Renewing SSL certificates

I switched all my websites to HTTPS around September 2013, when Eric Mill published a didactic post on his blog explaining how to setup HTTPS certificates on one's website for free. As others, I believe we need to make surveillance as expensive as possible. Making privacy the default on all my websites is a small contribution in this direction: for privacy not to be suspicious, privacy should be on by default over the Internet.

Switch to Let's Encrypt

This post used to be much longer, with instructions that are now out-of-date thanks to Certbot, the certification bot from Let's Encrypt. I was pleased to see that the process got smoother and much simpler than what it used to be. With Nginx, you can call Certbot as follows:

sudo certbot --nginx

If like me you prefer to update your configuration files by hand, you can use the certonly subcommand:

sudo certbot --nginx certonly

Choose your website's FQDN from the list and proceed. Then, go to your website configuration and edit it as follows:

ssl_certificate /etc/letsencrypt/live/my.website.fqdn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.website.fqdn/privkey.pem;

Let's Encrypt certificates expire after 90 days, but certificates should be renewed automatically after 60 days by a Cron job installed automatically with your distribution (e.g. Debian).

Pages of this website are under the CC-BY 4.0 license.