Over the last two months, I've shared what amounts to a four-part "series" of posts walking through my journey of using Certbot for SSL certificate management, with the primary challenge being not having the traditional root-level access on the web server. Those posts are, in order:
- Setting up Key Authentication
- Moving to Certbot with Let's Encrypt
- Improving Manual Certbot Domain Validation
- Certbot in Manual Mode with Script Hooks
This post is intended to gather the series into one reference/table of contents post, both for Future Me and for anyone else just needing the highlights.
Just getting started/First steps? Play around with Certbot!
The second post of the series is actually the first post to reference Certbot and the basics of installing and using it to manually generate a certificate. If you've never touched Certbot before, it's the best place to start without getting too deep into All Things Certbot.
Already familiar with Certbot? Time to Automate!
The next major step in doing cool stuff with Certbot is to start automating the request and validation processes. For this, you will absolutely want/need key authentication for your remote host(s). Having key auth in place removes the interactive password prompt, which is what lets scripts run unattended, and opens the door to better, more secure integrations. Key auth can be used for so many cool things!
Further, with a couple of simple bash scripts, it's easy to bolt all the requisite commands together to streamline much of the process. This part was the major breakthrough in my own journey. While it was still a bit of a pain to do the copy/paste action of the domain validation files, having a split terminal and aliases set up made the process far less onerous than using the old SSLForFree/ZeroSSL web interface.
Finally: Getting Hooked!
Perhaps out of sheer stubbornness, or enough menial "pain and suffering," I dug deep enough into Certbot's options to discover the magic of pre- and post-hooks for Certbot's manual mode. This process has truly been life-altering for me, and has automated as much of the process as can be automated in my environment...for now. The ability to mechanize the transport/copy and removal of the transient domain validation files is the *chef's kiss* of the whole thing for me. I am most proud of my discovery and journey to this point.
Many of the referenced posts include gists to get you started and a Git repo for your convenience.
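To make the hook idea concrete, here is an added example of the shape such a hook script can take; it is written for this recap and is not one of the gists or the repo linked from the series. It assumes Certbot's manual-mode flags `--manual-auth-hook` and `--manual-cleanup-hook` (which is how Certbot exposes the "before validation" and "after validation" steps in manual mode) and the environment variables Certbot sets for them (`CERTBOT_DOMAIN`, `CERTBOT_TOKEN`, `CERTBOT_VALIDATION`). The remote host, web root path and `LOCAL_WEBROOT` testing switch are assumptions for illustration, as is the hostname `webhost.example`. The one piece of logic a practitioner would want beyond plain copy/remove is the token check: the hook refuses anything that is not a base64url token, so a malformed value can never turn `.well-known/acme-challenge/<token>` into a path somewhere else on the web server.

```shell
#!/bin/sh
# Hypothetical Certbot manual-mode hook pair for HTTP-01 validation over key-
# authenticated SSH. Invoke as:
#   certbot certonly --manual -d example.com \
#     --manual-auth-hook "/path/to/acme-hook.sh auth" \
#     --manual-cleanup-hook "/path/to/acme-hook.sh cleanup"
# Certbot sets CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION before
# calling each hook.
set -eu

# Assumed remote target; override via the environment for your own host.
REMOTE_HOST="${REMOTE_HOST:-deploy@webhost.example}"
REMOTE_WEBROOT="${REMOTE_WEBROOT:-/var/www/html}"
# If LOCAL_WEBROOT is set, files are staged in that local directory instead of
# over SSH, so the hook logic can be exercised offline.
LOCAL_WEBROOT="${LOCAL_WEBROOT:-}"

# Path of the challenge file relative to the web root (RFC 8555 HTTP-01).
challenge_relpath() {
  printf '.well-known/acme-challenge/%s' "$1"
}

# ACME tokens are base64url; anything else (empty, slashes, dots) is rejected
# so the token can never escape the acme-challenge directory.
valid_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Auth hook: publish the key authorization where the ACME server will fetch it.
auth_hook() {
  valid_token "$CERTBOT_TOKEN" || { echo "refusing malformed token" >&2; return 1; }
  rel=$(challenge_relpath "$CERTBOT_TOKEN")
  if [ -n "$LOCAL_WEBROOT" ]; then
    mkdir -p "$LOCAL_WEBROOT/.well-known/acme-challenge"
    printf '%s' "$CERTBOT_VALIDATION" > "$LOCAL_WEBROOT/$rel"
  else
    # Key auth means no password prompt, so this runs unattended.
    printf '%s' "$CERTBOT_VALIDATION" | ssh "$REMOTE_HOST" \
      "mkdir -p '$REMOTE_WEBROOT/.well-known/acme-challenge' && cat > '$REMOTE_WEBROOT/$rel'"
  fi
}

# Cleanup hook: remove the transient file once validation has finished.
cleanup_hook() {
  valid_token "$CERTBOT_TOKEN" || { echo "refusing malformed token" >&2; return 1; }
  rel=$(challenge_relpath "$CERTBOT_TOKEN")
  if [ -n "$LOCAL_WEBROOT" ]; then
    rm -f "$LOCAL_WEBROOT/$rel"
  else
    ssh "$REMOTE_HOST" "rm -f '$REMOTE_WEBROOT/$rel'"
  fi
}

# Dispatch on the first argument; no argument means nothing is run, which keeps
# the file safe to source.
case "${1:-}" in
  auth) auth_hook ;;
  cleanup) cleanup_hook ;;
esac
```

Each Certbot domain in a multi-domain request triggers the auth hook once and the cleanup hook once, so the script is deliberately stateless and derives everything from the variables Certbot hands it.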
A Post-Script Follow-Up
Most of the aforementioned series was written while/as I transitioned and iterated over moving to Certbot. It all started back in early July, 2020, and wrapped up in September/October when I buttoned up the hook business. As of mid-November, just before this post is set to publish, I am happy to report that I've fully expanded this process to all of my in-scope domains/certificates. In fact, I had to perform my first "renewal" of the very first domains I used while developing the hook post. It was seamless and took mere seconds to validate domains and generate certificates. Perfect!
So there it is -- iteratively working through a process change to make Future Me a happier, more productive person. Hopefully you also can find some inspiration as well!
Headline image unattributed via Beatles Songwriting Academy