Let’s Encrypt is a fantastic project put together by the non-profit Internet Security Research Group (ISRG). It is a flexible tool for setting up SSL certificates for your web sites.
To install on Rocky Linux 8 execute:
yum -y install epel-release yum -y install httpd mod_ssl certbot
To install on Centos 7 execute:
yum -y install epel-release yum -y install httpd mod_ssl python-certbot-apache
There are many ways to generate certificates for your web sites. My preferred method is to execute the following command on my web server. The following will create a cert for a web site with the names “www.mydomain.com” and “mydomain.com” If you have additional domain/site names for the web site, add them by putting in additional “-d www.domainname.com” entries onto the end of the command below. If the web site is in the home directory, update /var/www/html to point to the correct directory
certbot certonly --agree-tos --webroot --webroot-path /var/www/html --email email@example.com -d www.mydomain.com -d mydomain.com
Follow the prompts given.
When it is done, add the following lines to your configuration file for your web server. Replace www.mydomain.com with the correct name for your web server
SSLEngine on SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem SSLCACertificateFile /etc/letsencrypt/live/www.mydomain.com/chain.pem
(I am going to assume you are familiar with how to set up apache to use SSL certs. If you are not, then you need to stop and go read up on that as the above lines are not the only things you need to set up a secure web site)
If you are note sure if your web server is set up correctly or this is not a production server add
to the “certbot certonly” command above to get a test certificate.
Important note: If you request a production certificate too many times with problems with your web server you will be locked out of making certificate requests for several hours. the –dry-run option is a good way to make sure things are working correctly before you request a production certificate.
Intranet – or Behind the Firewall Certificates
If you have a site that is behind your firewall to be used “internally” only – but need a certificate, you will need to be able to update your public dns on an immediate basis.
certbot --manual --preferred-challenges dns certonly -d somename.internal.mydomain.com
You should get the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Requesting a certificate for somename.internal.mydomain.com Performing the following challenges: dns-01 challenge for somename.internal.mydomain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.somename.internal.mydomain.com with the following value: pnoBrUsxmZItluqGcsTvnkzktO0xPKBRxcyN4Cu6wI Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
At this point DONT press enter – using a different computer or session add the indicated TXT record in your dns.
Confirm using the dig command (via another computer or bash prompt)
dig @my.public.dns.server +short -t TXT _acme-challenge.somename.internal.mydomain.com
and you should get one line back:
If you dont get that line back – confirm your dns has been updated correctly. Depending on the software/system that is being used by the DNS server it may take a few minutes to update. Or, you typoed something in setting up the dns TXT
Now, go back to where you left off with “Press Enter To Continue” and press enter now
Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/somename.internal.mydomain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/somename.internal.mydomain.com/privkey.pem Your certificate will expire on 2021-08-24. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
You have your cert!!!
Renewing the Certificates
The certificates are only good for 90 days so you need to set up to update the certificates. Create a file named /etc/cron.weekly/certrenew and put the following lines in it. This will renew all certs you have on this system
#!/bin/bash /bin/certbot renew
certbot revoke --cert-path /etc/letsencrypt/archive/DOMAINNAME/cert1.pem
If the cert is expired you will have to use the command
then follow the prompts