Manage Certificates with Certbot & Let's Encrypt

This article explains how to manage Let's Encrypt certificates with Certbot on Ubuntu Linux servers.

Be aware that this description is specific to our AIRIX.NET infrastructure and intended for AIRIX.NET internal use. It is not written for absolute beginners and may not work on other infrastructures and configurations.

Prerequisites

Our article Secure Apache Web Sites with Let's Encrypt explains how to initially install Let's Encrypt certificates with Certbot on an Apache web server. Even if you need the certificate for something other than a web site, that article is still relevant: the easiest way to handle Let's Encrypt certificates with Certbot is through the Apache web server, and a configured "dummy" web site without any content will do.

If you have not done so already, start by configuring an Apache web server on your server and obtaining the initial certificates as explained in the article Secure Apache Web Sites with Let's Encrypt.

As always, you need Secure Shell (SSH) access to the server and basic Linux command line skills to follow this article.

Introduction

As you probably already know, Let's Encrypt is a Certificate Authority (CA) that issues free TLS/SSL certificates through an automated protocol (ACME), which Certbot speaks for you. Its certificates are valid for 90 days only, which is why working automatic renewal matters more than with a traditional CA.

List all available certificates

To list all certificates:

sudo certbot certificates

This command displays every certificate Certbot manages: its name, the domains it covers, its expiry date (with the days remaining), and the paths to the certificate and private key files under /etc/letsencrypt/live/.

Adding additional domains to certificates

The setup described in the article Secure Apache Web Sites with Let's Encrypt explains how to obtain certificates and how to set up automated renewal.

After the initial install you can set up additional sites and obtain additional certificates. This is also our practice when we do not plan to run a real web site but need certificates for other purposes: we set up a "dummy" site in the Apache web server and leave the handling of the certificates to Apache and Certbot.

As a starting point, add the configuration for the new name to the Apache site configuration files (normally under /etc/apache2/sites-available) and enable the site. Secondly, create a DNS entry for the certificate's domain that points at this server.

Check on the command line that the domain has a DNS entry and that it resolves to this server's public IP address:

nslookup subdomain.yourdomain.tld

The same command also works from a Windows command prompt; checking from a machine other than the server confirms that public DNS is correct, not just a local hosts entry.

If the DNS entry is in place and the domain name is configured in Apache, you can run Certbot to get the additional domains or certificates created. With the Apache plugin, Let's Encrypt validates each name by fetching a challenge over plain HTTP (port 80) from the address the name resolves to, so that port must be reachable from the Internet as well.
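The DNS check above, turned into a pre-flight script, as an added example that is not part of the original article: every name that will go into the certificate must resolve to this server's public address, and a validation that fails because of a typo or a stale record counts against Let's Encrypt's failed-validation rate limit. The resolver is a small separate function (it uses getent, the same system resolver nslookup consults) so the check can be exercised without network access; 203.0.113.10 and the yourdomain.tld names are placeholders.

```bash
#!/bin/sh
# Added example (not from the original article): pre-flight DNS check for the
# names that are about to go into a certificate. With the Apache plugin,
# Let's Encrypt validates each name by fetching a challenge over HTTP from
# wherever that name resolves, so every name must resolve to this server's
# public address. A failed validation counts against a Let's Encrypt rate
# limit, so it is cheaper to check here first.

# Resolve a hostname to its IPv4 addresses (one per line) with the system
# resolver. Kept as its own function so it can be replaced by a stub when
# exercising the check without network access.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# check_domains EXPECTED_IP DOMAIN...
# Prints one line per domain; returns 1 if any domain has no A record or
# resolves to something other than EXPECTED_IP (for example to a CDN, or to
# an address left over from an earlier host).
check_domains() {
    local expected rc d addrs
    expected="$1"; shift
    rc=0
    for d in "$@"; do
        addrs=$(resolve_a "$d")
        if [ -z "$addrs" ]; then
            echo "FAIL $d: no A record"
            rc=1
        elif [ "$addrs" != "$expected" ]; then
            echo "FAIL $d: resolves to $(echo "$addrs" | tr '\n' ' ')instead of $expected"
            rc=1
        else
            echo "ok   $d -> $expected"
        fi
    done
    return $rc
}

# certbot_cmd_if_ready EXPECTED_IP DOMAIN...
# Prints the certbot command line for the given names only when every name
# passes the check, so a missing DNS record is caught before Certbot talks
# to Let's Encrypt. Adjust the plugin if you do not use Apache.
certbot_cmd_if_ready() {
    local expected cmd d
    expected="$1"; shift
    check_domains "$expected" "$@" >/dev/null || return 1
    cmd="certbot --apache"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    echo "$cmd"
}

# Usage on the server (203.0.113.10 stands for your public address):
#   certbot_cmd_if_ready 203.0.113.10 yourdomain.tld www.yourdomain.tld
```

The check deliberately requires an exact match: a name that resolves to several addresses, or to a CDN in front of the server, will fail HTTP-01 validation from this host even though nslookup shows "a" result for it.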

Single Certificate for multiple domains

You can run certbot --apache on the Ubuntu server's command line:

sudo certbot --apache

Certbot lists all server names it finds in the Apache virtual hosts (ServerName and ServerAlias directives); the new entry should appear in that list. Selecting all of them is efficient, but it means all domains share one certificate: every name is visible in the certificate's Subject Alternative Name list, and if validation of any one name fails at renewal time, renewal of the whole certificate fails.

If you need one certificate for all domains listed (and you normally want valid certificates not just for the new domain but for the existing ones too), just press ENTER.

Certbot then prompts for any further settings it needs. Provide the requested information and Certbot obtains the new certificate from Let's Encrypt, provided everything was configured correctly.

You can also add domains to an existing certificate without going through the menu:

sudo certbot --apache -d yourdomain.tld -d new1.yourdomain.tld -d new2.yourdomain.tld

With this, Certbot:

  • detects the existing certificate that already covers yourdomain.tld and asks whether to expand it (pass --expand to skip the question)
  • re-issues that certificate with the new domains added, keeping its name under /etc/letsencrypt/live/
  • updates all relevant virtual hosts

Separate Certificates for domains

You can also create a separate certificate per site:

sudo certbot --apache -d yourdomain.tld -d www.yourdomain.tld

sudo certbot --apache -d new1.yourdomain.tld
sudo certbot --apache -d new2.yourdomain.tld

Each certificate gets its own directory under /etc/letsencrypt/live/ (named after the first domain given) and its own renewal configuration under /etc/letsencrypt/renewal/, and Certbot configures the matching virtual host. A validation failure for one site then only affects that site's renewal.

Verify auto-renewal status

Check that the Certbot renewal timer is active. Which timer exists depends on how Certbot was installed: the Ubuntu package ships certbot.timer, the snap ships snap.certbot.renew.timer.

sudo systemctl status certbot.timer

The output should show the timer as active and enabled. If systemd reports that the unit is not found, sudo systemctl list-timers shows which Certbot timer, if any, is present.

Test certificate renewal

To test renewal, perform a dry run. It goes through the whole renewal process, including the Apache plugin, against Let's Encrypt's staging environment, without replacing any certificates:

sudo certbot renew --dry-run

Successful output indicates that renewal will work when certificates are due. Because the staging environment is used, a dry run does not count against the production rate limits.

Run manual renewal

While automatic renewal should handle certificate updates, you can renew manually if needed.

The following command renews all certificates that are within 30 days of expiry (Certbot's default renewal window):

sudo certbot renew

If no certificate is due within that window, Certbot says so and nothing is renewed.

You can also force renewal of all certificates regardless of their expiry date:

sudo certbot renew --force-renewal

A forced renewal should be the exception, for example after a private key has been exposed (in which case the old certificate should also be revoked with certbot revoke). Let's Encrypt applies rate limits, among them a limit of five duplicate certificates for the same set of names per week, so unnecessary re-issues can block the next renewal that actually matters. The automatic renewal process stays within these limits because it only renews when a certificate is due.
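Renewal, automatic or manual, replaces the files under /etc/letsencrypt/live/<name>/. The Apache plugin reloads Apache afterwards, but any other service that reads the certificate from that directory (the "dummy site" case above) keeps serving the old certificate until it is reloaded. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ once per renewed certificate, with RENEWED_LINEAGE set to the certificate's live directory and RENEWED_DOMAINS to its names. The following deploy hook is an added example, not part of the original article or of Certbot; the mapping from certificate name to reload command (postfix, dovecot) is a hypothetical placeholder for whatever consumes the certificate on your host.

```bash
#!/bin/sh
# Added example (not from the original article): a Certbot deploy hook.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-consumers.sh,
# mode 0755. Certbot runs every executable in that directory after each
# successful renewal with RENEWED_LINEAGE set to the lineage's live directory
# (/etc/letsencrypt/live/<name>) and RENEWED_DOMAINS to its space-separated
# names. The Apache plugin reloads Apache on its own; this hook covers
# services that read the same files but are not managed by Certbot.

# consumer_for LINEAGE_NAME -> the reload command for whatever else uses that
# certificate, or nothing. Hypothetical mapping; edit it for your host.
consumer_for() {
    case "$1" in
        yourdomain.tld)      echo "systemctl reload postfix" ;;
        mail.yourdomain.tld) echo "systemctl reload dovecot" ;;
        *)                   echo "" ;;
    esac
}

# Refuse to reload a service onto missing or unreadable certificate files.
lineage_ok() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# run_reload CMD: executes the reload command (word-split on purpose).
# Separated so it can be stubbed when exercising the hook by hand.
run_reload() {
    $1
}

# deploy: the hook body. Exit status 0 when done or nothing to do, 1 when the
# lineage files are missing, 2 when not invoked by Certbot.
deploy() {
    local lineage name cmd
    lineage="${RENEWED_LINEAGE:-}"
    if [ -z "$lineage" ]; then
        echo "RENEWED_LINEAGE is not set; this script is meant to be run by certbot" >&2
        return 2
    fi
    name=$(basename "$lineage")
    if ! lineage_ok "$lineage"; then
        echo "certificate files missing or unreadable in $lineage" >&2
        return 1
    fi
    echo "renewed $name (${RENEWED_DOMAINS:-unknown domains})"
    cmd=$(consumer_for "$name")
    if [ -z "$cmd" ]; then
        echo "no additional consumer for $name; nothing to reload"
        return 0
    fi
    echo "reloading: $cmd"
    run_reload "$cmd"
}

# Run the hook only when executed from the hooks directory; when the file is
# sourced elsewhere (for example to test the functions) it only defines them.
case "$0" in
    */renewal-hooks/deploy/*) deploy; exit $? ;;
esac
```

Certbot writes the hook's output and exit status to its log, and a failing hook does not undo the renewal, so the messages above are what you will find in /var/log/letsencrypt/letsencrypt.log when a reload goes wrong. To try the hook by hand, set RENEWED_LINEAGE to an existing live directory and run it; a dry run does not execute deploy hooks by default.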

Remove a domain from a certificate

Certbot has no command that removes a single domain from a certificate with multiple domains.

The way to achieve this is to re-issue the certificate with the full list of domains that should remain, leaving out the one you want to drop, and to name the certificate explicitly with --cert-name so that the existing certificate is replaced rather than a second one created next to it.

First, list the certificates and their domains:

sudo certbot certificates

You get the certificate name, let's say yourdomain.tld, and the domains it includes, e.g. yourdomain.tld, www.yourdomain.tld, new1.yourdomain.tld and new2.yourdomain.tld.

To remove new1.yourdomain.tld from the certificate, run:

sudo certbot --apache --cert-name yourdomain.tld -d yourdomain.tld -d www.yourdomain.tld -d new2.yourdomain.tld

Certbot shows which domains are being removed and asks you to confirm; the certificate yourdomain.tld is then re-issued with only the remaining domains. Without --cert-name, Certbot would create a new certificate named yourdomain.tld-0001 for the shorter list and leave the old one, still containing new1.yourdomain.tld, in place and renewing.
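Adding a domain (earlier section) and removing one (this section) are the same operation for Certbot: re-issue the certificate named by --cert-name with the complete list of names it should contain. Getting that list wrong is the usual mistake, so the following added example (not part of the original article) reads the output of certbot certificates, takes the current domain list of one certificate, applies the add or remove, and prints the command to run. The certbot certificates output shown is a constructed sample in the layout Certbot prints; the names, serial numbers and dates in it are placeholders.

```bash
#!/bin/sh
# Added example (not from the original article): build the certbot command
# that adds domains to, or removes domains from, an existing certificate by
# re-issuing the lineage named with --cert-name and the full resulting list.
# Without --cert-name, a request whose names are a subset of an existing
# certificate creates a second lineage (yourdomain.tld-0001) and leaves the
# old one in place, still renewing.

# Constructed sample in the layout "certbot certificates" prints; names,
# serials and dates are placeholders.
SAMPLE='Found the following certs:
  Certificate Name: yourdomain.tld
    Serial Number: 0123456789abcdef
    Key Type: ECDSA
    Domains: yourdomain.tld www.yourdomain.tld new1.yourdomain.tld new2.yourdomain.tld
    Expiry Date: 2025-03-01 10:00:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.tld/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yourdomain.tld/privkey.pem
  Certificate Name: other.tld
    Serial Number: fedcba9876543210
    Key Type: ECDSA
    Domains: other.tld
    Expiry Date: 2025-02-10 10:00:00+00:00 (VALID: 40 days)
    Certificate Path: /etc/letsencrypt/live/other.tld/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/other.tld/privkey.pem'

# cert_domains CERT_NAME   (reads "certbot certificates" output on stdin)
# Prints the space-separated domain list of that lineage, nothing if absent.
cert_domains() {
    awk -v name="$1" '
        /^ *Certificate Name:/ { cur = $3 }
        /^ *Domains:/ && cur == name { $1 = ""; sub(/^ +/, ""); print; exit }
    '
}

# has_domain LIST DOMAIN -> 0 if DOMAIN is one of the words in LIST
has_domain() {
    local x
    for x in $1; do
        if [ "$x" = "$2" ]; then return 0; fi
    done
    return 1
}

# reissue_cmd CERT_NAME add|remove DOMAIN...   (certificate list on stdin)
# Prints the certbot command for the resulting domain set, or returns 1 and
# says on stderr why the request does not make sense.
reissue_cmd() {
    local name action current result d x cmd
    name="$1"; action="$2"; shift 2
    current=$(cert_domains "$name")
    if [ -z "$current" ]; then
        echo "no certificate named $name" >&2; return 1
    fi
    result=""
    case "$action" in
        add)
            result="$current"
            for d in "$@"; do
                if has_domain "$current" "$d"; then
                    echo "$d is already covered by $name" >&2; return 1
                fi
                result="$result $d"
            done ;;
        remove)
            for d in "$@"; do
                if ! has_domain "$current" "$d"; then
                    echo "$d is not in $name" >&2; return 1
                fi
            done
            for x in $current; do
                if ! has_domain "$*" "$x"; then
                    result="$result $x"
                fi
            done
            result=${result# } ;;
        *)
            echo "action must be add or remove" >&2; return 1 ;;
    esac
    if [ -z "$result" ]; then
        echo "nothing would be left in $name; use certbot delete instead" >&2; return 1
    fi
    cmd="certbot --apache --cert-name $name"
    for d in $result; do
        cmd="$cmd -d $d"
    done
    echo "$cmd"
}

# Usage on the server (the sample above stands in for the real output):
#   sudo certbot certificates | reissue_cmd yourdomain.tld remove new1.yourdomain.tld
```

The script refuses an empty result on purpose: Certbot cannot issue a certificate without names, and the right tool for "no domains left" is certbot delete, covered in the next section.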

Remove a certificate

To remove a certificate including all its domains, run:

sudo certbot delete

You get a numbered list and can select the certificate you want to delete.

There is another option to remove a certificate by its name:

sudo certbot delete --cert-name yourdomain.tld

Note that certbot delete only removes Certbot's own files (the live and archive directories and the renewal configuration); it does not touch the Apache configuration. Any virtual host that still references the deleted files in its SSLCertificateFile and SSLCertificateKeyFile directives makes Apache fail to start or reload, so disable or adapt that site first and run sudo apachectl configtest before reloading Apache.

Related articles

Secure Apache Web Sites with Let's Encrypt