Get Let's Encrypt Cert in Five Minutes (github.com/kaienkira)
133 points by kaienkira on Dec 25, 2016 | 16 comments



Why is this better than Certbot, which has more options and more support? Set up a daily cron to run the certbot-auto `--renew` flag and forget about it. Done.

https://certbot.eff.org/


The Debian package is even more convenient; it sets up the cronjob automatically (with a random delay to prevent everyone from hitting the servers at the same time). It's even quicker to set up.


Is this a new-ish feature or did I just not read the docs thoroughly when I first used it almost a year ago? Thanks for the tip either way.


Same here, I just set up Let's Encrypt for a second site last week and didn't know this. From a glance at the docs it looks like it's relatively new. Ubuntu 16.10 has the automatic cron setup but not Ubuntu 16.04, which is what I used.


That's strange. I swore last year I would never use a non-LTS version for a server. Unless I'm missing something, it seems to be more headaches than it is worth to roll with the XX.10 vs XX.04.


I'm not sure, it was there when I finally switched from the git repo to the packaged version some months ago. I'm using Debian stable (with the backports repo enabled).


Convenient? To me adding cron jobs/systemd timers without question is user-hostile.


It's not added without question. It's added by dint of the administrator taking the explicit action to install the package. This is actually the Debian practice that the systemd people tried to take account of in the design of their presets system. Installing a package on Debian not only installs the software, but it automatically configures and runs it, too. Hence the idea that systemd presets can be made to default to "enable" on Debian and default to "disable" elsewhere.

This is a Debian norm. It's one that various Debian developers have tried to change over the years. The convention of having separate "run" packages exists and a few people adhere to it. (bcron-run, socklock-run, qmail-run, dqcache-run, bincimap-run, ...) But that convention is not (yet) the Debian norm. This is even though people have been regularly pushing for it since the turn of the century.

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=107862

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804018


Installing certbot through the Debian/Ubuntu packages will automatically set up a cron job for you.


On NixOS it is:

    services.nginx.virtualHosts."myhost.org" = {
        enableSSL = true;
        enableACME = true;
        root = "/var/www/myhost.org";
    };

Put that in your host configuration and the nginx will be configured to start up the nginx with SSL enabled. All other locations required for the acme request are automatically configured. Systemd timers are also added for automatic renewal. IMHO it does not get any better than this.

edit1: no extra location required


More complex configurations are possible as well, of course:

https://github.com/Erisia/Madoka/blob/master/configuration.n...


A little off topic, but I somehow missed until recently that AWS cert manager will give you free, auto-renewing SSL certs for use with AWS. Just another free, convenient SSL option.


What about using Forge instead (http://forge.laravel.com)? I know it's not free, but for $10/month you can get a Let's Encrypt cert in 20 seconds and tons more features (server provisioning with a really good security setup and all the tools you need).


$10/month? I prefer $0.30 per month at http://nearlyfreespeech.net, but Forge does look cool for when I need those features. Thanks.


Not to pile on, but it is not $10. It is $15 / Month for individuals and $30 / Month for teams.

And that is on top of however much it costs you to run a VPS on Digital Ocean or Linode or Amazon.

https://forge.laravel.com/ https://forge.laravel.com/features

It is worth taking a look if you don't enjoy setting up machines.


What about SNI?



