Category: SSL

Install Certbot
Official website has good documentation (yum install certbot)

Generating a Certificte

certbot certonly -d -d

Renewing a Certificate

You can run dry-run to ensure all is okay

certbot certonly renew -d -d --dry-run

Run without dry run in production

Installation location
|/etc/letsencrypt/|Root Let’s Encrypt Directory
|/etc/letsencrypt/live|Live certifiates
|/etc/letsencrypt/renewal|Sites that need to be renewed

Verification Method
It verifies the certificate by creating a file in webroot
.well-known/xxx/{ramdonly generated}

Once verified it deletes this
Same verification is done for renewals

Install Let’s Encrypt Client:

Assess the risk of making any changes. Are there any risk to information security by setting this up? If any concerns please contact Lucie Sadler (Information Security Officer). Follow this wiki for any service issues in vdp appliances. E.g., to restart any services that are failing.

Although the Let’s Encrypt project has renamed their client to certbot, the client included in the Ubuntu 16.04 repositories is simply called letsencrypt. This version is completely adequate for our purposes.

$ apt-get update
$ apt-get install python-letsencrypt-apache

Set Up the SSL Certificate

  • Generating the SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
  • If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command.
$ letsencrypt --apache -d -d
  • After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https. It is usually safest to require https, unless you have a specific need for unencrypted http traffic.
  • When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live.

Set Up Auto Renewal

  • Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
  • To trigger the renewal process for all installed domains, you should run:
$ letsencrypt renew
  • Because we recently installed the certificate, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. Edit the crontab to create a new job that will run the renewal command every week.
$ crontab -e
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log && service httpd reload
  • This will create a new cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at /var/log/le-renewal.log.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.