Let's Encrypt: Difference between revisions
Revision as of 04:37, 13 December 2022
Internal
Overview
Let's Encrypt provides free TLS (SSL) certificates for web sites. Obtaining and installing them is automated with certbot, an ACME client, as described in the Procedure section below.
Procedure
Default Certificate Installation Procedure
Prerequisites:
- ssh access to the machine running the httpd server
- sudo privileges
ssh into the server.
Install and/or update snapd, following the snapd instructions for the distribution, then:
Remove certbot-auto and any Certbot OS packages. If there are any Certbot packages installed with an OS package manager like apt, dnf, or yum, they should be removed before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager:
sudo yum remove certbot
Install certbot with snap. As root:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
- Note 12/12/2022: the certbot installation failed as described in https://github.com/certbot/certbot/issues/9503. Installed it with:
yum install certbot-apache
Make sure that the host we are requesting a certificate for is online and reachable over plain HTTP on port 80: certbot's Apache plugin proves control of the name with the HTTP-01 challenge, which Let's Encrypt checks on port 80. Assuming that we request a certificate for pkb.feodorov.com, add the following virtual host at the end of httpd.conf:
<VirtualHost <public-ip>:80>
ServerName pkb.feodorov.com
DocumentRoot "/var/www/unsecure-pkb.feodorov.com"
</VirtualHost>
Create /var/www/unsecure-pkb.feodorov.com, make it owned by apache:apache and add a simple index.html with content similar to:
Unsecure access required by Let's Encrypt for automatic renewal.
<br>
<br>
Go to <a href='https://kb.novaordis.com'>https://kb.novaordis.com</a>
If a redirect of the port-80 host to 443, like the one below, exists in the SSL configuration, comment it out while certbot runs. (Let's Encrypt's HTTP-01 validation does follow redirects, including to HTTPS, so the redirect only breaks validation when the HTTPS side cannot serve /.well-known/acme-challenge/; commenting it out for the certbot run is the simplest way to rule that out.)
#<VirtualHost 104.50.201.83:80>
# ServerName kb.novaordis.com
# Redirect / https://kb.novaordis.com/
#</VirtualHost>
DO NOT remove this virtual host after installation: automated renewal repeats the same HTTP-01 challenge on port 80, and without it renewals will fail.
Get and install certificates:
sudo certbot --apache
Success Logs
- [Let's Encrypt kb.novaordis.com 12/12/2022 Success Log]
- [Let's Encrypt pkb.feodorov.con Success Log]
Results
The certificate, followed by the intermediate chain, is installed in /etc/letsencrypt/live/pkb.feodorov.com/fullchain.pem (cert.pem holds the leaf certificate alone, chain.pem the intermediates).
The private key is installed in /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem. The files under live/ are symlinks to the current versions in /etc/letsencrypt/archive/; both directories are root-only, and the private key must stay that way.
/etc/httpd/conf.d/ssl.conf was changed as follows (the corresponding old directives have been removed). SSLCertificateChainFile is deprecated since Apache 2.4.8; on those versions SSLCertificateFile can point at fullchain.pem instead, which carries the chain:
<VirtualHost 104.50.201.84:443>
...
ServerAlias pkb.feodorov.com
SSLCertificateFile /etc/letsencrypt/live/pkb.feodorov.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/pkb.feodorov.com/chain.pem
</VirtualHost>
Debug log: /var/log/letsencrypt/letsencrypt.log.
The snap installation procedure also configures a "snap.certbot.renew.timer" systemd timer that runs certbot renew periodically. When certbot comes from the OS package instead (the yum install certbot-apache fallback above), the timer is named "certbot-renew.timer" and may need to be enabled. Either way, confirm that a renewal timer is present and active with:
systemctl list-timers
certbot reported "Successfully deployed certificate for pkb.feodorov.com to /etc/httpd/conf.d/ssl.conf". How? How can I check that it works?
Test Automatic Renewal
certbot renew --dry-run
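One way to answer the "how can I check that it works?" question above, as an added example that is not part of the original page or of certbot: the script below connects to the host on port 443 with full chain verification against the system trust store (so a missing chain.pem shows up as a verification error, as it would in a browser), confirms that the served certificate's SAN list covers the host name, and reports how many days remain before notAfter, flagging anything under 30 days because the renewal timer should have acted by then. Only the Python standard library is used. The default host name pkb.feodorov.com is the one from the page; the 30-day threshold, the function names and the sample certificate dicts are this example's own assumptions.

```python
"""Check that the certificate certbot deployed is what the server serves,
that it covers the host name, and how long it has left before renewal is due.

Added example, not part of the original page or of certbot. Standard library only.
The default host name pkb.feodorov.com is taken from the page; RENEW_WARN_DAYS
and all function names are this example's own choices.
"""
import socket
import ssl
import sys
import time
from typing import List, Optional

# certbot renews once fewer than 30 days remain (its default), so anything
# below that means the renewal timer has not done its job.
RENEW_WARN_DAYS = 30


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS entry in the certificate's SAN list.

    Mirrors what browsers and ACME clients accept: an exact match, or a single
    leading wildcard label (*.feodorov.com covers pkb.feodorov.com but neither
    feodorov.com nor a.b.feodorov.com). The CN is ignored, as browsers ignore it.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san = value.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # ".feodorov.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def not_after_seconds(cert: dict) -> float:
    """notAfter as Unix time; getpeercert() gives it as e.g. 'Mar 13 04:37:00 2023 GMT'."""
    return float(ssl.cert_time_to_seconds(cert["notAfter"]))


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left on the certificate (negative once it has expired)."""
    now = time.time() if now is None else now
    return (not_after_seconds(cert) - now) / 86400.0


def assess(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means the deployment looks right.

    The name check is repeated here (the TLS handshake below also enforces it)
    so that a stored getpeercert()-style dict can be assessed offline.
    """
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    left = days_until_expiry(cert, now)
    if left < 0:
        problems.append(f"certificate expired {-left:.1f} days ago")
    elif left < RENEW_WARN_DAYS:
        problems.append(f"only {left:.1f} days left; renewal should already have run")
    return problems


def fetch_cert(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Fetch the served certificate with full chain and host name verification
    against the system trust store. A missing intermediate (chain.pem not
    configured) raises ssl.SSLCertVerificationError, as a browser would fail."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "pkb.feodorov.com"
    try:
        served = fetch_cert(name)
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"chain verification failed for {name}: {exc.verify_message}")
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = dict(pair for rdn in served.get("issuer", ()) for pair in rdn)
    print(f"{name}: issuer={issuer.get('organizationName')!r} expires={served['notAfter']}")
    issues = assess(served, name)
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

Run it as python3 check_cert.py pkb.feodorov.com; a non-zero exit means a problem was found, so the same script can be scheduled from cron or a systemd timer as an independent watchdog on the certbot renewal timer. The assessment logic is kept apart from the network fetch so it can be exercised against a constructed getpeercert()-style dict without a live server.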
Wildcard Certificate Installation Procedure
TODO.