Steps to install certbot on Rocky Linux 9?
Let's Encrypt is a free, automated and open certificate authority run by the non-profit Internet Security Research Group (ISRG). It issues domain-validated X.509 certificates over the ACME protocol, which automates the steps that used to be done by hand: proving control of the domain, issuance, installation in the web server and renewal. It has been in general availability since April 12, 2016.
Commercially issued TLS certificates are usually bought for a year at a time; a Let's Encrypt certificate is valid for 90 days, and the certbot client renews it automatically once fewer than 30 days remain. Having a certificate has become more pressing since Google Chrome started to label plain-HTTP sites "Not secure". Let's Encrypt charges nothing for its certificates.
After CentOS Linux reached end of life, Rocky Linux became available as a downstream rebuild of Red Hat Enterprise Linux. We will install the packages needed for Let's Encrypt on Rocky Linux 9.
Enable EPEL Repository
We will describe Let's Encrypt for websites served with either Apache or Nginx. In both cases the EPEL repository must be enabled, because certbot and its web server plugins are packaged there rather than in the base Rocky Linux 9 repositories. The mod_ssl package is only needed for Apache (the certbot Apache plugin requires it); Nginx users can leave it out.
$ sudo dnf install epel-release mod_ssl -y
Install certbot and generate certs
Generate certs using certbot for Apache
The certbot Apache plugin scans the Apache configuration on the server and offers to issue certificates for the virtual hosts it finds. When you pass names with -d, it matches them against the ServerName and ServerAlias directives of the existing VirtualHost blocks, so make sure a VirtualHost for the site exists before you run it. It then obtains the certificate, writes a separate TLS virtual host for the site (a *-le-ssl.conf file under /etc/httpd/conf.d/) and optionally adds a redirect from HTTP to HTTPS.
If you are serving your website with Apache, install the following packages:
sudo dnf install certbot python3-certbot-apache -y
The packages are installed. The rest of the Let's Encrypt setup is done with the certbot command, which must run as root (use sudo). Domain validation uses the HTTP-01 challenge, so every name you request must resolve to this server in public DNS and port 80 must be reachable from the internet. The command can be used in three ways; pick the one that fits:
- General/Simple use: certbot --apache
- Usage by specifying a website: certbot --apache -d website.com
- Multiple websites are written after the command: certbot --apache -d website.com -d www.website2.com
We proceed with the simple command:
[root@rocky9 foc]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot first asks for an e-mail address to attach to the ACME account; Let's Encrypt uses it for expiry warnings and security notices:
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): foc@golinuxcloud.com
Agree to the Terms of Service:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Choose whether to share your e-mail address with the Electronic Frontier Foundation; this is optional:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Enter the domain name(s) the certificate should cover:
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.golinuxcloud.com
Requesting a certificate for www.golinuxcloud.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.golinuxcloud.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.golinuxcloud.com/privkey.pem
This certificate expires on 2023-01-13.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
The following output shows certbot writing the TLS virtual host into the Apache configuration:
Deploying certificate
Successfully deployed certificate for www.golinuxcloud.com to /etc/httpd/conf.d/www.golinuxcloud.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://www.golinuxcloud.com
Generate certs using certbot for Nginx
If you serve your website with Nginx, install these packages instead:
$ sudo dnf install -y certbot python3-certbot-nginx
The same three ways of invoking certbot apply, with the nginx plugin:
- General/Simple use: certbot --nginx
- Usage by specifying a website: certbot --nginx -d website.com
- Multiple websites are written after the command: certbot --nginx -d website.com -d www.website2.com
[foc@rocky9 ~]$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): foc@golinuxcloud.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.golinuxcloud.com
Requesting a certificate for www.golinuxcloud.com
After the certificate has been issued and installed, you will see a message like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.golinuxcloud.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.golinuxcloud.com/privkey.pem
Your cert will expire on 2023-01-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
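Both plugins above pick the virtual host to modify by matching the names you request against Apache's ServerName/ServerAlias or Nginx's server_name directives, so it pays to confirm a name is actually declared before running certbot with -d. The script below is an added example and is not part of the original article or of certbot itself; it extracts the declared names from configuration files and checks a domain against them. The file names and the two sample configurations it creates are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or from certbot: check that a
# domain is declared in a web server virtual host before running
# "certbot --apache -d DOMAIN" or "certbot --nginx -d DOMAIN". Both plugins pick
# the vhost to modify by matching the requested names against Apache's
# ServerName/ServerAlias or Nginx's server_name; a name declared nowhere leaves
# certbot with no vhost to install into.
set -u

# apache_names CONF... -> declared hostnames, one per line, lower-cased, port stripped.
apache_names() {
    sed 's/#.*//' "$@" | awk '
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) { n = $i; sub(/:[0-9]+$/, "", n); print tolower(n) }
        }'
}

# nginx_names CONF... -> hostnames from server_name directives, one per line.
nginx_names() {
    sed 's/#.*//' "$@" | awk '
        $1 == "server_name" {
            for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n != "") print tolower(n) }
        }'
}

# config_serves_domain apache|nginx DOMAIN CONF... -> exit 0 if DOMAIN is declared.
config_serves_domain() {
    local server=$1 domain=$2 names
    shift 2
    domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    case $server in
        apache) names=$(apache_names "$@") ;;
        nginx)  names=$(nginx_names "$@") ;;
        *) echo "unknown server type: $server (expected apache or nginx)" >&2; return 2 ;;
    esac
    printf '%s\n' "$names" | grep -Fxq -- "$domain"
}

# write_samples DIR: constructed sample configurations used only for the demo
# (not real files from any server).
write_samples() {
    local dir=$1
    mkdir -p "$dir"
    cat > "$dir/www.example.com.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com:80
    ServerAlias example.com
    DocumentRoot /var/www/www.example.com
</VirtualHost>
EOF
    cat > "$dir/blog.conf" <<'EOF'
server {
    listen 80;
    server_name blog.example.com www.blog.example.com;
    root /usr/share/nginx/html;
}
EOF
}

# Usage: ./vhost_check.sh apache|nginx DOMAIN CONF...
#   e.g. ./vhost_check.sh apache www.example.com /etc/httpd/conf.d/*.conf
# With no arguments, run against the constructed samples instead.
if [ $# -ge 3 ]; then
    if config_serves_domain "$@"; then
        echo "$2 is declared in the $1 configuration; certbot --$1 -d $2 can install into it"
    else
        echo "$2 is not declared in the $1 configuration; add it to ServerName/ServerAlias or server_name first" >&2
        exit 1
    fi
elif [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    write_samples "$demo"
    for name in www.example.com example.com blog.example.com; do
        if config_serves_domain apache "$name" "$demo/www.example.com.conf"; then
            echo "apache: $name declared"
        else
            echo "apache: $name NOT declared"
        fi
    done
    rm -rf "$demo"
fi
```

Run it with the plugin name, the domain and the configuration files certbot will see (for Apache, everything under /etc/httpd/conf.d/; for Nginx, /etc/nginx/nginx.conf and /etc/nginx/conf.d/*.conf). A non-zero exit means certbot would have nothing to match against, which is the moment to add the ServerName or server_name rather than after a failed issuance attempt.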
Testing the Let's Encrypt Certificate
The command-line output already confirmed that the certificate was issued and installed. You can also check what a browser sees by having Qualys SSL Labs test the site's certificate chain and TLS configuration from outside; replace your_website with your own host name:
https://www.ssllabs.com/ssltest/analyze.html?d=your_website
Certificate Automatic Renewal
As noted at the beginning, Let's Encrypt certificates are valid for 90 days. Renewal is done by certbot renew, which looks at every certificate under /etc/letsencrypt, renews only those with fewer than 30 days of validity left, and then reloads the web server through the apache or nginx plugin. Before relying on automation, test the renewal path with a dry run; this talks to the Let's Encrypt staging environment and saves nothing to disk, so it neither touches your live certificate nor counts against the production rate limits:
certbot renew --dry-run
The EPEL certbot package ships a systemd timer for the real renewal. Check it with systemctl list-timers 'certbot*' and, if it is not active, enable it with systemctl enable --now certbot-renew.timer. If you prefer cron instead, run crontab -e as root and add:
0 0,12 * * * /usr/bin/certbot renew --quiet
Do not include a user-name column here: that field exists only in /etc/crontab and in files under /etc/cron.d/, and in a per-user crontab it would be read as the command to run. Either way the check runs twice a day and only renews certificates that are due. Any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ runs after a successful renewal, which is where a reload command belongs if you ever obtain certificates with certonly instead of the apache or nginx plugin.
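Beyond the SSL Labs check above and the renewal schedule, it is useful to inspect the files certbot wrote under /etc/letsencrypt/live/<domain>/ from the server itself: whether privkey.pem really belongs to fullchain.pem, which names the certificate covers, and whether it is inside the 30-day window in which certbot renew will act. The script below is an added example, not code from the original article or from certbot; it relies only on the openssl command line. The self-signed key/certificate pairs it generates for the demonstration are constructed stand-ins for real Let's Encrypt files, and the path /etc/letsencrypt/live/www.golinuxcloud.com in the usage comment is the one from this article.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or from certbot: local checks on
# the files certbot writes under /etc/letsencrypt/live/<domain>/ (fullchain.pem
# and privkey.pem). Requires the openssl command line (1.1.1 or newer).
set -u

RENEW_WINDOW_DAYS=30   # certbot renew acts once fewer than 30 days of validity remain

# needs_renewal CERT [DAYS] -> exit 0 if CERT expires within DAYS days (default 30).
needs_renewal() {
    local cert=$1 days=${2:-$RENEW_WINDOW_DAYS}
    # "openssl x509 -checkend N" exits 0 when the certificate is still valid N
    # seconds from now and 1 when it will have expired, so invert the result.
    if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# key_matches_cert CERT KEY -> exit 0 if KEY is the private key for the leaf in CERT.
key_matches_cert() {
    local cert=$1 key=$2 cert_pub key_pub
    # Compare the certificate's public key with the public half of the private
    # key, both as PEM. A mismatch means httpd/nginx will refuse to load the pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_sans CERT -> DNS names the leaf certificate covers, comma separated.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# report LIVE_DIR -> summary of LIVE_DIR/fullchain.pem and privkey.pem;
# exit 1 if the key does not match or renewal is already due.
report() {
    local dir=$1 cert=$1/fullchain.pem key=$1/privkey.pem rc=0
    echo "$dir"
    echo "  names:   $(cert_sans "$cert")"
    echo "  expires: $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
    if key_matches_cert "$cert" "$key"; then
        echo "  key:     matches certificate"
    else
        echo "  key:     DOES NOT match certificate"; rc=1
    fi
    if needs_renewal "$cert"; then
        echo "  renewal: due (under $RENEW_WINDOW_DAYS days left); run: certbot renew"; rc=1
    else
        echo "  renewal: not yet due"
    fi
    return $rc
}

# make_test_pair DIR DAYS -> constructed self-signed stand-in for a live/<domain>
# directory, valid for DAYS days; used only for the demonstration.
make_test_pair() {
    local dir=$1 days=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -subj "/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:example.com" >/dev/null 2>&1
}

# Usage: ./check_le_cert.sh /etc/letsencrypt/live/www.golinuxcloud.com
# With no argument, demonstrate on two constructed pairs (10 and 89 days left).
if [ $# -eq 1 ]; then
    report "$1"
else
    demo=$(mktemp -d)
    make_test_pair "$demo/soon" 10
    make_test_pair "$demo/fresh" 89
    report "$demo/soon" || true
    report "$demo/fresh" || true
    rm -rf "$demo"
fi
```

The script reads only the first certificate in fullchain.pem, which is the leaf; the intermediate that follows it is what the browser and SSL Labs check, not the key pairing. A "renewal: due" result on a live directory while the timer or cron job is supposedly running is the signal to look at /var/log/letsencrypt/letsencrypt.log for a failed challenge.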
Delete Certificate
If you want to delete the certificate for any reason:
sudo certbot delete
Or delete a specific certificate by the name certbot knows it under (normally the first domain on the certificate):
sudo certbot delete --cert-name example.com
This removes the files under /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ together with the renewal configuration, but it does not edit the web server configuration that points at them. Remove or fix the *-le-ssl.conf file (Apache) or the ssl_certificate lines (Nginx) first, otherwise httpd or nginx will refuse to start because the certificate files are gone.
Summary
Browsers and many other clients now warn about or refuse connections to sites without a valid certificate. For fast, free certificates that renew themselves, Let's Encrypt is the obvious choice. If you run into issuance problems, the Let's Encrypt community forum is the place to ask.