTP, add a RewriteCond that excludes /.well-known/acme-challenge/ from the rule. Save and close the file. Then create a virtual host file for the HTTPS version of your site.

sudo nano /etc/apache2/sites-available/your-domain.com-https.conf

Put the following lines in the file.

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerAdmin admin@your-domain.com
    DocumentRoot /var/www/your-domain.com/
    ServerName your-domain.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Save and close the file. The included options-ssl-apache.conf (which sets SSLEngine on plus the protocol and cipher suite settings) is written to /etc/letsencrypt/ when certbot's apache plugin runs; if you have only ever used the webroot plugin it may not exist, in which case put SSLEngine on and your own SSLProtocol and SSLCipherSuite directives in its place. Then enable the HTTPS version of your site.

sudo a2ensite your-domain.com-https.conf

And reload Apache.

sudo systemctl reload apache2

Now visit your site in your browser and you will see the padlock icon.

How to Install TLS Certificate in Nginx

Open your Nginx server block file.

sudo nano /etc/nginx/conf.d/your-domain.com.conf

Edit the file like below.

server {
        listen 80;
        server_name your-domain.com;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        server_name your-domain.com;

        root /var/www/your-domain.com/;

        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        # TLSv1.2 and up only; TLSv1.1 and the 3DES/static-RSA cipher suites are not offered.
        # Drop TLSv1.3 if your nginx is older than 1.13 or built against OpenSSL older than 1.1.1.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Forward-secret (ECDHE/DHE) suites only, AEAD first.
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!DSS';
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

 ...
    Your custom directives go here.
 ...
}

Save and close the file. Then test Nginx configs and reload.

sudo nginx -t

sudo systemctl reload nginx

If you are using Nginx 1.9.5 or above, you can add the http2 parameter after listen 443 ssl like below to enable the HTTP/2 protocol, which can significantly speed up communication between your web server and the client's web browser.

listen 443 ssl http2;
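The server block above sends every HTTP request, including the challenge request, to HTTPS, which works because Let's Encrypt follows redirects, but it ties renewals to the health of the HTTPS block. The following port-80 block is an added example, not part of the original article: it answers the challenge itself from the webroot given to certbot with -w and only redirects everything else. Paths and names are the article's placeholders.

```nginx
server {
        listen 80;
        server_name your-domain.com www.your-domain.com;

        # Serve HTTP-01 challenge files straight from the webroot certbot writes to
        # (-w /var/www/your-domain.com). Listed before the redirect so the CA reaches
        # the token over plain HTTP on port 80 even if the HTTPS block is broken.
        location ^~ /.well-known/acme-challenge/ {
                root /var/www/your-domain.com;
                default_type "text/plain";
                try_files $uri =404;
        }

        # Everything else goes to HTTPS.
        location / {
                return 301 https://$host$request_uri;
        }
}
```

After nginx -t and a reload, curl -I http://your-domain.com/.well-known/acme-challenge/test should return 404 rather than 301; a 301 means the challenge path is still being redirected. The same split can be done in Apache with a RewriteCond that excludes /.well-known/acme-challenge/ from the redirect rule.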

What About Email Server?

An email server itself can't answer the Let's Encrypt validation challenge, but we can still use the webroot plugin to obtain a certificate for it. All you need to do is create an Apache virtual host or Nginx server block for your email server's FQDN (fully qualified domain name).

So, if your email server's FQDN is mail.your-domain.com, then the ServerName in the Apache virtual host file should be mail.your-domain.com, and the server_name in the Nginx server block file should be mail.your-domain.com. Make sure that you create a web root for it and that the web server user (www-data) can read it: certbot runs as root and writes the challenge file there, and the web server has to be able to serve it.

Once that's done, use the certbot command with the webroot plugin to obtain the TLS certificate. Postfix and Dovecot, like the web server, must be reloaded after every renewal to pick up the new certificate. For how to install the TLS certificate in the Postfix SMTP server and Dovecot IMAP server, please check out the following tutorial.

How to Renew TLS Certificate Obtained with Webroot Plugin?

A Let's Encrypt TLS certificate expires after 90 days. To renew your certificate, simply run:

sudo certbot renew

The renew subcommand only renews certificates that are due, which by default means within 30 days of expiry (60 days after issuance for a 90-day cert); otherwise it tells you the certificate is not yet due for renewal. When it does renew, it reads the renewal configuration file stored at /etc/letsencrypt/renewal/your-domain.com.conf, which records the plugin and the parameters you used when first obtaining the cert.

So the above renew command is equivalent to running:

sudo certbot certonly --webroot --agree-tos --email your-email-address -d your-domain.com -w /var/www/your-domain.com/

You can force renewal with the --force-renewal option, but use it sparingly: Let's Encrypt rate-limits duplicate certificates (the same set of names) to five per week, and every forced renewal counts against that limit. To exercise the whole renewal path without issuing anything, run certbot renew --dry-run, which uses the Let's Encrypt staging environment. After a real renewal you need to reload your web server so that it presents the new certificate to clients.

sudo systemctl reload apache2

or

sudo systemctl reload nginx

Auto Renewing Certificate

To auto-renew your certificate, you simply need to edit the root user's crontab in one of the following ways.

su -

crontab -e

or

sudo crontab -e

And put the following line at the end of the file. Use the full path to certbot: cron runs with a minimal PATH that often does not include /usr/local/bin.

@daily /usr/local/bin/certbot renew --quiet

Save and close the file. The renewal command runs once per day; --quiet silences all output except errors. Don't worry about a single renewal failure, because certbot tries again every day and starts trying once the certificate is within 30 days of expiry.

Even if every automatic renewal fails, Let's Encrypt emails an expiry notice to your address once your cert is less than 20 days from expiry. (The exact timing may vary, but you will get the notice before it expires.) Then you can run the renewal command by hand, find out what is wrong with the automatic renewal, fix it and renew your cert.

You also need to reload your web server after a renewal. Rather than reloading every day (certbot renew --quiet && systemctl reload nginx reloads whether or not anything was renewed), pass certbot a deploy hook, which it runs only when a certificate was actually renewed:

@daily /usr/local/bin/certbot renew --quiet --deploy-hook "systemctl reload apache2"

or

@daily /usr/local/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"

And you can add a MAILTO line at the top of the crontab so that cron mails any output (that is, errors) to your email address. No mail means all certificates renewed successfully.

MAILTO=your-email-address
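A deploy hook can do more than reload one service. The script below is an added example, not from the original article or from certbot, serving both this section and the email server section above: certbot exports RENEWED_LINEAGE (the live/ directory of the renewed certificate) and RENEWED_DOMAINS (the space-separated names on it) to the hook, and the script refuses to reload anything unless the renewed key and certificate match, then reloads the web server and, when the mail server's FQDN is on the certificate, Postfix and Dovecot as well. The service names and mail.your-domain.com are assumptions.

```shell
#!/bin/sh
# certbot deploy hook: reload services only for a certificate that was actually renewed.
# Added example; not from the original article or from certbot. certbot exports
# RENEWED_LINEAGE and RENEWED_DOMAINS when it invokes a --deploy-hook.

MAIL_FQDN="${MAIL_FQDN:-mail.your-domain.com}"   # assumed: the mail server's name
WEB_SERVICE="${WEB_SERVICE:-nginx}"                # assumed: nginx (use apache2 for Apache)

# Map the space-separated domain list to the services that must reload.
# The web server always reloads; Postfix and Dovecot only when the mail name is present.
services_for_domains() {
    services="$WEB_SERVICE"
    for d in $1; do
        if [ "$d" = "$MAIL_FQDN" ]; then
            case " $services " in
                *" postfix "*) ;;                         # already listed
                *) services="$services postfix dovecot" ;;
            esac
        fi
    done
    printf '%s\n' "$services"
}

# Refuse to reload on a broken lineage: both files must be readable and the
# certificate's public key must match the private key.
lineage_ok() {
    lineage=$1
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

run_hook() {
    if ! lineage_ok "$RENEWED_LINEAGE"; then
        echo "deploy hook: key/certificate mismatch or unreadable files in $RENEWED_LINEAGE" >&2
        exit 1
    fi
    for svc in $(services_for_domains "$RENEWED_DOMAINS"); do
        if systemctl reload "$svc"; then
            logger -t certbot-deploy-hook "reloaded $svc for $RENEWED_DOMAINS"
        else
            echo "deploy hook: reload of $svc failed" >&2
            exit 1
        fi
    done
}

# Only act when invoked by certbot; running the file by hand without the
# variables set is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook
fi
```

Save it as, say, /usr/local/sbin/certbot-deploy-hook.sh (path assumed), make it executable, and use @daily /usr/local/bin/certbot renew --quiet --deploy-hook /usr/local/sbin/certbot-deploy-hook.sh as the cron line. To try it by hand, export the two variables yourself: RENEWED_LINEAGE=/etc/letsencrypt/live/your-domain.com RENEWED_DOMAINS='your-domain.com mail.your-domain.com' sh /usr/local/sbin/certbot-deploy-hook.sh. A failed hook makes certbot renew exit non-zero, which with MAILTO set lands in your mailbox.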

What if I used Apache or Standalone Plugin to Obtain Certificate?

No matter what plugin is used to obtain the certificate, you can always renew your cert using webroot plugin like below.

sudo certbot certonly --webroot --agree-tos --email your-email-address -d your-domain.com -w /var/www/your-domain.com/

The renewal configuration file will be changed to reflect the fact that you use webroot this time. And next time you can just enter sudo certbot renew to renew your certificate.

How to Know What plugin I used when Obtaining Certificate?

If you don’t remember which plugin you used, there’s an easy way. First, switch to the root user.

su -

Then open your renewal config file.

nano /etc/letsencrypt/renewal/your-domain.com.conf

Find the line that starts with authenticator.

authenticator = standalone

This line means you used the standalone plugin to obtain your cert.

authenticator = apache

This line means you used apache plugin to obtain your cert.

authenticator = webroot

This line means you used webroot plugin to obtain your cert.

That’s it!
