Runbook: Let's Encrypt Certificates


Web servers

Web servers share a common cert with many Subject Alternative Names.

$ git clone
$ cd ansible/helpers/

Generate a new certificate

$ ./certbot-request

Renew certificates

$ ./certbot-route53 renew

Internal servers

Internal servers like the Edge Router Lite and Synology NAS share a certificate.

$ ssh roku
# --- on roku ---
$ cd certbot

Generate a new certificate

$ ./certbot-generate-truck

Renew certificates

$ ./certbot-route53 renew

Install certificates

To install on the Edge Router, create a certificate chain (including the key) and copy to the router's Lighttpd directory.

On roku:

$ chown -R annika:annika certs
$ cat certs/live/truck/privkey.pem certs/live/truck/fullchain.pem > server.pem

On your local machine:

$ scp roku:server.pem server.pem
$ scp server.pem

On the router:

$ sudo chown root:root server.pem
$ sudo mv server.pem /etc/lighttpd/server.pem
$ sudo kill -SIGINT $(cat /var/run/
$ sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

To install on the Synology NAS:

  1. Visit
  2. Open Control Panel
  3. Open Security
  4. Click the Certificate tab
  5. Click Add
  6. Click Replace an exiting certificate
  7. Follow the rest of the prompts, selecting privkey.pem and fullchain.pem as needed.