Let's Encrypt

From NovaOrdis Knowledge Base
Revision as of 01:36, 18 November 2021 by Ovidiu (talk | contribs) (→‎Results)

Internal

Overview

Let's Encrypt provides free TLS (SSL) certificates for web sites. The certificates are obtained and installed with certbot, as described in the Procedure section below.

Procedure

Default Certificate Installation Procedure

Prerequisites:

  • ssh access to the machine running the httpd server
  • sudo privileges

ssh into the server.

Install and/or update snapd following these instructions:

snapd Installation

Remove certbot-auto and any Certbot OS packages. If any Certbot packages were installed with an OS package manager such as apt, dnf, or yum, remove them before installing the Certbot snap, so that running the command certbot uses the snap rather than the OS package manager's installation:

sudo yum remove certbot

Install certbot with snap. As root:

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Make sure that the host for which we are requesting the certificate is online and reachable over HTTP on port 80: Let's Encrypt validates control of the name by making HTTP requests to it. Assuming that we request a certificate for pkb.feodorov.com, add the following virtual host at the end of httpd.conf:

<VirtualHost <public-ip>:80>
    ServerName pkb.feodorov.com
    DocumentRoot "/var/www/test1"
</VirtualHost>

Create /var/www/test1 and make it owned by apache:apache.

Get and install certificates:

sudo certbot --apache

Success log:

[root@pkb ~]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: pkb.feodorov.com
2: ...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for pkb.feodorov.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pkb.feodorov.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem
This certificate expires on 2022-02-16.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for pkb.feodorov.com to /etc/httpd/conf.d/ssl.conf
Congratulations! You have successfully enabled HTTPS on https://pkb.feodorov.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le

Results

The certificate is installed in /etc/letsencrypt/live/pkb.feodorov.com/fullchain.pem

The private key is installed in /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem

/etc/httpd/conf.d/ssl.conf was changed as follows (the corresponding old directives have been removed):

<VirtualHost 104.50.201.84:443>
 ...
 ServerAlias pkb.feodorov.com
 SSLCertificateFile /etc/letsencrypt/live/pkb.feodorov.com/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem
 Include /etc/letsencrypt/options-ssl-apache.conf
 SSLCertificateChainFile /etc/letsencrypt/live/pkb.feodorov.com/chain.pem
</VirtualHost>

Debug log: /var/log/letsencrypt/letsencrypt.log.

The installation procedure also configures a "snap.certbot.renew.timer" systemd timer that renews the certificate periodically and that can be listed with:

systemctl list-timers

Successfully deployed certificate for pkb.feodorov.com to /etc/httpd/conf.d/ssl.conf. How? How can I check that it works?
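One way to answer that question, as an added example that is not part of the original page: a POSIX shell check over the certbot-managed directory whose layout is shown in the Results section above. It assumes the openssl command-line tool is installed; the directory and host name are arguments, and the sample name is the page's own pkb.feodorov.com.

```shell
#!/bin/sh
# Added example (not part of the original page): post-installation checks for a
# certbot-managed certificate directory laid out as /etc/letsencrypt/live/<name>/.
# Assumes the openssl command-line tool is installed; DIR and NAME are arguments.
#
# Usage: check_cert_dir /etc/letsencrypt/live/pkb.feodorov.com pkb.feodorov.com

# Return 0 when DIR holds a complete, consistent certificate for NAME that is
# not due for renewal; print the first failing check on stderr otherwise.
check_cert_dir() {
    dir=$1
    name=$2

    # 1. certbot writes these four files; ssl.conf above references three of them
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done

    # 2. the leaf certificate must have been issued for NAME, either as the
    #    Subject CN or as a subjectAltName DNS entry (dots escaped for grep -E)
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')
    if ! openssl x509 -noout -text -in "$dir/cert.pem" \
            | grep -Eq "(CN ?= ?|DNS:)${pat}(,|\$)"; then
        echo "$dir/cert.pem was not issued for $name" >&2; return 1
    fi

    # 3. privkey.pem must be the key of cert.pem: compare the public keys, which
    #    both commands print in the same SubjectPublicKeyInfo PEM form
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/cert.pem")
    key_pub=$(openssl pkey -pubout -in "$dir/privkey.pem")
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem in $dir" >&2; return 1
    fi

    # 4. Let's Encrypt certificates are valid for 90 days and certbot renews them
    #    30 days before expiry; less than 30 days left means the renewal timer
    #    is not doing its job
    if ! openssl x509 -noout -checkend $((30 * 24 * 3600)) -in "$dir/cert.pem" >/dev/null; then
        echo "$dir/cert.pem expires within 30 days; check snap.certbot.renew.timer" >&2
        return 1
    fi

    echo "OK: $dir holds a consistent, current certificate for $name"
}
```

On the server itself, `sudo certbot renew --dry-run` additionally exercises the renewal path against the Let's Encrypt staging environment without replacing the live certificate.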

Test Automatic Renewal

Post-Installation

The HTTP virtual host and HTTP access on port 80, including the iptables rule that allows it, can be removed. Note that the renewal certbot schedules for the apache plugin uses the HTTP-01 challenge, which Let's Encrypt performs over port 80, so closing that port means automatic renewal has to be re-tested (for example with certbot renew --dry-run) and, if it fails, another validation method configured.

Wildcard Certificate Installation Procedure