Generating Let's Encrypt SSL Certificate

The Let's Encrypt certificate is a free SSL certificate that is issued for 90 days.

When using the Bitrix 7 operating system, there are two ways to generate a Let's Encrypt certificate: with the system's own tools (starting from Bitrix 7.2.0) or manually.

Obtaining and Installing Let's Encrypt via Bitrix Menu

  1. Go to the menu: 8. Manage servers in the pool -> 3. Certificate Settings -> 1. Let's Encrypt Certificate Settings.
  2. Provide the following details:
    • the site for which you want to order SSL (you can specify multiple sites by listing them separated by commas: site.ru, site2.ru, site3.com);
    • the domain names of these sites (also separated by commas);
    • contact email for notifications from Let's Encrypt.
  3. Confirm the action by pressing "Y".

The certificate will be automatically generated and installed.

Bitrix reports that a certificate created in this way will be automatically renewed before it expires. If, for some reason, automatic renewal does not work (there have been cases where users reported this issue), you can reorder the certificate by following the same instructions.

You can also follow the instructions below to create and install a Let's Encrypt certificate manually and to configure automatic renewal through a crontab task.

Manual Certificate Acquisition

1. Install certbot:

yum install certbot

2. Run the following command to obtain the certificate, specifying the necessary data.

certbot certonly --webroot --agree-tos --email admin@email.ru -w /path/to/site/files/directory/ -d domain.ru -d www.domain.ru
  • admin@email.ru - the domain administrator's email;
  • /path/to/site/files/directory/ - the full path to the directory with your site files;
  • domain.ru and www.domain.ru - the domains for which the certificate will be generated (you can specify multiple domains by adding the -d flag before each).

Upon successful completion, the following message will be displayed, containing the path to the certificate (fullchain.pem) and unencrypted private key (privkey.pem):

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/domain.ru/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/domain.ru/privkey.pem
  Your certificate will expire on 2017-12-16. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot-auto
  again. To non-interactively renew *all* of your certificates, run
  "certbot-auto renew"

The obtained certificate now needs to be installed.

Automatic Certificate Renewal

To automatically renew Let's Encrypt certificates on BitrixOS, you need to add a corresponding task to the crontab.

1. Open crontab:

crontab -e

2. Add the task:

PATH=/usr/bin:/usr/sbin:/bin
30 6 * * * certbot renew --post-hook "systemctl reload nginx"

With this task, certbot checks daily at 6:30 whether the certificate needs to be renewed; the --post-hook command reloads nginx so that it picks up the renewed certificate.
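
Because automatic renewal can stop working without notice, as mentioned above, a second daily check can report certificates that are running close to expiry. The script below is an added example, not part of the original instructions; the file name check-le-expiry.sh, the --check argument, the 20-day threshold and the LIVE_DIR and WARN_DAYS variables are assumptions.

```shell
#!/bin/sh
# Added example: report Let's Encrypt certificates that are close to expiry,
# which is what a silently failing "certbot renew" cron task looks like.

# Assumption: certbot's default layout, as in the output shown above.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
# Assumption: warn at 20 days left; certbot by default renews at 30 days left,
# so a lower value means several daily renewal runs have already failed.
WARN_DAYS="${WARN_DAYS:-20}"

# cert_status FILE DAYS: prints "ok", "expiring" or "unreadable".
cert_status() {
    cs_file=$1
    cs_secs=$(($2 * 86400))
    if ! openssl x509 -in "$cs_file" -noout >/dev/null 2>&1; then
        echo unreadable
    elif openssl x509 -in "$cs_file" -noout -checkend "$cs_secs" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# check_all DIR DAYS: prints one line per problem certificate and returns
# non-zero if any fullchain.pem under DIR is expiring or unreadable.
check_all() {
    ca_rc=0
    for ca_cert in "$1"/*/fullchain.pem; do
        [ -e "$ca_cert" ] || continue
        ca_st=$(cert_status "$ca_cert" "$2")
        [ "$ca_st" = ok ] && continue
        ca_end=$(openssl x509 -in "$ca_cert" -noout -enddate 2>/dev/null) || ca_end="notAfter=unknown"
        echo "$ca_st: $ca_cert ($ca_end)"
        ca_rc=1
    done
    return "$ca_rc"
}

# Entry point for cron, e.g. "sh check-le-expiry.sh --check" (hypothetical name).
if [ "${1:-}" = "--check" ]; then
    check_all "$LIVE_DIR" "$WARN_DAYS"
fi
```

Scheduled from the same crontab shortly after the renewal task, the script prints nothing while renewals work, so any output cron delivers to the crontab owner means a certificate needs attention.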
