Certbot auto renewal - digitalepidemiologylab/crowdbreaks-streamer-v1 GitHub Wiki

This is valid for Ubuntu 18.04, using a Docker-based Nginx reverse proxy with two subdomains. It was inspired by this Gist.

1. SSH into the machine and install certbot:

```bash
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```

2. Make sure ports 80 and 443 are open to the internet.

3. Obtain the certificate. Standalone mode runs its own temporary web server on port 80, so nothing else (such as nginx) may be listening there at this point:

```bash
sudo certbot certonly -n -d SUBDOMAIN_NAME.crowdbreaks.org --standalone -m YOUR_EMAIL --agree-tos
```

4. Make sure the certificate was successfully obtained: `sudo certbot certificates`

5. Run `docker-compose up` and start nginx. Test https://SUBDOMAIN_NAME.crowdbreaks.org in a browser.

6. Make sure Certbot has properly set up `certbot.timer` by running `sudo systemctl list-timers`. As long as the certbot timer is active, renewal runs through the systemd service (and not the cron job). The systemd service triggered by `certbot.timer` can be found under `/lib/systemd/system/certbot.service`.

7. Edit `/lib/systemd/system/certbot.service` by modifying the `ExecStart` line:

```ini
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --max-log-backups 200 --pre-hook "docker stop nginx" --post-hook "docker start nginx"
PrivateTmp=true
```

This stops the nginx container before renewal (so certbot's standalone server can bind port 80), starts it again afterwards, and limits the number of log rotations to 200 (instead of the default 1000). Note that a package upgrade can overwrite unit files under `/lib/systemd/system`; a drop-in override in `/etc/systemd/system/certbot.service.d/` survives upgrades. Test the command using:

```bash
sudo certbot renew --max-log-backups 200 --pre-hook "docker stop nginx" --post-hook "docker start nginx" --dry-run
```

8. Run `sudo systemctl daemon-reload` to make the changes active.
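The steps above rely on `sudo certbot certificates` to confirm the certificate exists and on `certbot.timer` to keep it renewed. A simple way to check, from a monitoring job, that the timer-driven renewal is actually working is to parse that output and flag any certificate that has drifted into certbot's 30-day renewal window or has already expired. The script below is an added example, not code from the crowdbreaks project; the sample output is constructed and follows the layout of certbot's `certificates` subcommand (the `Certificate Name`, `Domains`, `Expiry Date` and `Certificate Path` lines), and the domain names in it are placeholders.

```python
"""Parse `certbot certificates` output and report certificates needing attention.

Added example (not part of the crowdbreaks project). Run on a host with
`sudo certbot certificates | python3 this_script.py` or call report() directly.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `certbot certificates` output for two subdomains:
# one healthy, one already inside the renewal window. Domains are placeholders.
SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: api.example.org
    Domains: api.example.org
    Expiry Date: 2020-06-15 10:00:00+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/api.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/api.example.org/privkey.pem
  Certificate Name: www.example.org
    Domains: www.example.org
    Expiry Date: 2020-04-20 10:00:00+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/www.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"""

# certbot renews a certificate once fewer than 30 days of validity remain;
# a certificate still inside this window means the timer/service did not run.
RENEW_WINDOW_DAYS = 30


def parse_certificates(text):
    """Return a list of dicts (name, domains, expiry, path) from certbot output."""
    certs = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = {"name": m.group(1)}
            certs.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m:
            current["domains"] = m.group(1).split()
            continue
        # "2020-06-15 10:00:00+00:00 (VALID: 75 days)" -> keep the timestamp only
        m = re.match(r"\s*Expiry Date:\s*(\S+ \S+)", line)
        if m:
            current["expiry"] = datetime.fromisoformat(m.group(1))
            continue
        m = re.match(r"\s*Certificate Path:\s*(\S+)", line)
        if m:
            current["path"] = m.group(1)
    return certs


def classify(certs, now):
    """Map certificate name -> 'ok', 'renew' (inside window) or 'expired'."""
    status = {}
    for cert in certs:
        remaining = cert["expiry"] - now
        if remaining <= timedelta(0):
            status[cert["name"]] = "expired"
        elif remaining < timedelta(days=RENEW_WINDOW_DAYS):
            status[cert["name"]] = "renew"
        else:
            status[cert["name"]] = "ok"
    return status


def report(text, now_iso=None):
    """Parse `text` and classify each certificate relative to `now_iso`
    (an ISO-8601 timestamp with offset; defaults to the current UTC time)."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return classify(parse_certificates(text), now)


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for name, state in report(source).items():
        print(f"{name}: {state}")
    # Non-zero exit lets a cron/monitoring job alert on the result.
    sys.exit(0 if all(s == "ok" for s in report(source).values()) else 1)
```

A certificate reported as `renew` while `certbot.timer` shows as active is the signal that the service is failing (for example because the `docker stop nginx` pre-hook did not free port 80); `journalctl -u certbot.service` shows the reason.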