How to set up SSL certificate with Let's Encrypt
About Let's Encrypt
Let's Encrypt provides free valid SSL certificates
Before proceeding
To proceed, the following is needed:
- A domain name pointing to the switch's IP address (Let's Encrypt does not issue certificates for bare IP addresses)
- An email address for notifications from Let's Encrypt
- SSH access to the switch server with root privileges
Installation
In the examples below the domain name is assumed to be example.com
Before installation, it is a good idea to back up the /etc/httpd folder:
cp -a /etc/httpd/ /usr/local/mor/backups/
Method 1 (using yum packages)
Based on this guide
yum install certbot python2-certbot-apache mod_ssl
If the installation completes without errors, run the certbot command (be prepared to answer yes/no questions and to enter the domain name(s) and email address):
certbot --apache
If the command completes successfully, opening https://example.com/billing should show a secure connection.
If everything is OK, test certificate renewal and install the renewal cron job:
certbot renew --dry-run
If successful, the output should end with:
Congratulations, all simulated renewals succeeded: /etc/letsencrypt/live/example.com/fullchain.pem (success)
Create a cron job to renew certificates automatically (files in /etc/cron.d need the user field, here root, and stderr is redirected with 2>&1):
echo "20 0,12 * * * root certbot renew > /var/log/certbot_renewal_cron.log 2>&1" > /etc/cron.d/certbot_renewal_cron
chmod 600 /etc/cron.d/certbot_renewal_cron
service crond restart
This attempts renewal twice a day. Certbot only actually renews a certificate once fewer than 30 days remain before it expires.
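The renewal cron job fails silently if certbot breaks or the log is never read, so a check that reads the live certificate's expiry is the quickest way to confirm it is working. The script below is an added example, not part of the original guide or of the switch software: it connects to the switch over HTTPS, reads the certificate's notAfter field and reports the days left. Since certbot renews once fewer than 30 days remain, a live certificate noticeably below that means automatic renewal has stopped. The hostname is taken from the command line, the port 443 and the 28-day alert threshold are assumptions.

```python
"""Check how many days the switch's Let's Encrypt certificate has left."""
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

# Certbot renews once fewer than 30 days remain; a live certificate well
# below that means the renewal cron is not working. The 28-day alert
# threshold is an assumption for this example, not a certbot setting.
RENEWAL_WINDOW_DAYS = 30
ALERT_THRESHOLD_DAYS = 28


def parse_cert_time(value: str) -> int:
    """Parse OpenSSL's notAfter text (e.g. 'Oct  6 12:42:00 2021 GMT') to UTC epoch seconds."""
    return ssl.cert_time_to_seconds(value)


def days_remaining(not_after: str, now: Optional[float] = None) -> int:
    """Whole days until the certificate expires; negative once it has expired."""
    if now is None:
        now = time.time()
    return int((parse_cert_time(not_after) - now) // 86400)


def renewal_overdue(days: int, threshold: int = ALERT_THRESHOLD_DAYS) -> bool:
    """True when certbot should already have renewed but evidently has not."""
    return days < threshold


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Read the server certificate's notAfter field over a verified TLS connection."""
    ctx = ssl.create_default_context()  # verifies the chain against system CAs
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host: str) -> Tuple[str, int, bool]:
    """Return (notAfter, days left, overdue flag) for the given host."""
    not_after = fetch_not_after(host)
    days = days_remaining(not_after)
    return not_after, days, renewal_overdue(days)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    try:
        not_after, days, overdue = check(host)
    except ssl.SSLError as exc:
        # An expired or otherwise untrusted certificate fails the handshake
        # itself, which is already the failure we are looking for.
        print(f"{host}: TLS verification failed: {exc}")
        sys.exit(2)
    print(f"{host}: certificate expires {not_after} ({days} days left)")
    if overdue:
        print("WARNING: below the renewal window; check 'certbot renew' and the cron log")
        sys.exit(1)
```

Run it as `python3 check_cert.py example.com` from cron or a monitoring host; exit code 1 means renewal is overdue and exit code 2 means the handshake failed outright.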
Method 2 (using snap management system)
To streamline the installation process across different Linux distributions, the official Let's Encrypt guide uses the snapd package management system. If you want to use snaps, follow this guide:
https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html
With this installation method, automatic renewal is configured for you (as a systemd timer, not a simple cron job):
systemctl list-timers
NEXT                         LEFT        LAST                         PASSED  UNIT                      ACTIVATES
Tr 2021-10-06 12:42:00 CEST  41min left  Tr 2021-10-06 05:11:01 CEST  6h ago  snap.certbot.renew.timer  snap.certbot.renew.service
Logs
Let's Encrypt log:
/var/log/letsencrypt/letsencrypt.log
Accessing the switch without the /billing suffix
Follow the guide here
Use https instead of http, and the domain name instead of 127.0.0.1.