# SSL

## Auto-renew SSL Certificates

{% embed url="<https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/>" %}

<figure><img src="https://3401258663-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FAKc2IccofCPFp0RqLn1n%2Fuploads%2FUAHYhK2FghnrKl2Ehw4x%2Fimage.png?alt=media&#x26;token=18619d54-6ec7-4899-ac15-63caf2b9c398" alt=""><figcaption></figcaption></figure>

#### Step 1: Install Certbot

Certbot is a free, open-source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

1. **SSH into your server** where the Bitnami application is running.
2. **Install Certbot** by following the instructions for your Linux distribution on the Certbot website. Choose your web server and operating system for tailored instructions.

#### Step 2: Stop the Web Server

Before renewing the certificate, you might need to stop your web server to free up the port Certbot uses for verification. This is necessary if you're using the standalone plugin. If you use the webroot plugin, this step may not be necessary.

For Apache (replace `sudo` with the appropriate command if you're not using a sudo-enabled user):

```bash
bashCopy codesudo /opt/bitnami/ctlscript.sh stop apache
```

For Nginx:

```bash
bashCopy codesudo /opt/bitnami/ctlscript.sh stop nginx
```

#### Step 3: Renew the Certificate

Run Certbot to renew your certificate. The command you use depends on how you originally obtained your certificate. If you're unsure, you can simply use the `certonly` option with `--standalone`, assuming your web server is stopped, or `--webroot` if it's running.

```bash
bashCopy codesudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com
```

Replace `yourdomain.com` with your actual domain name.

#### Step 4: Configure the New Certificate

After obtaining the new certificate, you need to configure your Bitnami application to use it.

1. **Copy the new certificate and key to the appropriate Bitnami directory.** The exact commands will vary based on your domain and where Certbot places the files (usually `/etc/letsencrypt/live/yourdomain.com/`).

```bash
bashCopy codesudo cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /opt/bitnami/apache2/conf/server.key
```

2. **Fix permissions** on the new files.

```bash
bashCopy codesudo chown root:root /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.key
sudo chmod 600 /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.key
```

3. **Restart your web server** to apply the changes.

For Apache:

```bash
bashCopy codesudo /opt/bitnami/ctlscript.sh start apache
```

For Nginx:

```bash
bashCopy codesudo /opt/bitnami/ctlscript.sh start nginx
```

#### Step 5: Automate the Renewal

Let's Encrypt certificates are valid for 90 days. You can automate the renewal process by adding a cron job.

1. Open the crontab for editing.

```bash
bashCopy codesudo crontab -e
```

2. Add a line to run the renewal command periodically (e.g.,once every 2 months):

```bash
bashCopy code0 0,12 * * * /usr/bin/certbot renew --quiet --renew-hook "/opt/bitnami/ctlscript.sh restart apache"
```

Replace `"/opt/bitnami/ctlscript.sh restart apache"` with the appropriate command to restart your web server.

This setup ensures your SSL certificate is automatically renewed and the web server is restarted to apply the changes.