Let's Encrypt

Let's Encrypt is a free, automated certificate authority that issues TLS (SSL) certificates for web sites. Certificates are obtained and installed with certbot, as described in the procedure below.


Default Certificate Installation Procedure


  • ssh access to the machine running the httpd server
  • sudo privileges

ssh into the server.

Install and/or update snapd following these instructions:

snapd Installation

Remove certbot-auto and any Certbot OS packages. If there are any Certbot packages installed with an OS package manager like apt, dnf, or yum, they should be removed before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager:

sudo yum remove certbot

Install certbot with snap and link it into the PATH:

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

The snap bundles the Apache plugin, so the OS package previously installed with yum install certbot-apache is not needed; it should have been removed in the previous step so that the snap is the certbot that runs.

Make sure that the host the certificate is requested for is online and reachable from the Internet over plain HTTP on port 80: Let's Encrypt validates control of the name with an HTTP-01 challenge, which certbot's Apache plugin serves under /.well-known/acme-challenge/ on that port. Assuming that we request a certificate for pkb.feodorov.com, add the following virtual host at the end of httpd.conf:

<VirtualHost <public-ip>:80>
    ServerName pkb.feodorov.com
    DocumentRoot "/var/www/unsecure-pkb.feodorov.com"
</VirtualHost>

Create /var/www/unsecure-pkb.feodorov.com, make it owned by apache:apache, and add a simple index.html with content similar to:

Unsecure access required by Let's Encrypt for automatic renewal.
Go to <a href='https://kb.novaordis.com'>https://kb.novaordis.com</a>

If a virtual host that redirects all HTTP traffic to port 443, like the one below, exists in the SSL configuration, comment the redirect out so that the challenge path stays reachable over plain HTTP:

#   ServerName kb.novaordis.com
#    Redirect / https://kb.novaordis.com/

DO NOT remove this virtual host after installation: automated renewal repeats the HTTP-01 challenge on port 80 and needs it.

Obtain and install the certificate; the Apache plugin answers the challenge and rewrites the SSL configuration in place:

sudo certbot --apache
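The port-80 preparation steps above, collected into a script that also checks the challenge path before certbot is run (an added example, not part of the original page). It creates the document root and virtual host described above, drops a token into /.well-known/acme-challenge/ the way certbot does, and fetches it through the public URL, which is the quickest way to find out that port 80 is firewalled or that a redirect to 443 is still active. The PREFIX argument (used to generate into a scratch directory), the conf.d file name, the function names and the address 203.0.113.10 are assumptions made for this example; on the real host call prepare_http01_vhost with an empty prefix.

```shell
#!/bin/sh
# Added example (not from the original page): prepare the plain-HTTP virtual
# host that certbot's HTTP-01 challenge needs, then probe the challenge path
# before running "certbot --apache". PREFIX is an assumption for testing; on
# a real host leave it empty so files land under /etc/httpd and /var/www.
set -eu

# prepare_http01_vhost DOMAIN PUBLIC_IP [PREFIX]
# Writes the port-80 VirtualHost into conf.d and creates its document root
# with the placeholder page from the procedure. Prints the config file path.
prepare_http01_vhost() {
    domain="$1"; public_ip="$2"; prefix="${3:-}"
    docroot="$prefix/var/www/unsecure-$domain"
    confdir="$prefix/etc/httpd/conf.d"
    mkdir -p "$docroot/.well-known/acme-challenge" "$confdir"
    cat > "$docroot/index.html" <<EOF
Unsecure access required by Let's Encrypt for automatic renewal.
Go to <a href='https://$domain'>https://$domain</a>
EOF
    # The validator sends Host: $domain, so ServerName must match exactly.
    # No Redirect directive here: the challenge must be answered over HTTP.
    cat > "$confdir/$domain-http01.conf" <<EOF
<VirtualHost $public_ip:80>
    ServerName $domain
    DocumentRoot "$docroot"
    <Directory "$docroot/.well-known/acme-challenge">
        Require all granted
    </Directory>
</VirtualHost>
EOF
    # Ownership only matters on the real host (apache user does not exist in a scratch prefix).
    [ -n "$prefix" ] || chown -R apache:apache "$docroot"
    echo "$confdir/$domain-http01.conf"
}

# write_probe_token DOCROOT
# Drops a constructed token file where certbot would place its challenge
# response and prints the token name.
write_probe_token() {
    token="probe-$(date +%s)"
    printf '%s' "$token" > "$1/.well-known/acme-challenge/$token"
    echo "$token"
}

# probe_http01 DOMAIN TOKEN
# Fetches the token over the public URL exactly as the Let's Encrypt validator
# would. Needs network access and a reloaded httpd; not exercised offline.
probe_http01() {
    curl -fsS "http://$1/.well-known/acme-challenge/$2"
}
```

Typical use on the host: prepare_http01_vhost pkb.feodorov.com <public-ip>, systemctl reload httpd, tok=$(write_probe_token /var/www/unsecure-pkb.feodorov.com), then probe_http01 pkb.feodorov.com "$tok" from a machine outside the network; only when that returns the token is it worth running certbot --apache.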

Success Logs


The certificate and its intermediate chain are installed as /etc/letsencrypt/live/pkb.feodorov.com/fullchain.pem (the leaf alone is cert.pem, the chain alone is chain.pem; the live directory holds symlinks to the current versions under /etc/letsencrypt/archive/).

The private key is installed as /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem. It is readable by root only and should stay that way.

/etc/httpd/conf.d/ssl.conf was changed as follows (the corresponding old directives have been removed):

 ServerAlias pkb.feodorov.com
 SSLCertificateFile /etc/letsencrypt/live/pkb.feodorov.com/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem
 Include /etc/letsencrypt/options-ssl-apache.conf
 SSLCertificateChainFile /etc/letsencrypt/live/pkb.feodorov.com/chain.pem

Debug log: /var/log/letsencrypt/letsencrypt.log.

Check Certificate

To check that the certificate works, open the web site in a browser and inspect the certificate it presents: the issuer should be Let's Encrypt, the name should match the site, and the validity period should be 90 days from issuance.
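The same check from the command line with openssl, as an added example that is not part of the original page. check_remote fetches the chain the server actually sends (with SNI, so the right virtual host answers), verifies it against the system trust store and prints the leaf's issuer, dates and names; cert_valid_for_days and cert_sans work on a PEM file such as /etc/letsencrypt/live/<domain>/fullchain.pem and need no network. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): verify the served certificate
# with openssl instead of a browser. check_remote needs network access; the
# two file-based helpers are what can be exercised offline.
set -eu

# cert_valid_for_days PEMFILE DAYS
# Succeeds when the certificate is still valid DAYS days from now. certbot
# renews once fewer than 30 days remain, so "cert_valid_for_days f 30" failing
# on a live site means renewal is overdue.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_sans PEMFILE
# Prints the DNS names in subjectAltName, one per line (browsers ignore the CN).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_remote HOST [PORT]
# Talks TLS to the server with SNI, keeps the chain it sent, and reports the
# verification result plus the leaf's issuer, validity window and names.
check_remote() {
    host="$1"; port="${2:-443}"
    chain=$(mktemp)
    # </dev/null closes stdin so s_client exits right after the handshake.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$chain"
    grep 'Verify return code' "$chain"      # "0 (ok)" means the chain validates
    openssl x509 -in "$chain" -noout -issuer -dates   # first PEM block = leaf
    cert_sans "$chain"
    if cert_valid_for_days "$chain" 30; then
        echo "more than 30 days left; certbot will not renew yet"
    else
        echo "fewer than 30 days left; renewal is due"
    fi
    rm -f "$chain"
}
```

On the host, check_remote pkb.feodorov.com should print "Verify return code: 0 (ok)", an issuer containing "Let's Encrypt", notBefore/notAfter 90 days apart, and the site name among the SANs. A non-zero verify code with a correct leaf usually means chain.pem is not being served (see the SSLCertificateChainFile line above).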

Certificate Renewal

The pkb.feodorov.com installation procedure configured a snap.certbot.renew.timer systemd timer that runs certbot renew twice a day; certbot only renews a certificate that is within 30 days of expiry, so most runs change nothing. The timer can be listed with:

systemctl list-timers

The corresponding unit files were (excerpts):

snap.certbot.renew.service:

# Auto-generated, DO NOT EDIT
[Unit]
Description=Service for snap application certbot.renew
After=var-lib-snapd-snap-certbot-2582.mount network.target snapd.apparmor.service

[Service]
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew

and snap.certbot.renew.timer:

# Auto-generated, DO NOT EDIT
[Unit]
Description=Timer renew for snap application certbot.renew

[Timer]
OnCalendar=*-*-* 04:38
OnCalendar=*-*-* 19:17


The kb.novaordis.com installation didn't, probably because I did not use the snap-installed certbot.

Test Automatic Renewal

As root, run a dry run; it goes through the whole challenge against the Let's Encrypt staging environment without issuing a certificate or counting against rate limits:

certbot renew --dry-run

Manual Renewal

On the machine, as root:

certbot renew

Enable Automatic Renewal by Hand

Create the Service Unit File


[Unit]
Description=Certbot Renewal

[Service]
ExecStart=/usr/bin/certbot renew --post-hook "systemctl restart httpd"

For more details about service unit files, see

Service Unit File

Create the Timer Unit File

For more details about timer unit files, see

Timer Unit File
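Both unit files written and enabled by one script, as an added example that is not part of the original page; it is only needed on a host where certbot was not installed from the snap and so has no snap.certbot.renew.timer. It reuses the snap timer's two daily run times shown above and swaps the page's --post-hook "systemctl restart httpd" for --deploy-hook "systemctl reload httpd": a post-hook runs after every renewal attempt, including the twice-daily runs that renew nothing, while a deploy-hook runs only when a certificate was actually renewed, and a reload does not drop open connections. The unit names certbot-renew.service/.timer, the UNIT_DIR argument and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): create certbot-renew.service and
# certbot-renew.timer by hand and enable the timer. UNIT_DIR is an assumption
# so the units can be generated into a scratch directory for inspection; on
# the real host pass /etc/systemd/system.
set -eu

# write_renew_units UNIT_DIR
# Writes the service (one-shot certbot renew) and the timer that triggers it.
write_renew_units() {
    unit_dir="$1"
    mkdir -p "$unit_dir"
    # --deploy-hook fires only when a certificate was actually renewed, so
    # httpd is left alone on the runs that change nothing; "reload" keeps
    # existing connections open, use "restart" only if the site needs it.
    cat > "$unit_dir/certbot-renew.service" <<'EOF'
[Unit]
Description=Certbot Renewal
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload httpd"
EOF
    # Same two daily run times as the snap timer above. RandomizedDelaySec
    # spreads many hosts' requests out instead of hitting the CA at the same
    # minute; Persistent=true runs a missed trigger after downtime.
    cat > "$unit_dir/certbot-renew.timer" <<'EOF'
[Unit]
Description=Run certbot renew twice a day

[Timer]
OnCalendar=*-*-* 04:38
OnCalendar=*-*-* 19:17
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# enable_renew_timer
# Activates the timer on the real host (root, systemd); not run offline.
enable_renew_timer() {
    systemctl daemon-reload
    systemctl enable --now certbot-renew.timer
    systemctl list-timers certbot-renew.timer
}
```

After write_renew_units /etc/systemd/system and enable_renew_timer, systemctl list-timers shows the next trigger time; certbot renew --dry-run remains the way to prove the challenge itself still works, since the timer only proves that certbot gets invoked.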

Wildcard Certificate Installation Procedure