Chapter 4

Let's Encrypt & Renewal

ACME, HTTP-01, auto-renewal, staging certs.

Learning objectives

  • Explain how ACME validates domain control
  • Obtain a certificate with HTTP-01 challenge
  • Set up automatic renewal and staging tests

Let’s Encrypt and ACME

Let’s Encrypt is a free, automated CA. It uses the ACME protocol: your server proves it controls workshopco.ca, receives a certificate, and repeats before expiry (typically every 60–90 days).

For Workshop Co. on a single Nginx VPS, HTTP-01 is the usual challenge: Let’s Encrypt requests a token at http://workshopco.ca/.well-known/acme-challenge/... and verifies the response.

HTTP-01 requirements
  • Port 80 must reach your server (or Certbot’s standalone mode must briefly bind it)
  • DNS for each name must point to the validating server
  • Redirects from HTTP → HTTPS must exclude /.well-known/acme-challenge/

Certbot workflow

On Workshop Co.’s Ubuntu VPS, a typical first issuance:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d workshopco.ca -d www.workshopco.ca

Certbot edits Nginx, obtains the cert, and installs a systemd timer for renewal:

sudo systemctl status certbot.timer
sudo certbot renew --dry-run

Worked example — staging before production

Before touching production, test against Let’s Encrypt’s staging CA (fake certs, same API):

sudo certbot certonly --nginx \
  --staging \
  -d staging.workshopco.ca

Staging certs trigger browser warnings — that is expected, because the staging CA is not in any trust store. Once issuance against staging succeeds (certbot renew --dry-run also talks to the staging CA), drop --staging for real certificates.

Challenge     | How it works                    | When to use
HTTP-01       | Token on port 80                | Single web server, Workshop Co. default
DNS-01        | TXT record at _acme-challenge   | Wildcard certs, multiple backends
TLS-ALPN-01   | Special TLS response on 443     | Less common; specific load balancers

Renewal is not optional

Let’s Encrypt certs expire in 90 days. Automation via certbot.timer or cron is standard ops. Calendar reminders alone fail — expired certs take Workshop Co. offline and scare customers.

Try it yourself — renewal checklist

Write a 4-step checklist Workshop Co. should run monthly to verify cert health (even with auto-renewal).

Answer
  1. sudo certbot renew --dry-run — must succeed
  2. Check certbot.timer is active
  3. Verify expiry dates: sudo certbot certificates
  4. Confirm Nginx reload after renewal (post-hook or deploy hook)

Spot the mistake

Certbot renewal fails with “Connection refused” on port 80. Nginx redirects all HTTP to HTTPS. What is wrong?

Answer

HTTP-01 needs plain HTTP access to /.well-known/acme-challenge/. Add a location block that serves challenges without redirect, or use DNS-01 instead.
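The location block that answer (and the HTTP-01 requirement about excluding /.well-known/acme-challenge/ from the redirect) calls for, shown as an added example that is not part of the chapter: the broken Nginx server block beside the corrected one. It assumes Certbot's webroot plugin writing tokens under /var/www/certbot; that path is an assumption, not something the chapter specifies.

```nginx
# Added example, not from the chapter: an Nginx port-80 server block for
# workshopco.ca that breaks HTTP-01, followed by the corrected version.
# Assumed: Certbot's webroot plugin writing tokens to /var/www/certbot.

# BEFORE (broken): the catch-all redirect also applies to the challenge
# path, so validation now depends on the HTTPS vhost serving the token
# and on that vhost being healthy in the first place.
server {
    listen 80;
    server_name workshopco.ca www.workshopco.ca;

    return 301 https://$host$request_uri;
}

# AFTER (fixed): the challenge path is served straight from disk over
# plain HTTP; everything else is still redirected to HTTPS.
server {
    listen 80;
    server_name workshopco.ca www.workshopco.ca;

    # Let's Encrypt fetches http://workshopco.ca/.well-known/acme-challenge/<token>.
    # ^~ makes this prefix win over any regex location further down.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;     # token file lands under this root
        default_type text/plain;   # tokens have no file extension
        try_files $uri =404;       # never fall through to the redirect
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

Before asking Certbot for a certificate, confirm the path is exempt from the redirect: curl -I http://workshopco.ca/.well-known/acme-challenge/test should return a 404 from Nginx, not a 301. Issue with sudo certbot certonly --webroot -w /var/www/certbot -d workshopco.ca -d www.workshopco.ca; Certbot records the webroot in its renewal config, so certbot renew reuses it.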

Quick quiz

  1. How long are standard Let’s Encrypt certificates valid?
  2. Why test with the staging CA first?
  3. Which challenge type needs a DNS TXT record?
Answers
  1. 90 days — renew around day 60.
  2. Avoid rate limits and broken production configs while learning.
  3. DNS-01.