Installing LetsEncrypt certificate on Cockpit on Fedora
First – install certbot on your machine
yum -y install httpd mod_ssl certbot
I am going to assume you have correctly configured firewalld to allow incoming connections to http and https.
systemctl start httpd
Now – create a test ssl certificate
Replace mywebserver.domain.com with the FQDN of your machine.
certbot certonly --agree-tos --webroot --webroot-path /var/www/html --email myemail@domain.com -d mywebserver.domain.com --dry-run
The --dry-run option is very important. If you request a certificate too many times and hit errors without '--dry-run', you will be locked out of the LetsEncrypt server.
Now – once you have resolved all errors, repeat the command without the '--dry-run' option
certbot certonly --agree-tos --webroot --webroot-path /var/www/html --email myemail@domain.com -d mywebserver.domain.com
Now that you have the certificate we need to attach it to your cockpit. Create a file named
/etc/letsencrypt/renewal-hooks/post/001-restart-cockpit.sh
Replace mywebserver.domain.com with the FQDN of your machine.
#!/bin/bash
FQDN=mywebserver.domain.com
#echo "SSL certificates renewed"
cp /etc/letsencrypt/live/$FQDN/fullchain.pem /etc/cockpit/ws-certs.d/$FQDN.crt
cp /etc/letsencrypt/live/$FQDN/privkey.pem /etc/cockpit/ws-certs.d/$FQDN.key
chown cockpit-ws:cockpit-ws /etc/cockpit/ws-certs.d/$FQDN.crt /etc/cockpit/ws-certs.d/$FQDN.key
#echo "Restarting Cockpit"
systemctl restart cockpit
set the permissions
chmod 700 /etc/letsencrypt/renewal-hooks/post/001-restart-cockpit.sh
and run it
/etc/letsencrypt/renewal-hooks/post/001-restart-cockpit.sh
Now – cockpit has a LetsEncrypt certificate – and when it renews – cockpit will load the updated certificate!
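Because the hook copies the certificate and key rather than linking them, a hook that fails silently leaves Cockpit serving a stale certificate. The check below is an added example, not part of the original post: the function name check_cockpit_cert and its optional path arguments are hypothetical, and it assumes GNU stat as shipped on Fedora. Run it as root so the private key is readable.

```shell
#!/bin/bash
# Added example (not from the original page): confirm that the copies made by
# the renewal hook still match certbot's live files and that the key copy is
# not accessible to other users.

# check_cockpit_cert FQDN [LIVE_ROOT] [COCKPIT_DIR]
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_cockpit_cert() {
    local fqdn=$1
    local live=${2:-/etc/letsencrypt/live}/$fqdn
    local dest=${3:-/etc/cockpit/ws-certs.d}
    local rc=0 mode pair src dst

    # The hook copies fullchain.pem -> FQDN.crt and privkey.pem -> FQDN.key.
    for pair in "fullchain.pem:$fqdn.crt" "privkey.pem:$fqdn.key"; do
        src=$live/${pair%%:*}
        dst=$dest/${pair##*:}
        if [ ! -r "$src" ] || [ ! -r "$dst" ]; then
            echo "MISSING $src or $dst"; rc=1
        elif ! cmp -s "$src" "$dst"; then
            # Stale copy: the hook did not run, or failed, after a renewal.
            echo "STALE $dst differs from $src"; rc=1
        fi
    done

    # The private key copy must carry no permission bits for "other".
    if [ -e "$dest/$fqdn.key" ]; then
        mode=$(stat -c '%a' "$dest/$fqdn.key")   # GNU stat, octal mode
        if [ $(( 0$mode & 007 )) -ne 0 ]; then
            echo "PERMS $dest/$fqdn.key is mode $mode"; rc=1
        fi
    fi
    return $rc
}

# Usage: ./check-cockpit-cert.sh mywebserver.domain.com
if [ $# -gt 0 ]; then
    check_cockpit_cert "$@"
fi
```

A non-zero exit status makes the script usable from a cron job or monitoring check.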
Tested on Fedora 35