Let's Encrypt: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(28 intermediate revisions by the same user not shown)
Line 28: Line 28:
sudo snap install --classic certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
</syntaxhighlight>
* <span id='B3tl'></span>Note 12/12/2022: Certbot installation failed like here: https://github.com/certbot/certbot/issues/9503. Installed it with:
<syntaxhighlight lang='bash'>
      yum install certbot-apache
</syntaxhighlight>
</syntaxhighlight>


Line 37: Line 42:
</VirtualHost>
</VirtualHost>
</syntaxhighlight>
</syntaxhighlight>
Create <code>/var/www/unsecure-pkb.feodorov.com</code>, make it belong to apache:apache and add a simple <code>index.html</code>.


Get and install certificates:
Create <code>/var/www/unsecure-pkb.feodorov.com</code>, make it belong to apache:apache and add a simple <code>index.html</code> with a content similar to:


<syntaxhighlight lang='bash'>
<syntaxhighlight lang='http'>
sudo certbot --apache
Unsecure access required by Let's Encrypt for automatic renewal.
<br>
<br>
Go to <a href='https://kb.novaordis.com'>https://kb.novaordis.com</a>
</syntaxhighlight>
</syntaxhighlight>


Success log:
In case a redirect host to 443, like the one below, exist in the SSL configuration, comment it out:
<syntaxhighlight lang='text'>
 
[root@pkb ~]# sudo certbot --apache
<syntaxhighlight lang='xml'>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
#<VirtualHost 104.50.201.83:80>
#  ServerName kb.novaordis.com
#    Redirect / https://kb.novaordis.com/
#</VirtualHost>
</syntaxhighlight>


Which names would you like to activate HTTPS for?
'''DO NOT''' remove this virtual site after installation, it is required in the Let's Encrypt automated renewal process.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: pkb.feodorov.com
2: ...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for pkb.feodorov.com


Successfully received certificate.
03/08/2024 note: The browser seems to redirect to https:// but <code>curl http://kb.novaordis.com</code> does not.
Certificate is saved at: /etc/letsencrypt/live/pkb.feodorov.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem
This certificate expires on 2022-02-16.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.


Deploying certificate
Get and install certificates:
Successfully deployed certificate for pkb.feodorov.com to /etc/httpd/conf.d/ssl.conf
Congratulations! You have successfully enabled HTTPS on https://pkb.feodorov.com


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<syntaxhighlight lang='bash'>
If you like Certbot, please consider supporting our work by:
sudo certbot --apache
* Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
* Donating to EFF:                    https://eff.org/donate-le
</syntaxhighlight>
</syntaxhighlight>
==Success Logs==
* [[Let's Encrypt kb.novaordis.com 12/12/2022 Success Log]]
* [[Let's Encrypt pkb.feodorov.con Success Log]]


==Results==
==Results==
Line 96: Line 96:
Debug log: <code>/var/log/letsencrypt/letsencrypt.log</code>.
Debug log: <code>/var/log/letsencrypt/letsencrypt.log</code>.


The installation procedure also configures a "snap.certbot.renew.timer" [[Systemd_Concepts#Timers|systemd timer]] that renews the certificate periodically and that can be listed with:
==Check Certificate==
To check the certificate works, go with a browser to your web site and inspect the certificate.
==Certificate Renewal==
 
The pkb.feodorov.com installation procedure configured a "snap.certbot.renew.timer" [[Systemd_Concepts#Timers|systemd timer]] that renews the certificate periodically and that can be listed with:
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
systemctl list-timers
systemctl list-timers
</syntaxhighlight>
</syntaxhighlight>


<font color=darkgray>Successfully deployed certificate for pkb.feodorov.com to /etc/httpd/conf.d/ssl.conf. How? How can I check it works?</font>
The corresponding files were
 
<code>/etc/systemd/system/snap.certbot.renew.service</code>:
 
<syntaxhighlight lang='text'>
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-2582.mount
Wants=network.target
After=var-lib-snapd-snap-certbot-2582.mount network.target snapd.apparmor.service
X-Snappy=yes
 
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/2582
TimeoutStopSec=30
Type=oneshot
</syntaxhighlight>
 
and <code>snap.certbot.renew.timer</code>:
 
<syntaxhighlight lang='text'>
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-2582.mount
After=var-lib-snapd-snap-certbot-2582.mount
X-Snappy=yes
 
[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 04:38
OnCalendar=*-*-* 19:17
 
[Install]
WantedBy=timers.target
</syntaxhighlight>
 
kb.novaordis.com didn't, probably because I did not use the snap-installed certbot.


==Test Automatic Renewal==
==Test Automatic Renewal==
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
certbot renew --dry-run
certbot renew --dry-run
</syntaxhighlight>
==Manual Renewal==
On the machine, as root:
<syntaxhighlight lang='bash'>
certbot renew
</syntaxhighlight>
==Enable Automatic Renewal by Hand==
===Create the Service Unit File===
<code>/etc/systemd/system/certbot-renewal.service</code>
<syntaxhighlight lang='text'>
[Unit]
Description=Certbot Renewal
[Service]
ExecStart=/usr/bin/certbot renew --post-hook "systemctl restart httpd"
</syntaxhighlight>
For more details about service unit file, see {{Internal|Systemd_Concepts#Service_Unit_File|Service Unit File}}
===Create the Timer Unit File===
<code>/etc/systemd/system/certbot-renewal.timer</code>
<syntaxhighlight lang='text'>
[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnBootSec=300
OnUnitActiveSec=1w
[Install]
WantedBy=multi-user.target
</syntaxhighlight>
</syntaxhighlight>


==Post-Installation==
For more details about timer unit file, see: {{Internal|Systemd_Concepts#Timer_Unit_File|Timer Unit File}}


The HTTP virtual host and HTTP access on 80, including in iptables, can be removed.
===Start the Timer===
<syntaxhighlight lang='bash'>
systemctl start certbot-renewal.timer
</syntaxhighlight>
 
===Enable the Timer at Boot===
<syntaxhighlight lang='bash'>
systemctl enable certbot-renewal.timer
</syntaxhighlight>
===Show Status Information about the Timer===
<syntaxhighlight lang='bash'>
systemctl status certbot-renewal.timer
</syntaxhighlight>


==Wildcard Certificate Installation Procedure==
==Wildcard Certificate Installation Procedure==
<font color='darkkhaki'>TODO.</font>

Latest revision as of 03:29, 9 March 2024

Internal

Overview

Let's Encrypt provides free SSL certificates for web sites. The installation of those certificates is performed with certbot, as described in the Procedure section below.

Procedure

Default Certificate Installation Procedure

Prerequisites:

  • ssh access to the machine running the httpd server
  • sudo privileges

ssh into the server.

Install and/or update snapd following these instructions:

snapd Installation

Remove certbot-auto and any Certbot OS packages. If there are any Certbot packages installed with an OS package manager like apt, dnf, or yum, they should be removed before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager:

sudo yum remove certbot

Install certbot with snap. As root:

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
      yum install certbot-apache

Make sure that the host we're requesting certificates from is online and accessible over HTTP on port 80. Assuming that we request a certificate for pkb.feodorov.com, add the following virtual host at the end of httpd.conf:

<VirtualHost <public-ip>:80>
    ServerName pkb.feodorov.com
    DocumentRoot "/var/www/unsecure-pkb.feodorov.com"
</VirtualHost>

Create /var/www/unsecure-pkb.feodorov.com, make it belong to apache:apache and add a simple index.html with a content similar to:

Unsecure access required by Let's Encrypt for automatic renewal.
<br>
<br>
Go to <a href='https://kb.novaordis.com'>https://kb.novaordis.com</a>

In case a redirect host to 443, like the one below, exist in the SSL configuration, comment it out:

#<VirtualHost 104.50.201.83:80>
#   ServerName kb.novaordis.com
#    Redirect / https://kb.novaordis.com/
#</VirtualHost>

DO NOT remove this virtual site after installation, it is required in the Let's Encrypt automated renewal process.

03/08/2024 note: The browser seems to redirect to https:// but curl http://kb.novaordis.com does not.

Get and install certificates:

sudo certbot --apache

Success Logs

Results

The certificate is installed in /etc/letsencrypt/live/pkb.feodorov.com/fullchain.pem

The private key is installed in /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem

/etc/httpd/conf.d/ssl.conf was changed as follows (the corresponding old directives have been removed):

<VirtualHost 104.50.201.84:443>
 ...
 ServerAlias pkb.feodorov.com
 SSLCertificateFile /etc/letsencrypt/live/pkb.feodorov.com/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/pkb.feodorov.com/privkey.pem
 Include /etc/letsencrypt/options-ssl-apache.conf
 SSLCertificateChainFile /etc/letsencrypt/live/pkb.feodorov.com/chain.pem
</VirtualHost>

Debug log: /var/log/letsencrypt/letsencrypt.log.

Check Certificate

To check the certificate works, go with a browser to your web site and inspect the certificate.

Certificate Renewal

The pkb.feodorov.com installation procedure configured a "snap.certbot.renew.timer" systemd timer that renews the certificate periodically and that can be listed with:

systemctl list-timers

The corresponding files were

/etc/systemd/system/snap.certbot.renew.service:

[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-2582.mount
Wants=network.target
After=var-lib-snapd-snap-certbot-2582.mount network.target snapd.apparmor.service
X-Snappy=yes

[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/2582
TimeoutStopSec=30
Type=oneshot

and snap.certbot.renew.timer:

[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-2582.mount
After=var-lib-snapd-snap-certbot-2582.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 04:38
OnCalendar=*-*-* 19:17

[Install]
WantedBy=timers.target

kb.novaordis.com didn't, probably because I did not use the snap-installed certbot.

Test Automatic Renewal

certbot renew --dry-run

Manual Renewal

On the machine, as root:

certbot renew

Enable Automatic Renewal by Hand

Create the Service Unit File

/etc/systemd/system/certbot-renewal.service

[Unit]
Description=Certbot Renewal

[Service]
ExecStart=/usr/bin/certbot renew --post-hook "systemctl restart httpd"

For more details about service unit file, see

Service Unit File

Create the Timer Unit File

/etc/systemd/system/certbot-renewal.timer

[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1w

[Install]
WantedBy=multi-user.target

For more details about timer unit file, see:

Timer Unit File

Start the Timer

systemctl start certbot-renewal.timer

Enable the Timer at Boot

systemctl enable certbot-renewal.timer

Show Status Information about the Timer

systemctl status certbot-renewal.timer

Wildcard Certificate Installation Procedure

TODO.