How to Install and Renew Let’s Encrypt Certificates on Alibaba Cloud Server

Let’s Encrypt is a free, automated, and open certificate authority (CA) that aims to increase internet security by providing free SSL/TLS certificates. This article will provide a detailed guide on how to install Let’s Encrypt certificates on an Alibaba Cloud server and use the Certbot tool to enable automatic certificate renewal.

Preparation Before Installation

Before installing Let’s Encrypt certificates, ensure that Nginx is installed on your server and that your domain’s DNS records point to the server’s IP address. If your server runs Alibaba Cloud Linux, you can install Nginx with the following commands:

sudo yum install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx

Installing Certbot

Certbot is an automated client developed by the EFF for obtaining and installing certificates from Let’s Encrypt. Install Certbot and its related components with yum.

  1. Add the EPEL repository:

sudo yum install epel-release -y

# If the above command fails, uninstall epel-aliyuncs-release first and then reinstall
sudo yum remove epel-aliyuncs-release -y
sudo yum install epel-release -y

  2. Install Certbot and the Nginx plugin:

sudo yum install certbot python3-certbot-nginx -y

Obtaining and Installing the Certificate

After installing Certbot, obtain a wildcard certificate covering example.com and its subdomains with the following command, replacing example.com with your actual domain:

sudo certbot certonly --manual --preferred-challenges dns -d *.example.com -d example.com

This command asks you a series of questions and then prints a TXT record that you need to add at your DNS provider (screenshot: txtdns).

In the Alibaba Cloud DNS console, open your domain and add a TXT record with the value shown in the previous step (screenshot: addtxtdns).

Verify that the TXT record is correct and visible. Only then return to the terminal and press Enter (screenshot: txtdnscheck).

After Certbot completes, your certificates and key files are usually stored in the /etc/letsencrypt/live/your-domain/ directory.

Edit the Nginx configuration file to use the new SSL certificate, usually located in the /etc/nginx/conf.d/ directory.

sudo vim /etc/nginx/conf.d/www.conf

Add the following code, replacing yourdomain with your actual domain:

server {
    listen 80;
    server_name yourdomain.com *.yourdomain.com;

    # Redirect to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com *.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Other Nginx configuration such as root directory, index files, etc.
    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Reload Nginx with the following command:

sudo systemctl reload nginx

Configuring Automatic Renewal

Let’s Encrypt certificates are valid for 90 days, so we need to configure automatic renewal to ensure the certificates remain valid. Certbot provides a cron job that can automatically check and renew expiring certificates.

Test certificate renewal with the following command:

sudo certbot renew --dry-run

You will likely see errors here: the certificate was obtained with the DNS challenge, so every renewal needs a fresh TXT record, and a plain certbot renew cannot create it. The certbot-dns-aliyun script solves this by calling Alibaba Cloud’s DNS API from Certbot’s hooks, so both issuance and renewal run without manual steps.

Installing the Aliyun CLI Tool

wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz
tar xzvf aliyun-cli-linux-latest-amd64.tgz
sudo cp aliyun /usr/local/bin
rm -rf aliyun

Configuring the User

Log in to https://ram.console.aliyun.com/, add a user, enable OpenAPI call access permissions, and add the AliyunDNSFullAccess authorization. Record the AccessKeyID and AccessKeySecret, and then execute the following command on the server:

sudo aliyun configure

Follow the prompts to fill in the corresponding information:

Access Key Id []: AccessKeyID
Access Key Secret []: AccessKeySecret
Default Region Id []: cn-beijing
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en: zh

If successful, the following will be displayed:

Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............

If there are errors, check if OpenAPI call access permissions are enabled and AliyunDNSFullAccess authorization is added.
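AliyunDNSFullAccess lets the key stored on this web server change every record in every zone of the account. The following is an added example, not part of the original post or of certbot-dns-aliyun, that creates a custom RAM policy limited to one zone and the three record operations a DNS-01 hook needs and swaps it in for the broad system policy. It assumes the acs:alidns:*:*:domain/ZONE resource form and the alidns: action names from Alibaba Cloud’s RAM authorization for DNS (if the hook script you install calls further operations, add them), that the aliyun CLI is configured with an administrator key when you run install_policy, and that the RAM user name is a placeholder.

```shell
#!/bin/sh
# Added example: scope the certbot RAM user to DNS-01 record operations on one zone.
# Assumed: resource form acs:alidns:*:*:domain/<zone> and alidns:* action names;
# RAM user name is a placeholder supplied by the caller.
set -eu

# RAM policy names may contain letters, digits and hyphens only, so map dots to hyphens.
policy_name() { printf 'certbot-dns01-%s\n' "$(printf '%s' "$1" | tr . -)"; }

# Policy document for one zone: add, list and delete records, nothing else.
dns01_policy() {   # usage: dns01_policy ZONE  -> JSON on stdout
    cat <<EOF
{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["alidns:AddDomainRecord", "alidns:DescribeDomainRecords", "alidns:DeleteDomainRecord"],
    "Resource": "acs:alidns:*:*:domain/$1"
  }]
}
EOF
}

install_policy() {   # usage: install_policy ZONE RAM_USER  (run with an admin key)
    name=$(policy_name "$1")
    aliyun ram CreatePolicy --PolicyName "$name" --PolicyDocument "$(dns01_policy "$1")" \
        --Description "certbot DNS-01 records for $1"
    aliyun ram AttachPolicyToUser --PolicyType Custom --PolicyName "$name" --UserName "$2"
    # Drop the broad policy only after the scoped one is attached; the --dry-run in the
    # Renewal section then confirms the hook still works with the reduced permissions.
    aliyun ram DetachPolicyFromUser --PolicyType System --PolicyName AliyunDNSFullAccess --UserName "$2"
}
```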

Installing certbot-dns-aliyun

wget https://cdn.jsdelivr.net/gh/justjavac/certbot-dns-aliyun@main/alidns.sh
sudo cp alidns.sh /usr/local/bin
sudo chmod +x /usr/local/bin/alidns.sh
sudo ln -s /usr/local/bin/alidns.sh /usr/local/bin/alidns
rm alidns.sh

If https://cdn.jsdelivr.net/gh/justjavac/certbot-dns-aliyun@main/alidns.sh cannot be downloaded, you can download it locally and upload it to the server.

Renewal

# Test application
certbot certonly -d *.example.com --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --dry-run

# Test renewal
certbot renew --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --dry-run

# For actual application and renewal, remove the --dry-run parameter
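To make clear what the alidns hook installed above is doing in --manual-auth-hook and --manual-cleanup-hook, and to automate the "check that the TXT record is visible before continuing" step of the manual issuance, here is an added minimal hook written for this article; it is not the justjavac script and not part of the original post. It assumes an ALIDNS_ROOT_DOMAIN environment variable naming the zone hosted in Alibaba Cloud DNS, the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables Certbot exports to manual hooks, dig from bind-utils, and the AliDNS public resolver 223.5.5.5 for the propagation check.

```shell
#!/bin/sh
# Added example, not the page's alidns.sh: a minimal certbot manual hook that
# drives the aliyun CLI directly, to show what --manual-auth-hook and
# --manual-cleanup-hook actually do. Assumptions: ALIDNS_ROOT_DOMAIN names the
# zone hosted in Alibaba Cloud DNS (e.g. example.com); certbot exports
# CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the hook; dig is installed.
set -eu

# Host part of the ACME TXT record relative to the zone, for example
# acme_rr app.example.com example.com -> _acme-challenge.app
acme_rr() {
    case "$1" in
        "$2")   echo "_acme-challenge" ;;
        *".$2") echo "_acme-challenge.${1%".$2"}" ;;
        *)      echo "$1 is not inside zone $2" >&2; return 1 ;;
    esac
}

# Pull RecordId values out of the CLI's pretty-printed JSON (one per line).
record_ids() { sed -n 's/.*"RecordId": *"\([0-9]*\)".*/\1/p'; }

# dig +short prints TXT data in quotes; strip them and look for an exact match.
txt_present() { sed 's/^"\(.*\)"$/\1/' | grep -qxF "$1"; }   # dig ... | txt_present VALUE

auth() {
    rr=$(acme_rr "$CERTBOT_DOMAIN" "$ALIDNS_ROOT_DOMAIN")
    aliyun alidns AddDomainRecord --DomainName "$ALIDNS_ROOT_DOMAIN" \
        --RR "$rr" --Type TXT --Value "$CERTBOT_VALIDATION" >/dev/null
    # Poll a public resolver (AliDNS 223.5.5.5) for up to ~2 minutes instead of a
    # fixed sleep: the CA only validates after this hook has exited.
    i=0
    until dig +short TXT "$rr.$ALIDNS_ROOT_DOMAIN" @223.5.5.5 | txt_present "$CERTBOT_VALIDATION"; do
        i=$((i + 1)); [ "$i" -lt 12 ] || { echo "TXT record still not visible" >&2; return 1; }
        sleep 10
    done
}

clean() {
    rr=$(acme_rr "$CERTBOT_DOMAIN" "$ALIDNS_ROOT_DOMAIN")
    # Match on the value too, so unrelated TXT records under the same name are never deleted.
    aliyun alidns DescribeDomainRecords --DomainName "$ALIDNS_ROOT_DOMAIN" \
        --RRKeyWord "$rr" --Type TXT --ValueKeyWord "$CERTBOT_VALIDATION" | record_ids |
    while read -r id; do aliyun alidns DeleteDomainRecord --RecordId "$id" >/dev/null; done
}

# certbot sets CERTBOT_DOMAIN; run by hand without it, the script only defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case "${1:-}" in clean) clean ;; *) auth ;; esac
fi
```

Install it as /usr/local/bin/alidns with ALIDNS_ROOT_DOMAIN exported in the environment of the certbot run (and of the cron job), and the same certbot commands shown above work unchanged.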

Setting Up a Cron Job for Automatic Renewal

sudo crontab -e

Enter the following two lines. The PATH line is required because /usr/local/bin (where alidns lives) and /usr/sbin (where nginx lives) are not on cron’s default PATH, and the job line has no user field because a user crontab, unlike /etc/crontab, takes the command directly after the five time fields:

PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 2 1 */1 * certbot renew --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --deploy-hook "nginx -s reload"

This job runs at 2:00 AM on the 1st day of every month and renews the certificates in manual mode; after a successful renewal the deploy hook reloads Nginx so the new certificates are served. A crontab entry consists of five time fields followed by the command: minute (0 – 59), hour (0 – 23), day of the month (1 – 31), month (1 – 12) and day of the week (0 – 7, where 0 and 7 both represent Sunday). Note that certbot renew only replaces certificates with fewer than 30 days of validity left, so a monthly check leaves little margin; the Certbot project recommends running certbot renew daily, which does nothing when no certificate is due.

Conclusion

This article provided a detailed guide on how to install Let’s Encrypt certificates on a server, obtain and install certificates using the Certbot tool, and configure automatic renewal. By following these steps, you can ensure that your server always uses valid SSL/TLS certificates, enhancing website security.