Install Certbot#

Official website has good documentation (yum install certbot)

Generating a Certificte#

certbot certonly -d -d

Renewing a Certificate #

You can run dry-run to ensure all is OK

certbot certonly renew -d -d --dry-run
Run without dry run in production

Installation location#

/etc/letsencrypt/Root Let's Encrypt Directory
/etc/letsencrypt/liveLive certifiates
/etc/letsencrypt/renewalSites that need to be renewed

Verification Method#

It verifies the certificate by creating a file in webroot
.well-known/xxx/{ramdonly generated}

Once verified it deletes this
Same verification is done for renewals

Install Let's Encrypt Client:#

Assess the risk of making any changes. Are there any risk to information security by setting this up? If any concerns please contact Lucie Sadler (Information Security Officer). Follow this wiki for any service issues in vdp appliances. E.g., to restart any services that are failing.

Although the Let's Encrypt project has renamed their client to certbot, the client included in the Ubuntu 16.04 repositories is simply called letsencrypt. This version is completely adequate for our purposes.

$ apt-get update
$ apt-get install python-letsencrypt-apache

Set Up the SSL Certificate#

1. Generating the SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.
2. If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command.

$ letsencrypt --apache -d -d

3. After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https. It is usually safest to require https, unless you have a specific need for unencrypted http traffic. 4. When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live.

Set Up Auto Renewal#

1. Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. 2. To trigger the renewal process for all installed domains, you should run:

$ letsencrypt renew
3. Because we recently installed the certificate, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. Edit the crontab to create a new job that will run the renewal command every week.
$ crontab -e
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log && service httpd reload
4. This will create a new cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at /var/log/le-renewal.log.

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-2) was last changed on 21-Mar-2018 16:32 by Hyve Support
G’day (anonymous guest) My Prefs
  • View Page Source
  • This clear IPSec security association,
    clear ipsec sa peer X.X.X.X

All Pages

Page views: 1366

Private Tomcat




SQL Server




Web Mail

Windows Plesk

Linux Plesk




Persits ASPUpload

Wiki Help

Referring Pages:

JSPWiki v2.8.1