
SSL: Certbot Setup

Before you start

  • Before making any changes to the production server, make sure you create a snapshot on DigitalOcean.
  • Do not use Forge SSL to renew certificates. The /etc/nginx/forge-config/before/ssl_redirect.conf it installs will override our redirects, making the site unavailable.

Setup

Install certbot client

Read the docs 😃

Note: Make sure you follow the steps in the wildcard tab.

Make sure you install the appropriate DNS plugin (Cloudflare or DigitalOcean).

Copy latest credentials for certbot plugins

```bash
cp /home/forge/DOMAIN-NAME.org/infrastructure/letsencrypt/*.ini /etc/letsencrypt
```

Create Certificate

Remember to request both the *.domain.tld and domain.tld forms. Since we serve the root domain with a www CNAME, if either name is missing from the certificate the redirects will not work as expected.

Check the DNS provider. If we're using DigitalOcean as the DNS server, then:

```bash
# Make sure you've installed the DigitalOcean certbot plugin
# Create the certificate
sudo certbot certonly --text --agree-tos --renew-by-default --email development@interaction-design.org --manual-public-ip-logging-ok -d *.DOMAIN-HERE -d DOMAIN-HERE --dns-digitalocean --dns-digitalocean-credentials /etc/letsencrypt/digital-ocean.ini --dns-digitalocean-propagation-seconds 60
```

If we're using Cloudflare as the DNS server, then:

```bash
# Make sure you have installed the Cloudflare certbot plugin
# Create the certificate
sudo certbot certonly --text --agree-tos --renew-by-default --email development@interaction-design.org --manual-public-ip-logging-ok -d *.DOMAIN-HERE -d DOMAIN-HERE --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini --dns-cloudflare-propagation-seconds 60
```

Renew

Certbot should automatically renew SSL certificates. There's usually nothing to do.

By default, --force-renew is used in the renew commands. This renews the certificates even if they are not yet in the renewal window.

We want to make sure every week that the certificates are renewed and that the scripts are working as expected.

Manually

```bash
certbot renew --config-dir=/etc/letsencrypt --logs-dir=/home/forge/.letsencrypt/ --force-renew
```

Make sure you reload nginx after renewing the certificates.

```bash
sudo nginx -s reload
```
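A weekly check that covers the "make sure every week the certificates are renewed and the scripts are working" point above, as an added example that is not part of this runbook: it dry-runs the renewal path (which re-exercises the DNS plugin against the staging endpoint without issuing anything) and then warns when any live certificate is closer to expiry than a threshold. It assumes GNU date and openssl on the server, certbot's default /etc/letsencrypt/live/<name>/cert.pem layout, and a WARN_DAYS threshold of our own choosing.

```bash
#!/bin/sh
# weekly-cert-check.sh: confirm renewal still works and that no live cert is near expiry.
# Added example for this runbook, not part of it. Assumes GNU date (Ubuntu), openssl,
# certbot's default /etc/letsencrypt/live/<name>/cert.pem layout; WARN_DAYS is our own threshold.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-30}"

# days_left NOTAFTER [NOW_EPOCH]: whole days from NOW (default: current time) until the
# "notAfter=..." value printed by `openssl x509 -noout -enddate`; negative once expired.
days_left() {
  not_after="${1#notAfter=}"
  now="${2:-$(date -u +%s)}"
  end=$(date -u -d "$not_after" +%s)
  echo $(( (end - now) / 86400 ))
}

# cert_days_left PEM_FILE: days until the leaf certificate in PEM_FILE expires.
cert_days_left() {
  days_left "$(openssl x509 -noout -enddate -in "$1")"
}

# check_live_certs: report every live cert; return 1 if any expires within WARN_DAYS.
# A weekly --force-renew that silently stopped working shows up here long before an outage.
check_live_certs() {
  status=0
  for cert in "$LIVE_DIR"/*/cert.pem; do
    [ -e "$cert" ] || continue
    days=$(cert_days_left "$cert")
    if [ "$days" -lt "$WARN_DAYS" ]; then
      echo "WARN: $cert expires in $days days" >&2
      status=1
    else
      echo "OK:   $cert expires in $days days"
    fi
  done
  return $status
}

# weekly_check: exercise the renewal path without issuing certificates (--dry-run uses the
# Let's Encrypt staging endpoint and re-runs the DNS challenge), then check expiry dates.
weekly_check() {
  certbot renew --config-dir=/etc/letsencrypt --logs-dir=/home/forge/.letsencrypt/ --dry-run
  check_live_certs
}
# Run the check only when executed under this file name (e.g. from cron), not when sourced.
case "${0##*/}" in
  weekly-cert-check.sh) weekly_check ;;
esac
```

Run it from a weekly cron entry as root (certbot needs to read /etc/letsencrypt); a non-zero exit is the signal that the renewal job needs attention.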