How to install certbot [Let's Encrypt] on Rocky Linux 9


Author: Omer Cakmak
Reviewer: Deepak Prasad

Steps to install certbot on Rocky Linux 9

Let's Encrypt is a free, non-profit SSL certificate service supported by the Internet Security Research Group. It is a certificate authority that issues X.509 certificates, and it is designed to automate steps that otherwise require manual work, such as certificate validation, signing, installation and renewal. It has been in service since April 12, 2016.

Other SSL certificates are acquired annually, but a Let's Encrypt certificate is issued for 3 months and automatically renewed every 3 months. Let's Encrypt has gained importance especially since Google started to mark websites without SSL certificates as "Unsafe". No fee is paid for Let's Encrypt certificates.

After the end of life for CentOS, Rocky Linux became available. We will install the necessary packages for Let's Encrypt on Rocky Linux 9.

 

Enable EPEL Repository

We will describe Let's Encrypt for websites served with both Apache and Nginx. For both, the EPEL repo must be activated.

$ sudo dnf install epel-release mod_ssl -y

 

Install certbot and generate certs

Generate certs using certbot for Apache

The certbot tool scans the Apache configuration files on the server and offers to generate certificates for any virtual hosts configured on the system. It then generates the certificate and adds virtual host entries to the Apache configuration for the corresponding websites.

If you are serving your website with Apache, install the following packages:

sudo dnf install certbot python3-certbot-apache -y

The installation of the packages is complete. We will use the certbot command for the Let's Encrypt installation steps. This command can be used in 3 different ways; choose the one you prefer:

  • General/Simple use:  certbot --apache
  • Usage by specifying a website:  certbot --apache -d website.com
  • Multiple websites are written after the command:  certbot --apache -d website.com -d www.website2.com

We proceed with the simple command:

[root@rocky9 foc]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Let's Encrypt will ask for an email address to match the certificate:

Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): foc@golinuxcloud.com

Agree to the Terms of Use:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Would you like to share your email address with the Electronic Frontier Foundation after your first certificate has been successfully issued?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

Enter your website address:

Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.golinuxcloud.com
Requesting a certificate for www.golinuxcloud.com


Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.golinuxcloud.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.golinuxcloud.com/privkey.pem
This certificate expires on 2023-01-13.
These files will be updated when the certificate renews.
Cerbot has set up scheduled task to automatically renew this certificate in the background.

The following console output indicates that it was successfully installed:

Deploying certificate
Successfully depoloyed certificate for www.golinuxcloud.com to /etc/httpd/conf.d/www.golinuxcloud.com-le-ssl.conf
Successfully depoloyed certificate for www.golinuxcloud.com to /etc/httpd/conf.d/www.golinuxcloud.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://www.golinuxcloud.com and https://www.golinuxcloud.com

 

Generate certs using certbot for Nginx

For websites served with Nginx, install the following packages on the system:

$ sudo dnf install -y certbot python3-certbot-nginx

Then you have 3 options to install Let's Encrypt:

  • General/Simple use:  certbot --nginx
  • Usage by specifying a website:  certbot --nginx -d website.com
  • Multiple websites are written after the command:  certbot --nginx -d website.com -d www.website2.com

[foc@rocky9 ~]$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): foc@golinuxcloud.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.golinuxcloud.com
Requesting a certificate for www.golinuxcloud.com

After successful installation, you will receive a message as follows:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.golinuxcloud.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.golinuxcloud.com/privkey.pem
   Your cert will expire on 2023-13-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 

Testing the Let's Encrypt Certificate

We saw on the command line that the certificate installation was successful. You can also view your site's certificate status with a web browser. Open the following address, replacing "your_website" with your own site:

https://www.ssllabs.com/ssltest/analyze.html?d=your_website

 

Certificate Automatic Renewal

As mentioned at the beginning, Let's Encrypt certificates are renewed every 3 months. You can test the renewal process with the following command; with the --dry-run option, certbot simulates the renewal and does not replace the installed certificates:

certbot renew --dry-run

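You can schedule the certificate renewal with a cron task in root's crontab:

sudo crontab -e
# A crontab opened with "crontab -e" has no user column, so the command follows the schedule directly
0 0,12 * * * /usr/bin/certbot renew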

This cron task runs twice a day and checks for sites whose certificates need renewal.
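To confirm that the scheduled renewal is keeping a certificate fresh, the files certbot reported above (fullchain.pem and privkey.pem under /etc/letsencrypt/live/) can be checked with openssl. The following script is an added example, not part of the original article or of certbot; the function names, the 20-day default threshold and the self-signed sample.invalid test certificate are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for one certbot lineage directory,
# e.g. /etc/letsencrypt/live/www.example.com (fullchain.pem + privkey.pem).

# 0 if the leaf certificate in fullchain.pem is still valid DAYS days from now.
cert_valid_for() {      # usage: cert_valid_for DIR DAYS
    openssl x509 -in "$1/fullchain.pem" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 if privkey.pem is the private half of the leaf certificate's public key.
key_matches_cert() {    # usage: key_matches_cert DIR
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if privkey.pem grants nothing to group or others (-L follows the live/ symlink).
key_is_private() {      # usage: key_is_private DIR
    mode=$(stat -L -c '%a' "$1/privkey.pem") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Runs all three checks, prints each failure, returns the number of failures.
check_lineage() {       # usage: check_lineage DIR [MIN_DAYS]
    failures=0
    min_days=${2:-20}   # assumed alert threshold, not a certbot setting
    cert_valid_for "$1" "$min_days" ||
        { echo "EXPIRING: $1/fullchain.pem has under $min_days days left"; failures=$((failures + 1)); }
    key_matches_cert "$1" ||
        { echo "MISMATCH: $1/privkey.pem does not match fullchain.pem"; failures=$((failures + 1)); }
    key_is_private "$1" ||
        { echo "PERMS: $1/privkey.pem is accessible to group or others"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed test data: a self-signed stand-in for a lineage directory.
make_sample_lineage() { # usage: make_sample_lineage DIR DAYS
    mkdir -p "$1" || return 1
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sample.invalid" \
          -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null )
}

# Stand-alone use: ./check_lineage.sh /etc/letsencrypt/live/<domain> [MIN_DAYS]
if [ $# -gt 0 ]; then check_lineage "$@"; fi
```

Run it as root, since the private key is not meant to be readable by other users; a non-zero exit status means at least one check failed.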

 

Delete Certificate

If you want to delete the certificate for any reason:

sudo certbot delete

Or you can perform deletion by giving a specific site address:

sudo certbot delete --cert-name example.com

 

Summary

Many systems no longer accept connections to websites that do not have a certificate. For fast, free and easy certification, Let's Encrypt seems like the best choice. You can get support from the community page for certification problems you encounter.

 


 
