Certbot

Most ingress stacks in Docker and Kubernetes, such as Traefik or cert-manager, handle certificate issuance and renewal automatically.

However, there are times when a Linux VM is used instead of containers and still needs automated TLS certificates from Let's Encrypt.

Certbot streamlines the certificate request and renewal process. The steps below use the Cloudflare DNS plugin, so the ACME challenge is answered with a DNS TXT record (DNS-01) rather than over HTTP on port 80.

Reference

Installation

Option A: snap (Certbot's recommended install; it also ships a systemd timer that runs certbot renew twice a day)

  1. sudo snap install --classic certbot
  2. Ensure certbot can be run from PATH
    sudo ln -s /snap/bin/certbot /usr/bin/certbot
  3. Acknowledge that the installed plugin will have the same classic containment as the Certbot snap
    sudo snap set certbot trust-plugin-with-root=ok
  4. Install the Cloudflare Certbot plugin
    sudo snap install certbot-dns-cloudflare

Option B: pip in a virtual environment (no renewal timer is installed; see Create Cron Job below)

  1. Install dependencies
    sudo apt update; sudo apt install python3 python3-venv libaugeas0
  2. Create a Python virtual environment
    sudo python3 -m venv /opt/certbot/
  3. Update pip in the virtual environment
    sudo /opt/certbot/bin/pip install --upgrade pip
  4. Install Certbot in the virtual environment
    sudo /opt/certbot/bin/pip install certbot
  5. Create a symlink from Certbot in the virtual environment into PATH
    sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
  6. Install the Cloudflare Certbot plugin
    sudo /opt/certbot/bin/pip install certbot-dns-cloudflare

Request Certificate

  1. Create the Cloudflare credentials file (~/cloudflare.ini) with an API token that has Zone:DNS:Edit permission for the zone. The token can rewrite the zone's records, so restrict the file to its owner (mode 600); Certbot warns if it is world-readable.
dns_cloudflare_api_token = <cloudflare_api_token>
  2. Generate the cert (use -d example.com -d '*.example.com' for a wildcard; DNS-01 is the only challenge that can issue one)
certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/cloudflare.ini \
-d example.com

Create Cron Job

Only needed for the pip install; the snap already runs certbot renew on a timer. Run it from root's crontab, since certbot renew writes to /etc/letsencrypt and ~ resolves to the crontab owner's home. Certbot records the plugin and credentials path in /etc/letsencrypt/renewal/<name>.conf at issuance, so a bare certbot renew would also work; the explicit flags simply pin the same values.

  1. sudo crontab -e
  2. 0 6,12 * * * /usr/bin/certbot renew --dns-cloudflare --dns-cloudflare-credentials ~/cloudflare.ini

Creating Pre and Post hooks

With the Cloudflare DNS plugin the challenge is DNS-01, so Certbot never needs port 80 and the web server does not have to be stopped for the challenge itself (that is only required by the HTTP-01 standalone plugin when something else is bound to port 80). Hooks are still needed to deploy the renewed files to wherever the service reads them and to restart that service so it loads the new certificate. Executable scripts placed in /etc/letsencrypt/renewal-hooks/pre/, /etc/letsencrypt/renewal-hooks/post/ and /etc/letsencrypt/renewal-hooks/deploy/ are run automatically by certbot renew; a deploy hook runs only when a certificate was actually renewed, whereas pre/post hooks run whenever a renewal is attempted.

Below uses Harbor certificate renewal as an example. Harbor's nginx container reads its certificate from /data/cert/server.crt and /data/cert/server.key, and the files are refreshed when the container is restarted. Stopping nginx before renewal is not required for DNS-01 and only causes downtime while the certificate is issued; it is kept here to match the original setup.

  1. Create the pre-hook in /etc/letsencrypt/renewal-hooks/pre/ (make it executable)
#!/bin/bash
/usr/bin/docker stop nginx
  2. Create the post-hook in /etc/letsencrypt/renewal-hooks/post/ (make it executable)
#!/bin/bash
cp -f /etc/letsencrypt/live/repo.punydev.me/fullchain.pem /data/cert/server.crt
cp -f /etc/letsencrypt/live/repo.punydev.me/privkey.pem /data/cert/server.key
/usr/bin/docker start nginx
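The following is an added example, not a script from the original page or from the Certbot or Harbor projects. It replaces the stop/copy/start pair above with a single deploy hook, which Certbot runs only when a certificate was actually renewed, with RENEWED_LINEAGE set to the /etc/letsencrypt/live/<name> directory. It reuses the page's Harbor paths (/data/cert/server.crt, server.key) and hostname (repo.punydev.me); the CERT_DIR, HARBOR_HOST and RESTART_CMD overrides, the temporary-file rename, and the docker restart command are assumptions for illustration. It copies the two files with tight permissions, verifies the copy byte for byte, and only then restarts the container, so a half-written key can never be what nginx loads.

```shell
#!/bin/sh
# Certbot deploy hook for Harbor (added example, not Certbot's or Harbor's own code).
# Certbot invokes deploy hooks with RENEWED_LINEAGE (the live/<name> directory)
# and RENEWED_DOMAINS (space-separated names) in the environment.
set -eu

CERT_DIR="${CERT_DIR:-/data/cert}"                    # assumed: Harbor's cert directory
HARBOR_HOST="${HARBOR_HOST:-repo.punydev.me}"         # lineage name from the page
RESTART_CMD="${RESTART_CMD:-/usr/bin/docker restart nginx}"   # assumed restart command

# lineage_matches LINEAGE_DIR HOST: true when the renewed lineage is the Harbor one.
# A host may have several lineages; only the Harbor one should touch /data/cert.
lineage_matches() {
  [ "$(basename "$1")" = "$2" ]
}

# install_cert LINEAGE_DIR DEST_DIR: copy fullchain/privkey into DEST_DIR as
# server.crt / server.key. Files are written under a temporary name, given their
# final permissions, then renamed, so a reader never sees a partial or
# world-readable key (the rename is atomic on the same filesystem).
install_cert() {
  src="$1"
  dest="$2"
  if [ ! -f "$src/fullchain.pem" ] || [ ! -f "$src/privkey.pem" ]; then
    echo "deploy hook: missing fullchain.pem or privkey.pem in $src" >&2
    return 1
  fi
  mkdir -p "$dest"
  cp -f "$src/fullchain.pem" "$dest/server.crt.tmp"
  cp -f "$src/privkey.pem" "$dest/server.key.tmp"
  chmod 644 "$dest/server.crt.tmp"
  chmod 600 "$dest/server.key.tmp"
  mv -f "$dest/server.crt.tmp" "$dest/server.crt"
  mv -f "$dest/server.key.tmp" "$dest/server.key"
}

# cert_installed LINEAGE_DIR DEST_DIR: true only if the deployed files are
# byte-for-byte identical to the lineage, i.e. the copy really happened.
cert_installed() {
  cmp -s "$1/fullchain.pem" "$2/server.crt" && cmp -s "$1/privkey.pem" "$2/server.key"
}

main() {
  lineage="${RENEWED_LINEAGE:-}"
  if ! lineage_matches "$lineage" "$HARBOR_HOST"; then
    echo "deploy hook: '$lineage' is not the $HARBOR_HOST lineage, nothing to do"
    return 0
  fi
  install_cert "$lineage" "$CERT_DIR"
  if ! cert_installed "$lineage" "$CERT_DIR"; then
    echo "deploy hook: verification of $CERT_DIR failed, not restarting" >&2
    return 1
  fi
  # Restart only after the new files are verified in place.
  $RESTART_CMD
}

# Run only when invoked by Certbot; when sourced or run by hand without the
# variable, explain instead of touching /data/cert.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
else
  echo "RENEWED_LINEAGE not set: run this as a certbot deploy hook" >&2
fi
```

Save it as an executable file in /etc/letsencrypt/renewal-hooks/deploy/ so certbot renew picks it up, or pass it once with --deploy-hook /path/to/script on the certonly command, after which Certbot stores it in the renewal configuration. Because a deploy hook is skipped when nothing was renewed, the twice-daily cron run no longer restarts nginx on every invocation.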