An alternative to this is Cloudflare if you don't feel like messing with your server itself.

2 months later

luceos

Correct. A single line in crontab would take care of this. Here is the section on letsencrypt renewal:

http://letsencrypt.readthedocs.org/en/latest/using.html#renewal

3 3 * */2 *     root     /opt/letsencrypt/letsencrypt renew --force-renewal

Should work

a year later
a month later

Just an UP for this :
ERR_TOO_MANY_REDIRECTS

14 days later

Certbot is definitely recommended, I use it on my servers and it's easy to use.

2 months later

Hi all - if anyone has a moment to reply - i am not a techie person - just a community forum leader

we had some help to install our 2 flarum sites, but now both are stuck behind an outdated security certificate -- and we are losing traffic (not that it is huge!)

is the server certificate something you resolve at the domain level? or is it all about the server where the sites are hosted? trying to figure out how as a novice, i can solve this

    dazework It's kind of a handshake with the browser, to determine if the SSL layer is valid. You can always drop down to HTTP and redirect HTTPS links, but the better thing to do is to renew your certificate.

      jordanjay29 yes, just not sure how to renew the certificate

      the person who installed it promised to keep track, but has evaporated back into the internet.... so am a bit stuck.

      both community sites are at different domains, so it is not the domain (which places like NameCheap make it seem all i have to do is buy a certificate from them to solve this at domain level!)

      i can see that our other site that is also on the same server has an outdated certificate. HOW do I update it? Have Googled this of course - but I get stuck at certain steps.

      luceos will say hello there and see what can be done!

      thank you - any further ideas are welcome!

      Let's Encrypt certificates expire after 3 months, but everything is done to encourage automatic renewal.

      I don't really like the official client install described in the original post, because it automatically modifies the Apache configuration... I prefer to use software packaged by my Linux distribution.

      Here is how I do it with the "Dehydrated" client, with Apache web server on Debian 9 :

      • # apt-get install dehydrated dehydrated-apache2
      • Create file "/etc/dehydrated/domains.txt" and put your complete domain name into it.
      • # dehydrated -c

      Certificates are created and put in /var/lib/dehydrated/certs/your_domain/

      To configure Apache :

      • # a2enmod ssl
      • # a2ensite default-ssl
      • Modify /etc/apache2/sites-available/default-ssl.conf :
        • SSLCertificateFile /var/lib/dehydrated/certs/your_domain/cert.pem
        • SSLCertificateKeyFile /var/lib/dehydrated/certs/your_domain/privkey.pem
        • SSLCertificateChainFile /var/lib/dehydrated/certs/your_domain/fullchain.pem
      • # systemctl reload apache2

      To automate renewal, add a script in /etc/cron.daily/ :

        #!/bin/sh
        /usr/bin/dehydrated -c

      Reloading configuration is already done daily by logrotate, so I don't do it in the renewal script.

      To redirect http to https, add "Redirect permanent / https://your_domain/" in the non-https virtualhost.

      To activate HSTS, add « Header always set Strict-Transport-Security "max-age=15768000" » in the https configuration.

      To test your configuration, you can use this site : https://www.ssllabs.com/ssltest/

      To obtain the best grade, you can configure SSL algorithms recommended by the Mozilla wiki ("intermediate" is a good choice on their configuration generator) : https://wiki.mozilla.org/Security/Server_Side_TLS
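
As an added example (not part of the post above, and not code from dehydrated or Let's Encrypt): a second /etc/cron.daily/ script that reports certificates under /var/lib/dehydrated/certs/ that are unreadable, expired or close to expiry, and optionally whether Apache is still serving an older certificate than the one on disk. The 21-day threshold and the names CERT_ROOT, WARN_DAYS and CHECK_LIVE are assumptions.

```shell
#!/bin/sh
# Added example: daily expiry check for certificates issued by dehydrated.
CERT_ROOT="${CERT_ROOT:-/var/lib/dehydrated/certs}"  # directory named in the post
WARN_DAYS="${WARN_DAYS:-21}"                         # assumed warning threshold

# cert_status FILE DAYS -> prints ok | expiring | expired | unreadable
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# SHA-256 fingerprint of the certificate stored on disk
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the certificate the web server presents for DOMAIN
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_all ROOT DAYS -> one line per problem; prints nothing when all is well
check_all() {
    for cert in "$1"/*/cert.pem; do
        [ -e "$cert" ] || continue
        domain=$(basename "$(dirname "$cert")")
        status=$(cert_status "$cert" "$2")
        [ "$status" = ok ] || echo "$domain: certificate $status"
        # Renewed on disk but Apache not reloaded yet: the served cert differs.
        if [ -n "${CHECK_LIVE:-}" ]; then
            [ "$(disk_fingerprint "$cert")" = "$(served_fingerprint "$domain")" ] ||
                echo "$domain: served certificate differs from $cert"
        fi
    done
}

# cron mails whatever this prints, so silence means every certificate is fine.
if [ -d "$CERT_ROOT" ]; then check_all "$CERT_ROOT" "$WARN_DAYS"; fi
```

Setting CHECK_LIVE=1 makes the script connect to each domain on port 443, which catches a renewal that succeeded on disk while the server still presents the old certificate.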

      luceos a big thank you, for assistance here - we were lost. Looking more into your work and seeing many helpful things - so thanks again, from all us novices!

      4 months later

      I don't know why I can't install on Ubuntu & CentOS? But I can install on Debian.

      matpompili Is there a difference between paid and free (like the way you've described) ssl certificates?
      Or encrypted is encrypted no matter what?

      Also wondering if this would influence seo rankings, but since a lot of websites are still on http, all ssl could have the same "juice" value...

        just-do-it I never thought I'd have to write this

        Different levels of paid certificates exist, ranging from Domain- to Extended Validation. Each of these requires the party behind the certificate to be validated increasingly based on the level. Domain validation required an e-mail confirmation or DNS entry, whereas EV meant your business registration would be verified as well and sometimes you would get a call! The identity would be confirmed and as such guarantee a visitor of your site they're dealing with the right party. Another benefit -- or they make you believe -- is end user protection to a specific monetary amount (I don't know the details of this, I suggest googling).

        Then Let's Encrypt showed up and had this goal to make the web encrypted with free certificates. Back then, this wasn't too easy, because SNI didn't exist back then, which allows multiple certificates to be installed per IP address. LE wasn't really taken seriously until SNI was a thing and Google started giving websites with SSL a (slightly) better SEO rank.

          luceos yeah I'm a millennial and I have never used a ? in my life. Though I've seen and read smth about them, so yeah, pretty accurate