Let's Encrypt: Difference between revisions
(49 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=Internal= | =Internal= | ||
* [[Httpd SSL Configuration]] | * [[Httpd SSL Configuration]] | ||
* [[snapd]] | |||
=Overview= | =Overview= | ||
Let's Encrypt provides free SSL certificates for web sites. The installation of those certificates is performed with [https://certbot.eff.org/pages/about certbot], as described in the [[#Procedure|Procedure]] section below. | Let's Encrypt provides free SSL certificates for web sites. The installation of those certificates is performed with [https://certbot.eff.org/pages/about certbot], as described in the [[#Procedure|Procedure]] section below. | ||
Line 6: | Line 8: | ||
=Procedure= | =Procedure= | ||
==Default Certificate Installation Procedure== | ==Default Certificate Installation Procedure== | ||
* https://certbot.eff.org/instructions?ws=apache&os=centos-7 | |||
Prerequisites: | |||
* ssh access to the machine running the httpd server | |||
* sudo privileges | |||
ssh into the server. | |||
Install and/or update <code>snapd</code> following these instructions: {{Internal|snapd#Installation|snapd Installation}} | |||
Remove certbot-auto and any Certbot OS packages. If there are any Certbot packages installed with an OS package manager like apt, dnf, or yum, they should be removed before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager: | |||
<syntaxhighlight lang='bash'> | |||
sudo yum remove certbot | |||
</syntaxhighlight> | |||
Install certbot with snap. As root: | |||
<syntaxhighlight lang='bash'> | |||
sudo snap install --classic certbot | |||
sudo ln -s /snap/bin/certbot /usr/bin/certbot | |||
</syntaxhighlight> | |||
* <span id='B3tl'></span>Note 12/12/2022: Certbot installation failed like here: https://github.com/certbot/certbot/issues/9503. Installed it with: | |||
<syntaxhighlight lang='bash'> | |||
yum install certbot-apache | |||
</syntaxhighlight> | |||
Make sure that the host we're requesting certificates from is online and accessible over HTTP on port 80. Assuming that we request a certificate for pkb.feodorov.com, add the following virtual host at the end of <code>httpd.conf</code>: | |||
<syntaxhighlight lang='xml'> | |||
<VirtualHost <public-ip>:80> | |||
ServerName pkb.feodorov.com | |||
DocumentRoot "/var/www/unsecure-pkb.feodorov.com" | |||
</VirtualHost> | |||
</syntaxhighlight> | |||
Create <code>/var/www/unsecure-pkb.feodorov.com</code>, make it belong to apache:apache and add a simple <code>index.html</code> with a content similar to: | |||
<syntaxhighlight lang='http'> | |||
Unsecure access required by Let's Encrypt for automatic renewal. | |||
<br> | |||
<br> | |||
Go to <a href='https://kb.novaordis.com'>https://kb.novaordis.com</a> | |||
</syntaxhighlight> | |||
In case a redirect host to 443, like the one below, exist in the SSL configuration, comment it out: | |||
<syntaxhighlight lang='xml'> | |||
#<VirtualHost 104.50.201.83:80> | |||
# ServerName kb.novaordis.com | |||
# Redirect / https://kb.novaordis.com/ | |||
#</VirtualHost> | |||
</syntaxhighlight> | |||
'''DO NOT''' remove this virtual site after installation, it is required in the Let's Encrypt automated renewal process. | |||
03/08/2024 note: The browser seems to redirect to https:// but <code>curl http://kb.novaordis.com</code> does not. | |||
Get and install certificates: | |||
<syntaxhighlight lang='bash'> | |||
sudo certbot --apache | |||
</syntaxhighlight> | |||
==Success Logs== | |||
* [[Let's Encrypt kb.novaordis.com 12/12/2022 Success Log]] | |||
* [[Let's Encrypt pkb.feodorov.con Success Log]] | |||
==Results== | |||
The certificate is installed in <code>/etc/letsencrypt/live/pkb.feodorov.com/fullchain.pem</code> | |||
The private key is installed in <code>/etc/letsencrypt/live/pkb.feodorov.com/privkey.pem</code> | |||
<code>/etc/httpd/conf.d/ssl.conf</code> was changed as follows (the corresponding old directives have been removed): | |||
<syntaxhighlight lang='xml'> | |||
<VirtualHost 104.50.201.84:443> | |||
... | |||
ServerAlias pkb.feodorov.com | |||
SSLCertificateFile /etc/letsencrypt/live/pkb.feodorov.com/cert.pem | |||
SSLCertificateKeyFile /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem | |||
Include /etc/letsencrypt/options-ssl-apache.conf | |||
SSLCertificateChainFile /etc/letsencrypt/live/pkb.feodorov.com/chain.pem | |||
</VirtualHost> | |||
</syntaxhighlight> | |||
Debug log: <code>/var/log/letsencrypt/letsencrypt.log</code>. | |||
==Check Certificate== | |||
To check the certificate works, go with a browser to your web site and inspect the certificate. | |||
==Certificate Renewal== | |||
The pkb.feodorov.com installation procedure configured a "snap.certbot.renew.timer" [[Systemd_Concepts#Timers|systemd timer]] that renews the certificate periodically and that can be listed with: | |||
<syntaxhighlight lang='bash'> | |||
systemctl list-timers | |||
</syntaxhighlight> | |||
The corresponding files were | |||
<code>/etc/systemd/system/snap.certbot.renew.service</code>: | |||
<syntaxhighlight lang='text'> | |||
[Unit] | |||
# Auto-generated, DO NOT EDIT | |||
Description=Service for snap application certbot.renew | |||
Requires=var-lib-snapd-snap-certbot-2582.mount | |||
Wants=network.target | |||
After=var-lib-snapd-snap-certbot-2582.mount network.target snapd.apparmor.service | |||
X-Snappy=yes | |||
[Service] | |||
EnvironmentFile=-/etc/environment | |||
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew | |||
SyslogIdentifier=certbot.renew | |||
Restart=no | |||
WorkingDirectory=/var/snap/certbot/2582 | |||
TimeoutStopSec=30 | |||
Type=oneshot | |||
</syntaxhighlight> | |||
and <code>snap.certbot.renew.timer</code>: | |||
<syntaxhighlight lang='text'> | |||
[Unit] | |||
# Auto-generated, DO NOT EDIT | |||
Description=Timer renew for snap application certbot.renew | |||
Requires=var-lib-snapd-snap-certbot-2582.mount | |||
After=var-lib-snapd-snap-certbot-2582.mount | |||
X-Snappy=yes | |||
[Timer] | |||
Unit=snap.certbot.renew.service | |||
OnCalendar=*-*-* 04:38 | |||
OnCalendar=*-*-* 19:17 | |||
[Install] | |||
WantedBy=timers.target | |||
</syntaxhighlight> | |||
kb.novaordis.com didn't, probably because I did not use the snap-installed certbot. | |||
==Test Automatic Renewal== | |||
<syntaxhighlight lang='bash'> | |||
certbot renew --dry-run | |||
</syntaxhighlight> | |||
==Manual Renewal== | |||
On the machine, as root: | |||
<syntaxhighlight lang='bash'> | |||
certbot renew | |||
</syntaxhighlight> | |||
==Enable Automatic Renewal by Hand== | |||
===Create the Service Unit File=== | |||
<code>/etc/systemd/system/certbot-renewal.service</code> | |||
<syntaxhighlight lang='text'> | |||
[Unit] | |||
Description=Certbot Renewal | |||
[Service] | |||
ExecStart=/usr/bin/certbot renew --post-hook "systemctl restart httpd" | |||
</syntaxhighlight> | |||
For more details about service unit file, see {{Internal|Systemd_Concepts#Service_Unit_File|Service Unit File}} | |||
===Create the Timer Unit File=== | |||
<code>/etc/systemd/system/certbot-renewal.timer</code> | |||
<syntaxhighlight lang='text'> | |||
[Unit] | |||
Description=Timer for Certbot Renewal | |||
[Timer] | |||
OnBootSec=300 | |||
OnUnitActiveSec=1w | |||
[Install] | |||
WantedBy=multi-user.target | |||
</syntaxhighlight> | |||
For more details about timer unit file, see: {{Internal|Systemd_Concepts#Timer_Unit_File|Timer Unit File}} | |||
===Start the Timer=== | |||
<syntaxhighlight lang='bash'> | |||
systemctl start certbot-renewal.timer | |||
</syntaxhighlight> | |||
===Enable the Timer at Boot=== | |||
<syntaxhighlight lang='bash'> | |||
systemctl enable certbot-renewal.timer | |||
</syntaxhighlight> | |||
===Show Status Information about the Timer=== | |||
<syntaxhighlight lang='bash'> | |||
systemctl status certbot-renewal.timer | |||
</syntaxhighlight> | |||
==Wildcard Certificate Installation Procedure== | ==Wildcard Certificate Installation Procedure== | ||
<font color='darkkhaki'>TODO.</font> |
Latest revision as of 03:29, 9 March 2024
Internal
Overview
Let's Encrypt provides free SSL certificates for web sites. The installation of those certificates is performed with certbot, as described in the Procedure section below.
Procedure
Default Certificate Installation Procedure
Prerequisites:
- ssh access to the machine running the httpd server
- sudo privileges
ssh into the server.
Install and/or update snapd
following these instructions:
Remove certbot-auto and any Certbot OS packages. If there are any Certbot packages installed with an OS package manager like apt, dnf, or yum, they should be removed before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager:
sudo yum remove certbot
Install certbot with snap. As root:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
- Note 12/12/2022: Certbot installation failed like here: https://github.com/certbot/certbot/issues/9503. Installed it with:
yum install certbot-apache
Make sure that the host we're requesting certificates from is online and accessible over HTTP on port 80. Assuming that we request a certificate for pkb.feodorov.com, add the following virtual host at the end of httpd.conf
:
<VirtualHost <public-ip>:80>
ServerName pkb.feodorov.com
DocumentRoot "/var/www/unsecure-pkb.feodorov.com"
</VirtualHost>
Create /var/www/unsecure-pkb.feodorov.com
, make it belong to apache:apache and add a simple index.html
with a content similar to:
Unsecure access required by Let's Encrypt for automatic renewal.
<br>
<br>
Go to <a href='https://kb.novaordis.com'>https://kb.novaordis.com</a>
In case a redirect host to 443, like the one below, exist in the SSL configuration, comment it out:
#<VirtualHost 104.50.201.83:80>
# ServerName kb.novaordis.com
# Redirect / https://kb.novaordis.com/
#</VirtualHost>
DO NOT remove this virtual site after installation, it is required in the Let's Encrypt automated renewal process.
03/08/2024 note: The browser seems to redirect to https:// but curl http://kb.novaordis.com
does not.
Get and install certificates:
sudo certbot --apache
Success Logs
Results
The certificate is installed in /etc/letsencrypt/live/pkb.feodorov.com/fullchain.pem
The private key is installed in /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem
/etc/httpd/conf.d/ssl.conf
was changed as follows (the corresponding old directives have been removed):
<VirtualHost 104.50.201.84:443>
...
ServerAlias pkb.feodorov.com
SSLCertificateFile /etc/letsencrypt/live/pkb.feodorov.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/pkb.feodorov.com/chain.pem
</VirtualHost>
Debug log: /var/log/letsencrypt/letsencrypt.log
.
Check Certificate
To check the certificate works, go with a browser to your web site and inspect the certificate.
Certificate Renewal
The pkb.feodorov.com installation procedure configured a "snap.certbot.renew.timer" systemd timer that renews the certificate periodically and that can be listed with:
systemctl list-timers
The corresponding files were
/etc/systemd/system/snap.certbot.renew.service
:
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-2582.mount
Wants=network.target
After=var-lib-snapd-snap-certbot-2582.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/2582
TimeoutStopSec=30
Type=oneshot
and snap.certbot.renew.timer
:
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-2582.mount
After=var-lib-snapd-snap-certbot-2582.mount
X-Snappy=yes
[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 04:38
OnCalendar=*-*-* 19:17
[Install]
WantedBy=timers.target
kb.novaordis.com didn't, probably because I did not use the snap-installed certbot.
Test Automatic Renewal
certbot renew --dry-run
Manual Renewal
On the machine, as root:
certbot renew
Enable Automatic Renewal by Hand
Create the Service Unit File
/etc/systemd/system/certbot-renewal.service
[Unit]
Description=Certbot Renewal
[Service]
ExecStart=/usr/bin/certbot renew --post-hook "systemctl restart httpd"
For more details about service unit file, see
Create the Timer Unit File
/etc/systemd/system/certbot-renewal.timer
[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnBootSec=300
OnUnitActiveSec=1w
[Install]
WantedBy=multi-user.target
For more details about timer unit file, see:
Start the Timer
systemctl start certbot-renewal.timer
Enable the Timer at Boot
systemctl enable certbot-renewal.timer
Show Status Information about the Timer
systemctl status certbot-renewal.timer
Wildcard Certificate Installation Procedure
TODO.