Certbot Gotchas

As a project this week, I’ve been doing some backend maintenance for my web hosting, which includes getting everything set up with SSL certs through Let’s Encrypt. (The writing is on the wall: most sites that can switch to HTTPS should switch to HTTPS. Not just for the added security for you and your viewers, but also because browsers and search engines and similar are starting to give warnings if it’s NOT secure.)

Thankfully, the days of having to pay an arm and a leg for a cert have passed. Let’s Encrypt is a free non-profit service (in partnership with other orgs including EFF, Mozilla, and Akamai, to name a few), which generates free, short term SSL certificates for your site. (For larger organizations, you may want to still throw down on a longer term set of certs, but for personal use this is great.)

Using the certs is pretty straightforward: they’ve created a tool that can run on your web server called certbot which streamlines the process and also monitors the certificates and automatically renews them when they’re close to expiration. Installing certbot is just as easy: it’s available via various package managers (apt and similar), so chances are good that whatever OS your server is running can install it without much fuss.

That said, there are still a few gotchas that I felt like got glossed over in the docs I was reading/following when using the tool, so here’s a few notes:

  • Be explicit about your domains: certbot doesn’t currently support wildcards (i.e. being able to say *.nadreck.me and have that handle any subdomains like images.nadreck.me). Instead, list them all out if you want them to share a certificate, and that includes both with and without www. So, for example, you might want to do something like sudo certbot --apache -d nadreck.me -d www.nadreck.me. If you don’t include both, someone reaching your site through the address that wasn’t specified may have the site blocked by their browser and be warned about something potentially fraudulent.
  • If you already generated a certificate for a domain and need to update it (maybe you added a subdomain, or forgot to add www), the command you’re looking for is --expand. (I would have thought “update”, but no.) Note that when expanding a certificate, you need to re-list all domains you want included (you don’t just list the one you’re adding). So, using nadreck.me as an example again, if I wanted to add “images.nadreck.me” to the existing cert, I’d do sudo certbot --expand -d nadreck.me -d www.nadreck.me -d images.nadreck.me.
  • Keep it separated: the certs are free, there’s no need to overload the cert with a ton of domains. While it makes a certain amount of sense to bundle a domain and subdomains together, there’s no need to make one cert for all your sites. criticalgames.com shares a cert with nadreck.criticalgames.com, but not with nabilmaynard.com, if that makes any sense.
  • You can’t preemptively add sites to a cert. Certbot/letsencrypt performs a challenge response as part of the process to make sure you actually own the site you’re trying to set up, so if you haven’t actually set up that site or subdomain, the challenge will fail and the cert won’t be generated correctly. If you wanted to add, say, files.nadreck.me to your certificate, you’d need to set up that subdomain first, then expand your certificate. (The site can be empty, but the URL needs to resolve and land somewhere real.)
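As an added example (not from the post, and not certbot’s own code), here is a small POSIX shell script that turns the first two gotchas into a check: it builds the explicit -d list including the www form of each apex domain, and compares those names against the SAN list of an already-issued certificate to tell whether an --expand run (re-listing every name) is needed. The hostnames and the SAN text are constructed samples, and treating “exactly one dot” as an apex domain is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from certbot.
set -eu

# Print, one per line, every name the certificate should carry: the names given
# plus the www. form of each apex domain (assumed here to be a name with exactly
# one dot), with duplicates removed and order preserved.
wanted_names() {
  seen=" "
  for name in "$@"; do
    for cand in "$name" "www.$name"; do
      # only add the www. form for apex domains
      if [ "$cand" != "$name" ] && [ "$(printf '%s' "$name" | tr -cd .)" != "." ]; then
        continue
      fi
      case "$seen" in *" $cand "*) continue ;; esac
      seen="$seen$cand "
      printf '%s\n' "$cand"
    done
  done
}

# Turn the wanted names into the -d arguments certbot expects (first gotcha).
certbot_domain_args() {
  wanted_names "$@" | sed 's/^/-d /' | tr '\n' ' ' | sed 's/ $//'
}

# Print the wanted names that an existing certificate does not cover. $1 is the
# text printed by `openssl x509 -noout -ext subjectAltName -in cert.pem`; the
# remaining arguments are the names that should be on the cert. Any output means
# the cert needs --expand, and that run must re-list every name (second gotcha).
san_missing_names() {
  san_text=$1; shift
  covered=$(printf '%s\n' "$san_text" | grep -o 'DNS:[^, ]*' | cut -d: -f2 || true)
  for name in "$@"; do
    printf '%s\n' "$covered" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# Constructed sample: SAN text of a cert that was issued without the www name.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:example.test, DNS:images.example.test'

# shellcheck disable=SC2046  # splitting wanted_names output on newlines is intended
missing=$(san_missing_names "$SAMPLE_SAN" $(wanted_names example.test images.example.test))
if [ -n "$missing" ]; then
  echo "names missing from the certificate: $missing"
  echo "re-issue listing every name: sudo certbot --expand $(certbot_domain_args example.test images.example.test)"
fi
```

Feed the real SAN text from `openssl x509 -noout -ext subjectAltName -in /path/to/cert.pem` in place of the sample, and an empty result means the cert already covers everything you listed.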

Anyway, hope that helps! The process really is pretty straightforward, and I recommend getting things set up to anyone maintaining a website these days.