Published: March 9, 2022 Last modified: March 10, 2022

Install Let's Encrypt for Django with Nginx | Automate renewal with Cron

In the previous article, I wrote a guide on deploying multiple Django apps on a single VPS using Nginx and Gunicorn. In this guide, I'll teach you how to secure your Django apps with a free SSL certificate and how to automatically renew your Let’s Encrypt SSL certificate with Cron.

We'll be using the following tools:

  • Certbot: Thanks to the Electronic Frontier Foundation (EFF), everyone can secure their connections. Certbot is one of the tools the EFF provides for free: a client that fetches an SSL certificate from Let's Encrypt, the open-source certificate authority founded by the EFF.
  • Cron: When it comes to scheduling commands, cron is the standard tool. It's a long-running process that executes UNIX commands at a chosen date and time.


For our Django apps (Pacman & Coffee), we will secure their connections with SSL (Secure Sockets Layer). It's recommended that you serve all your websites over HTTPS, especially websites that deal with users' data.




Install certbot on Ubuntu


To install Certbot, we have two possible options for Ubuntu:

1 - APT (Advanced Package Tool)

Add the repository:

$ sudo add-apt-repository ppa:certbot/certbot

Then press [ENTER] when you see this prompt:

This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu. 
Note: Packages are only provided for currently supported Ubuntu releases. More info:https://launchpad.net/~certbot/+archive/ubuntu/certbot 
Press [ENTER] to continue or Ctrl-c to cancel adding it.


Then update your system and install Certbot:


$ sudo apt update && sudo apt install python-certbot


If something went wrong, remove the PPA you just added:


$ sudo add-apt-repository --remove ppa:certbot/certbot


And try with this command:


$ sudo apt install certbot python3-certbot-nginx


2 - Snapd


Some systems (including Kali Linux, Red Hat, and Arch Linux) have Snap pre-installed. If you don't have it, install it using these commands:


$ sudo apt update
$ sudo apt install snapd


Then, to install Certbot, run this command:


$ sudo snap install --classic certbot



Creating an SSL Certificate for a Django project


Since we used Nginx to serve our Django applications on the server, we use Certbot's Nginx plugin to obtain the certificate and install it:


$ sudo certbot --nginx


And since we have many domain names, we can install the certificates in one command using the expand option.


$ sudo certbot --nginx --expand -d pacman.selmi.tech -d coffee.selmi.tech


The --expand argument tells Certbot to update an existing certificate with a new one that covers additional domains, and each -d option specifies a domain name.

More command line options:


$ sudo certbot --nginx --expand -d pacman.selmi.tech -d coffee.selmi.tech -n --agree-tos -m myemail@example.com --redirect --uir

  • Use the -n option to run Certbot non-interactively, so it never prompts for input.
  • Use the --agree-tos argument to agree to the ACME server's Subscriber Agreement.
  • Use the -m option with your email address to receive important account notifications about your certificates.
  • Use the --redirect option to automatically redirect all HTTP requests to HTTPS (secure) traffic.
  • Use the --uir option to add the "Content-Security-Policy: upgrade-insecure-requests" header to every HTTP response.



Confirm that Certbot worked


Now after installing the SSL certificates for our newly added Django projects, we can check whether our sites are set up properly or not.
We visit https://pacman.selmi.tech and https://coffee.selmi.tech and we should see the lock icon in the URL bar.


Automatic renewal: Let’s Encrypt SSL Renew Cron


Before we dive into Cron, let's see how to renew the certificate with Certbot.
When a certificate is due to expire in less than 30 days, we can renew it manually with this command:


$ sudo certbot renew


If you have a single certificate that was obtained with the standalone plugin, you need to stop Nginx before renewing the certificate so that the standalone plugin can bind the ports. After that, you can start Nginx again.


$ sudo certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"


In my case, here is the command I'll automate using Cron:


$ sudo certbot renew -n -q


The new option here is -q, which means a quiet execution of the command line without outputs.
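A renewal that runs unattended can keep failing without anyone noticing, so it is worth checking the certificate itself. The following is an added example, not part of the original article: a shell check built on openssl x509 -checkend that flags certificates inside the 30-day renewal window. The function names and the throwaway self-signed certificates are constructed for the demo; on a server you would pass it the certificate file that Nginx serves.

```sh
# Added example: flag certificates that are inside the 30-day renewal window.

# cert_expires_within FILE DAYS
#   returns 0 if the certificate expires (or has expired) within DAYS days,
#           1 if it is still valid after DAYS days,
#           2 if FILE cannot be read as a certificate.
cert_expires_within() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
  # -checkend N exits 0 when the certificate is still valid N seconds from now.
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
    return 1
  fi
  return 0
}

# check_certs DAYS FILE...: one line per certificate, non-zero exit if any needs attention.
check_certs() {
  days=$1; shift; status=0
  for cert in "$@"; do
    rc=0; cert_expires_within "$cert" "$days" || rc=$?
    case $rc in
      0) echo "WARNING: $cert expires within $days days" \
              "($(openssl x509 -in "$cert" -noout -enddate))"; status=1 ;;
      1) echo "OK: $cert" ;;
      *) echo "ERROR: cannot read $cert"; status=1 ;;
    esac
  done
  return "$status"
}

# Constructed demo input: a throwaway self-signed certificate valid for DAYS days.
make_sample_cert() {   # make_sample_cert FILE DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
    -days "$2" -subj "/CN=demo.example" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/fresh.pem" 90   # stands in for a newly issued certificate
make_sample_cert "$tmp/stale.pem" 10   # stands in for one whose renewals keep failing
check_certs 30 "$tmp/fresh.pem" "$tmp/stale.pem" "$tmp/missing.pem" ||
  echo "at least one certificate needs attention"
rm -rf "$tmp"
```

Because check_certs exits non-zero when any certificate needs attention, it can be scheduled next to the renewal job and wired to whatever alerting you already use.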

Automate SSL renewal with Cron


By default, most Linux distros come with cron installed. In case yours is outdated for some reason, install it with these commands:


$ sudo apt update
$ sudo apt install cron


Then enable it to run in the background:


$ sudo systemctl enable cron


To schedule a command execution, open the crontab for editing with crontab -e and add a task written in the form of a cron expression. The syntax for cron has two elements: the schedule and the command.

The command part can be any Unix command.
The schedule part has 5 fields, each holding one unit of time, in this order:


# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12)
# │ │ │ │ ┌───────────── day of week (0 - 6)
# │ │ │ │ │
# │ │ │ │ │
# * * * * *  command_to_execute



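Here are some examples of cron expressions:


To empty the temp folder every Monday at 18:30:

30 18 * * 1 rm -rf /tmp/*


To update the system at 00:00 on every day of January (this line uses the system crontab format of /etc/crontab, which takes a user name before the command):

0 0 * 1 * root /usr/bin/apt update -q -y >> /var/log/apt/automaticupdates.log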
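To see when schedules like these actually fire, here is an added example (not from the original article): a small POSIX shell matcher for the five cron fields, run against constructed timestamps. The function names field_matches, cron_fires and report are made up for this example; it handles numeric fields only and also applies cron's rule that, when both day fields are restricted, the job runs if either one matches.

```sh
# Added example: does a 5-field cron schedule fire at a given time?
# field_matches FIELD VALUE MIN MAX: true if VALUE is selected by one cron field.
# Handles "*", numbers, ranges "a-b", lists "a,b" and steps "*/n", "a-b/n".
field_matches() {
  field=$1 value=$2 min=$3 max=$4
  old_ifs=$IFS; IFS=,; set -f
  set -- $field            # split the list on commas without glob expansion
  set +f; IFS=$old_ifs
  for part in "$@"; do
    range=${part%%/*}; step=1
    case $part in */*) step=${part##*/} ;; esac
    case $range in
      '*') lo=$min; hi=$max ;;
      *-*) lo=${range%-*}; hi=${range#*-} ;;
      *)   lo=$range; hi=$range ;;
    esac
    if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] &&
       [ $(( (value - lo) % step )) -eq 0 ]; then return 0; fi
  done
  return 1
}

# cron_fires "SCHEDULE" MINUTE HOUR DAY_OF_MONTH MONTH DAY_OF_WEEK (0 = Sunday)
cron_fires() {
  read -r m h dom mon dow <<EOF
$1
EOF
  field_matches "$m" "$2" 0 59 || return 1
  field_matches "$h" "$3" 0 23 || return 1
  field_matches "$mon" "$5" 1 12 || return 1
  dom_ok=0; dow_ok=0
  if field_matches "$dom" "$4" 1 31; then dom_ok=1; fi
  if field_matches "$dow" "$6" 0 7; then dow_ok=1; fi
  # cron accepts 7 as well as 0 for Sunday
  if [ "$6" -eq 0 ] && field_matches "$dow" 7 0 7; then dow_ok=1; fi
  if [ "$dom" != '*' ] && [ "$dow" != '*' ]; then
    [ $(( dom_ok + dow_ok )) -ge 1 ]   # both day fields restricted: either may match
  else
    [ $(( dom_ok + dow_ok )) -eq 2 ]
  fi
}

# Constructed timestamps checked against the schedules used in this article.
report() { s=$1; shift; cron_fires "$s" "$@" && echo "fires:   $s at $*" || echo "skipped: $s at $*"; }
report "30 18 * * 1" 30 18 7 3 1    # Monday 7 March 2022, 18:30
report "0 0 * 1 *"   0 0 15 1 6     # Saturday 15 January 2022, 00:00
report "0 0 * 1 *"   0 0 15 2 2     # Tuesday 15 February 2022, 00:00
report "0 0 * * 0"   0 0 13 3 0     # Sunday 13 March 2022, 00:00
```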



If this is the first time you’re running the crontab command, you'll get this output to set a default text editor:


no crontab for selmi - using an empty one

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.basic
  3. /usr/bin/vim.tiny
  4. /bin/ed

Choose 1-4 [1]:1


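Then I'll paste this expression to check for certificate renewal every Sunday at midnight. Cron runs jobs without a terminal, so the sudo in this line only succeeds if the user can run certbot through sudo without a password prompt; otherwise, put the same line without sudo in root's crontab (sudo crontab -e).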


0 0 * * 0 sudo certbot renew -n -q


If you’d like to view the contents of your crontab, run:


$ crontab -l



Thanks for being here, feel free to comment below if you have any questions.




This is Selmi Abderrahim, the author and the admin of SelmiTech blog.
