How to set up SSL certificate with Let's Encrypt

From Kolmisoft Wiki
Jump to navigationJump to search

About Let's Encrypt

Let's Encrypt provides free valid SSL certificates


Before proceeding

To proceed the following is needed:

  • Domain name pointed to switch IP (it is not possible to create a Let's Encrypt SSL certificate for IP address)
  • Email address to get notifications from Let's Encrypt
  • SSH access to the server with root privileges



Make sure that firewalls are not blocking the following domains used for the creation and update of certificates:

acme-v01.api.letsencrypt.org

acme-staging.api.letsencrypt.org

acme-v02.api.letsencrypt.org

acme-staging-v02.api.letsencrypt.org

Installation

In the example below let's assume that the domain name is example.com

Before installation, it is a good idea to backup /etc/httpd folder

cp -a /etc/httpd/ /usr/local/mor/backups/



Method 1 (using yum packages)

Based on this guide

yum install certbot python2-certbot-apache mod_ssl

if installation is completed without errors, run certbot command (prepare to answer yes/no questions and enter the domain name(s) and email)

certbot --apache 


If the command is completed successfully, going to https://example.com/billing should show a secure connection

if everything is OK, test certificate renewal and install renewal cron

certbot renew --dry-run

If successful it should show at the end

Congratulations, all simulated renewals succeeded: 
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Create a cron to renew certificates automatically

echo "20 0,12 * * * root /usr/sbin/iptables -D MOR-BLOCKED-COUNTRIES -m set --match-set mor_us_ips src -j DROP && /usr/bin/certbot renew" > /etc/cron.d/certbot_renewal_cron
chmod 644 /etc/cron.d/certbot_renewal_cron
service crond restart

This will try to renew the certificate two times every day. Certbot will try to actually renew certificates once the expiration day will be less than 30 days


If you get an error:

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

That means there is a problem with <VirtualHost *:80> configuration in /etc/httpd/httpd.conf

Check with:

apachectl -t -D DUMP_VHOSTS


NOTE: this procedure overwrites /usr/lib/systemd/system/httpd.service

Check with:

grep -i private /usr/lib/systemd/system/httpd.service

If you see PrivateTmp=true and need false, do:

sed -i "s|PrivateTmp=true\+|PrivateTmp=false|g" /usr/lib/systemd/system/httpd.service
systemctl daemon-reload && systemctl restart httpd.service





Method 2 (using snap management system)

To streamline the install process across different Linux Distributions, the Let's Encrypt official guide use snapd management system

If you want to use snaps, please use this guide:

https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html

Using this installation method, automatic renewal will be configured automatically (it will be systemd timer, not a simple cron)

systemctl list-timers 
NEXT                         LEFT       LAST                         PASSED               UNIT                         ACTIVATES
Tr 2021-10-06 12:42:00 CEST  41min left Tr 2021-10-06 05:11:01 CEST  6h ago               snap.certbot.renew.timer     snap.certbot.renew.service



Logs

Let's encrypt log

 /var/log/letsencrypt/letsencrypt.log



Accessing switch without /billing suffix

Follow the guide here

Use https instead of http and domain names instead of 127.0.0.1