DigitalOcean Certbot Let’s Encrypt standalone mode can be used to secure different services. Find out more here.
At Bobcares, we offer solutions for every query, big and small, as a part of our DigitalOcean Management Service.
Let’s take a look at how our Support Team is ready to help customers use DigitalOcean Certbot standalone mode.
How to use DigitalOcean Certbot Standalone mode
Did you know we can use Certbot’s standalone mode to secure other types of services like a message broker, a mail server, and so on? Certbot offers us a number of ways to validate the domain, automatically configure Apache and Nginx, fetch certificates, and so on.
This in-depth tutorial by our skilled Support Engineers will take us through:
- Installing Certbot
- Running Certbot
- Configuring the application
- Handling Certbot automatic renewals
However, before we begin, let’s take a look at the prerequisites:
- A server with a non-root user that is also sudo-enabled. It should also have a basic firewall setup.
- A domain name that points to the server
- Port 80 or 443 should be free and available on the server
How to install Certbot
According to our Support Techs, we can use the snap package to install Certbot. However, we have to install snapd first. Fortunately, Ubuntu 20.04 supports snaps, so all we have to do is make sure that the snapd core is up to date:
sudo snap install core; sudo snap refresh core
If there is an older version of certbot on the server, we can remove it with this command:
sudo apt remove certbot
Then, it is time to install the certbot package:
sudo snap install --classic certbot
After that, we have to link the certbot command from the installation directory to our path:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
How to run Certbot
Next, Certbot has to answer a cryptographic challenge issued by the Let’s Encrypt API on port 80 or 443 to prove our control over the domain, so we open the port in the firewall:
sudo ufw allow 443
Output:
Rule added
Rule added (v6)
After that, we can run Certbot to get the certificate. This is where we use the --standalone option so that Certbot can handle the challenge via its built-in web server. We use the -d flag to specify the domain we want the certificate for, and we can pass multiple -d options to cover more than one domain in a single certificate.
sudo certbot certonly --standalone -d the_domain
After running the above command, we have to enter an email address and agree to the terms of service. Certbot then prints a message confirming that the process was successful and showing the location of the certificates.
How to configure the application
In this step, we are going to take a look at what Certbot downloaded. We can use the ls command as seen below to list out the directory that holds the keys and certificates:
sudo ls /etc/letsencrypt/live/your_domain
Output:
cert.pem chain.pem fullchain.pem privkey.pem README
Some software can use the certificates in their original format, while other software requires them in a different format. In the latter scenario, we have to write a script to move the files and change permissions as required.
How to handle Certbot automatic renewals
Let’s Encrypt certificates are valid only for 90 days. It is easier to automate the certificate renewal process. The certbot package handles this by adding a renew script to /etc/cron.d. The renew script runs twice a day and renews certificates that are within 30 days of expiration.
To run other tasks after renewal, we can use the renew_hook option. We add it by updating Certbot’s renewal configuration file:
sudo nano /etc/letsencrypt/renewal/the_domain.conf
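One way to write the post-renewal script that the last two sections call for, for a service that wants the certificate chain and private key in a single PEM file. This is an added example, not part of the original tutorial; the function name deploy_cert, the destination /etc/myservice/tls and the myservice account are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Hypothetical names:
# deploy_cert, /etc/myservice/tls and the "myservice" account.

# deploy_cert LIVE_DIR DEST_DIR [OWNER]
# Writes DEST_DIR/combined.pem (fullchain + private key) with mode 0600.
deploy_cert() {
    live_dir=$1
    dest_dir=$2
    owner=${3:-}

    # Refuse to deploy if either input is missing or empty.
    for f in fullchain.pem privkey.pem; do
        [ -s "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
    done

    mkdir -p "$dest_dir" || return 1
    # Temp file lives in the destination directory so the final mv is an
    # atomic rename; umask 077 keeps the key unreadable to other users.
    tmp=$(umask 077; mktemp "$dest_dir/.combined.XXXXXX") || return 1

    if ! cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    chmod 600 "$tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest_dir/combined.pem"
}

# Certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain>
# directory) when it runs the hook; outside a hook nothing is deployed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" /etc/myservice/tls myservice
fi
```

Saved as, say, /usr/local/bin/deploy-cert.sh (a hypothetical path), it is referenced from the renewal configuration file with a line such as renew_hook = /usr/local/bin/deploy-cert.sh.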
In short, we learned how to install the Certbot Let’s Encrypt client, download SSL certificates, and enable automatic renewals.
Conclusion
To conclude, our skilled Support Engineers at Bobcares demonstrated how to use DigitalOcean Certbot standalone mode.