How to set up SSL certificate with Let's Encrypt

From Kolmisoft Wiki
Revision as of 10:10, 6 October 2021 by Gilbertas

About Let's Encrypt

Let's Encrypt provides free, valid SSL certificates.

Before proceeding

To proceed, the following is needed:

  • Domain name pointed to switch IP (it is not possible to create a Let's Encrypt SSL certificate for IP address)
  • Email address to get notifications from Let's Encrypt
  • SSH access to switch server with root privileges

Installation

In the example below, let's assume that the domain name is example.com.

Before installation, it is a good idea to back up the /etc/httpd folder:

cp -a /etc/httpd/ /usr/local/mor/backups/

Method 1 (using yum packages)

Based on this guide

yum install certbot python2-certbot-apache mod_ssl

If there are no errors, run the certbot command (be prepared to answer yes/no questions and enter the domain name(s) and email):

certbot --apache


If the command completes successfully, going to https://example.com/billing should show a secure connection.

If everything is OK, test certificate renewal and install the renewal cron:

certbot renew --dry-run

If successful, it should show at the end:

Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

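Create a cron job to renew certificates automatically (entries in /etc/cron.d need a user field, here root, and stderr is redirected with 2>&1):

echo "20 0,12 * * * root certbot renew > /var/log/certbot_renewal_cron.log 2>&1" > /etc/cron.d/certbot_renewal_cron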
chmod 600 /etc/cron.d/certbot_renewal_cron
service crond restart

This will try to renew the certificate two times every day. Certbot only actually renews a certificate once it is less than 30 days from expiry.
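
A renewal cron can stop working without anyone noticing until the certificate expires. The script below is an added example, not part of the original wiki page: it exits non-zero when the certificate file has fewer days left than a threshold. The 21-day default, the function names and the self-signed sample certificate helper are assumptions for illustration; the live path follows the dry-run output above.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): detect a renewal job that has
# silently stopped working. Certbot renews once fewer than 30 days remain, so
# a certificate with less than MIN_DAYS left (assumed default: 21) means the
# cron or timer is not doing its job.

# check_renewal FILE [MIN_DAYS]
#   0 = valid for at least MIN_DAYS more days
#   1 = expires sooner than that (or has already expired)
#   2 = file missing, unreadable or not a PEM certificate
check_renewal() {
    local cert min_days end
    cert="$1"
    min_days="${2:-21}"
    [ -r "$cert" ] || { echo "UNKNOWN: cannot read $cert" >&2; return 2; }
    # fullchain.pem lists the leaf first; openssl x509 reads only that one
    end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || {
        echo "UNKNOWN: $cert is not a PEM certificate" >&2
        return 2
    }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$(( min_days * 86400 ))" >/dev/null; then
        echo "OK: $cert $end, at least $min_days days left"
        return 0
    fi
    echo "CRITICAL: $cert $end, fewer than $min_days days left" >&2
    return 1
}

# make_sample_cert DAYS OUTFILE
# Constructed test input: a throwaway self-signed certificate valid for DAYS days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=example.com" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# With a domain argument, check certbot's live certificate for it, e.g.
#   ./check_cert.sh example.com 21
if [ "$#" -ge 1 ]; then
    check_renewal "/etc/letsencrypt/live/$1/fullchain.pem" "${2:-21}"
fi
```

Run it from cron or a monitoring agent and alert on a non-zero exit status.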


Method 2 (using snap management system)

To streamline the install process across different Linux distributions, the official Let's Encrypt guide uses the snapd management system. If you want to use snaps, please use this guide:

https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html

With this installation method, automatic renewal is configured automatically (as a systemd timer, not a simple cron):

systemctl list-timers 
NEXT                         LEFT       LAST                         PASSED               UNIT                         ACTIVATES
Tr 2021-10-06 12:42:00 CEST  41min left Tr 2021-10-06 05:11:01 CEST  6h ago               snap.certbot.renew.timer     snap.certbot.renew.service

Logs

Let's Encrypt log:

 /var/log/letsencrypt/letsencrypt.log

Accessing switch without /billing suffix

Follow the guide here

Use https instead of http and domain names instead of 127.0.0.1