Certbot on Debian

Specifically, these instructions suit the Bitnami Debian (Jessie) image, as of 2017-07-10.

There are conflicting instructions, e.g. to install python-certbot-apache from the jessie-backports repository. Unfortunately, the version of python-certbot-apache in that repository has dependencies that are totally broken.

So it’s necessary to get certbot from git & use the certbot-auto script to download dependencies.

Log in to your server via ssh and run:

cd /tmp
git clone https://github.com/certbot/certbot
cd certbot/
./certbot-auto


You’ll get this:

Failed to find executable apache2ctl in PATH: /opt/bitnami/varnish/bin:
Certbot doesn't know how to automatically configure the web server on this system. 
However, it can still get a certificate for you. Please run "certbot-auto certonly" 
to do so. 
You'll need to manually configure your web server to use the resulting certificate.


So then it’s up to you to do as suggested. For example, to get a certificate for the Homunculoid website I did:

./certbot-auto certonly --webroot -w /var/www/html/ -d homunculoid.com


Enter your email address, and with luck, success:

- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/homunculoid.com/fullchain.pem. Your cert will
expire on 2017-10-10. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


The final step is to install the certificates into Apache & restart the server:

cd /opt/bitnami/apache2/conf
rm server.crt server.key
ln -s /etc/letsencrypt/live/homunculoid.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
ln -s /etc/letsencrypt/live/homunculoid.com/privkey.pem /opt/bitnami/apache2/conf/server.key
/opt/bitnami/ctlscript.sh restart apache

Let's Encrypt certificates need to be renewed every 90 days, which is a nuisance. Fortunately, renewing them only requires:

cd /tmp/certbot/
./certbot-auto renew
# or, if it does not find your webroot:
./certbot-auto certonly --webroot -w /var/www/html/ -d homunculoid.com

Since certbot is needed on an ongoing basis, you should probably also move /tmp/certbot to /usr/local/ or somewhere a little more permanent than /tmp.
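
A check for the install and renewal steps above, as an added example that is not part of the original instructions: it confirms that the symlinked certificate and private key belong together and that the certificate is not close to expiry. The function names, the --check argument and the 30-day default are assumptions; the default paths are the ones used above.

```shell
#!/bin/sh
# Added example: check the certificate/key pair Apache loads via the symlinks.
# Function names and the 30-day default are assumptions, not part of certbot.

# SHA-256 of the public key in a certificate. For fullchain.pem, openssl
# reads the first certificate in the file, which is the server certificate.
cert_pubkey_hash() (
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
)

# SHA-256 of the public key derived from a private key file.
key_pubkey_hash() (
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
)

# Succeed only if both files are readable and share the same public key.
cert_matches_key() (
    c=$(cert_pubkey_hash "$1") || return 1
    k=$(key_pubkey_hash "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Returns 0 = fine, 1 = renew soon, 2 = certificate and key do not match.
check_apache_pair() (
    crt=${1:-/opt/bitnami/apache2/conf/server.crt}
    key=${2:-/opt/bitnami/apache2/conf/server.key}
    days=${3:-30}
    if ! cert_matches_key "$crt" "$key"; then
        echo "MISMATCH: $crt and $key are not a pair (or are unreadable)" >&2; return 2
    fi
    if ! cert_valid_for_days "$crt" "$days"; then
        echo "RENEW: $crt expires within $days days" >&2; return 1
    fi
    echo "OK: $crt matches its key and is valid for more than $days days"
)

# Run the check only when asked, e.g. from cron: sh check-cert.sh --check
if [ "${1:-}" = "--check" ]; then
    check_apache_pair
fi
```

Because server.crt and server.key are symlinks into /etc/letsencrypt/live/, a renewal changes the files they resolve to, but Apache keeps serving the old certificate until it is restarted with the ctlscript.sh command above.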