Let’s Encrypt Free SSL Certs for your web site
Let’s Encrypt is a fantastic project put together by the non-profit Internet Security Research Group (ISRG). It is a flexible tool for setting up SSL certificates for your web sites.
Installation
To install on Rocky Linux 8 execute:
yum -y install epel-release
yum -y install httpd mod_ssl certbot
To install on Centos 7 execute:
yum -y install epel-release
yum -y install httpd mod_ssl python-certbot-apache
Creating Certificates
There are many ways to generate certificates for your web sites. My preferred method is to execute the following command on my web server. The following will create a cert for a web site with the names “www.mydomain.com” and “mydomain.com”. If you have additional domain/site names for the web site, add them by putting additional “-d www.domainname.com” entries onto the end of the command below. If the web site lives somewhere other than /var/www/html (for example under a user's home directory), change /var/www/html to the correct document root.
certbot certonly --agree-tos --webroot --webroot-path /var/www/html --email hostmaster@mydomain.com -d www.mydomain.com -d mydomain.com
Follow the prompts given.
When it is done, add the following lines to the configuration file for your web server. Replace www.mydomain.com with the correct name for your web server.
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/www.mydomain.com/chain.pem
(I am going to assume you are familiar with how to set up apache to use SSL certs. If you are not, then you need to stop and go read up on that as the above lines are not the only things you need to set up a secure web site)
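As an added example (not part of the original post), the script below generates a complete Apache virtual host for a Let's Encrypt certificate and sanity-checks the /etc/letsencrypt/live/<name> directory before httpd is reloaded. It assumes Apache 2.4.8 or later (Rocky Linux 8 ships 2.4.37), where SSLCertificateFile can load the leaf certificate and the intermediates together from fullchain.pem; on CentOS 7 (httpd 2.4.6) use cert.pem in SSLCertificateFile plus SSLCertificateChainFile chain.pem instead. The domain, web root and function names are illustrative.

```shell
#!/bin/bash
# Added example, not from the original post or from certbot/Apache.
# Generates an Apache TLS vhost for a Let's Encrypt cert and checks the
# live directory it references. Assumes Apache >= 2.4.8 (fullchain.pem via
# SSLCertificateFile) and GNU coreutils (stat -c), as on Rocky Linux 8.
set -u

# Print a vhost configuration for DOMAIN serving WEBROOT to stdout.
write_ssl_vhost() {
    domain=$1
    webroot=$2
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
# Plain HTTP only answers the ACME webroot challenge; everything else is
# redirected to HTTPS so the site is never usable without TLS.
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $webroot
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $webroot
    SSLEngine on
    # fullchain.pem = leaf certificate + intermediate chain (Apache >= 2.4.8).
    # On CentOS 7 (2.4.6): SSLCertificateFile cert.pem + SSLCertificateChainFile chain.pem
    SSLCertificateFile $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
    # Protocol hygiene: TLS 1.2 and newer only, server chooses the cipher.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # Tell browsers to use HTTPS for this host for the next six months.
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
EOF
}

# Verify the files the vhost references exist and that the private key is
# not readable by other users. Returns 0 when all is well, 1 otherwise.
check_live_dir() {
    live=$1
    ok=0
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "missing or unreadable: $live/$f" >&2
            ok=1
        fi
    done
    if [ -e "$live/privkey.pem" ]; then
        # -L follows certbot's live -> archive symlink; %a is the octal mode
        perms=$(stat -L -c '%a' "$live/privkey.pem")
        case $perms in
            *[1-7])
                echo "private key is readable by others: mode $perms" >&2
                ok=1 ;;
        esac
    fi
    return $ok
}

# Usage (constructed values): generate the vhost, check the files, then
# run "apachectl configtest" before "systemctl reload httpd".
#   write_ssl_vhost www.mydomain.com /var/www/html > /etc/httpd/conf.d/www.mydomain.com.conf
#   check_live_dir /etc/letsencrypt/live/www.mydomain.com
```

Run check_live_dir before every reload: a reload with a missing or unreadable key file leaves httpd refusing the TLS vhost, and a world-readable key means anyone with a shell on the box can impersonate the site.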
Test Certificates
If you are not sure whether your web server is set up correctly, or this is not a production server, add
--dry-run
to the “certbot certonly” command above to get a test certificate.
Important note: If you request a production certificate too many times while there are problems with your web server, you will be locked out of making certificate requests for several hours. The --dry-run option is a good way to make sure things are working correctly before you request a production certificate.
Intranet – or Behind the Firewall Certificates
If you have a site that is behind your firewall to be used “internally” only, but still needs a certificate, you will need to be able to update your public DNS immediately.
Execute
certbot --manual --preferred-challenges dns certonly -d somename.internal.mydomain.com
You should get the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for somename.internal.mydomain.com
Performing the following challenges:
dns-01 challenge for somename.internal.mydomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.somename.internal.mydomain.com with the following value:

pnoBrUsxmZItluqGcsTvnkzktO0xPKBRxcyN4Cu6wI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
At this point DON'T press Enter. Using a different computer or session, add the indicated TXT record in your DNS.
Confirm using the dig command (from another computer or bash prompt):
dig @my.public.dns.server +short -t TXT _acme-challenge.somename.internal.mydomain.com
and you should get one line back:
"7pnoBrUsxmZItluqGcsTvnkzktO0xPKBRxcyN4Cu6wI"
If you don't get that line back, confirm your DNS has been updated correctly. Depending on the software/system used by the DNS server it may take a few minutes to update, or you may have typoed something when setting up the DNS TXT record.
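As an added example (not from the original post), the script below automates the dig check described above: it polls the public DNS server until the _acme-challenge TXT record carries the value certbot printed, so you only press Enter once the record is really visible. The parsing is kept in its own function so it can be checked against captured dig output; the nameserver, record name and value in the usage comment are the post's own placeholders.

```shell
#!/bin/bash
# Added example, not part of the original post or of certbot.
# Confirms that the _acme-challenge TXT record is visible on the public
# DNS server before continuing the "certbot --manual" dns-01 challenge.
set -u

# Normalise "dig +short -t TXT" output: drop the surrounding double quotes
# and join quoted fragments (long TXT values are returned as several
# "..." pieces on one line).
parse_txt_answers() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Return 0 if EXPECTED is one of the TXT values in the dig output read
# from stdin. Several records may exist at once (for example while issuing
# certificates for several names in one run), so every line is compared
# in full; a value that merely contains EXPECTED does not count.
txt_contains() {
    expected=$1
    parse_txt_answers | grep -Fqx -- "$expected"
}

# Poll NAMESERVER for the TXT record NAME until it returns EXPECTED.
# Queries the server directly (like the post's dig command) instead of a
# recursive resolver, so negative caching cannot hide a fresh record.
wait_for_txt() {
    nameserver=$1
    name=$2
    expected=$3
    attempts=${4:-20}
    interval=${5:-15}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig "@$nameserver" +short -t TXT "$name" | txt_contains "$expected"; then
            echo "TXT record for $name is live on $nameserver"
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$attempts: record not visible yet, waiting ${interval}s" >&2
        sleep "$interval"
    done
    echo "gave up: $name does not return the expected value on $nameserver" >&2
    return 1
}

# Usage (the post's placeholder names; substitute what certbot printed):
#   wait_for_txt my.public.dns.server \
#       _acme-challenge.somename.internal.mydomain.com \
#       pnoBrUsxmZItluqGcsTvnkzktO0xPKBRxcyN4Cu6wI
```

Let's Encrypt validates against your authoritative servers, so check every authoritative server for the zone, not just the primary: a secondary that has not yet transferred the zone will fail the challenge even when the primary answers correctly.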
Now, go back to where you left off at “Press Enter to Continue” and press Enter.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/somename.internal.mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/somename.internal.mydomain.com/privkey.pem
   Your certificate will expire on 2021-08-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
You have your cert!!!
Renewing the Certificates
The certificates are only good for 90 days, so you need to set up automatic renewal. Create a file named /etc/cron.weekly/certrenew and put the following lines in it. This will renew all certs you have on this system.
#!/bin/bash
/bin/certbot renew
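The cron job above runs silently, so a broken renewal (expired account, changed web root, firewall blocking port 80) only shows up when the site's certificate expires. As an added example (not from the original post or from certbot), the script below is an independent check to run from cron.daily: certbot renew only replaces certificates that are within 30 days of expiry, so on a working system nothing under /etc/letsencrypt/live should ever get closer than that, and any certificate inside the threshold (14 days by default here) means renewal is failing. It assumes GNU date (as on Rocky Linux and CentOS) and the openssl command line tool; the threshold and function names are illustrative.

```shell
#!/bin/bash
# Added example, not part of the original post or of certbot.
# Reports certificates under /etc/letsencrypt/live that are closer to
# expiry than certbot renew should ever allow. Assumes GNU date -d and
# the openssl CLI. Like the post's cron script, the file must be
# executable (chmod +x) for cron.daily to run it.
set -u

# Days from now until the notAfter timestamp printed by
# "openssl x509 -enddate -noout" (e.g. "Aug 24 12:00:00 2021 GMT").
# Negative when the date is already in the past.
days_until() {
    expiry_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Days until the certificate in FILE expires.
cert_days_left() {
    end=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//') || return 1
    days_until "$end"
}

# Check every cert.pem under LIVE_DIR. Returns 0 when all certificates
# have at least MIN_DAYS left, 1 (with one line per offender on stderr)
# otherwise, so cron mails the output only when something is wrong.
check_all() {
    live_dir=${1:-/etc/letsencrypt/live}
    min_days=${2:-14}
    status=0
    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue    # the glob matched nothing
        name=$(basename "$(dirname "$cert")")
        if ! left=$(cert_days_left "$cert"); then
            echo "$name: cannot read certificate" >&2
            status=1
            continue
        fi
        if [ "$left" -lt "$min_days" ]; then
            echo "$name: only $left days left, renewal is not working" >&2
            status=1
        else
            echo "$name: $left days left"
        fi
    done
    return $status
}

# Run the check only when invoked with arguments, e.g. from cron.daily:
#   /usr/local/sbin/check-certs /etc/letsencrypt/live 14
if [ $# -gt 0 ]; then
    check_all "$@"
fi
```

Pair it with the page's cron.weekly job rather than replacing it: the renew script does the work, this one tells you when the work stopped happening.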
Revoke Certificates
certbot revoke --cert-path /etc/letsencrypt/archive/DOMAINNAME/cert1.pem
If the cert is expired, you will have to use the command
certbot delete
and then follow the prompts.