Required in advance
Apache is installed and HTTPS communication is available.
HTTP (port 80) is open, because the http-01 challenge used below is answered over it.
The same procedure applies to Red Hat Enterprise Linux and to the free distributions compatible with it (Rocky Linux, AlmaLinux OS, CentOS 7).
Installing Certbot
# yum install epel-release
# yum install certbot python-certbot-apache
Application for TLS server certificate issuance
Request and obtain a single certificate covering the following three FQDNs (as Subject Alternative Names).
DNS Name=worldmotor.f5.si
DNS Name=www.worldmotor.f5.si
DNS Name=google.worldmotor.f5.si
For RSA
# certbot certonly --webroot -w /var/www/html/ -d worldmotor.f5.si -d www.worldmotor.f5.si -d google.worldmotor.f5.si
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): xxxx@gmail.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for worldmotor.f5.si and 2 more domains
Performing the following challenges:
http-01 challenge for google.worldmotor.f5.si
http-01 challenge for worldmotor.f5.si
http-01 challenge for www.worldmotor.f5.si
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: xxxx@gmail.com).
Starting new HTTPS connection (1): supporters.eff.org
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/worldmotor.f5.si/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/worldmotor.f5.si/privkey.pem
Your certificate will expire on 2024-01-14. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# cd /etc/letsencrypt/live/worldmotor.f5.si
# ls -l
total 4
lrwxrwxrwx 1 root root 40 Oct 16 22:49 cert.pem -> ../../archive/worldmotor.f5.si/cert1.pem
lrwxrwxrwx 1 root root 41 Oct 16 22:49 chain.pem -> ../../archive/worldmotor.f5.si/chain1.pem
lrwxrwxrwx 1 root root 45 Oct 16 22:49 fullchain.pem -> ../../archive/worldmotor.f5.si/fullchain1.pem
lrwxrwxrwx 1 root root 43 Oct 16 22:49 privkey.pem -> ../../archive/worldmotor.f5.si/privkey1.pem
-rw-r--r-- 1 root root 692 Oct 16 22:49 README
For ECC
# certbot certonly --key-type ecdsa --webroot -w /var/www/html/ -d worldmotor.f5.si -d www.worldmotor.f5.si -d google.worldmotor.f5.si
Apache configuration
Point Apache at the certificate files issued via ACME. Use the paths under /etc/letsencrypt/live/: they are symlinks that Certbot repoints at each renewal, so the Apache configuration does not have to change when the certificate is renewed. (On Apache 2.4.8 or later, SSLCertificateChainFile is deprecated; pointing SSLCertificateFile at fullchain.pem has the same effect.)
[/etc/httpd/conf.d/ssl.conf]
(omission)
SSLCertificateFile /etc/letsencrypt/live/worldmotor.f5.si/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/worldmotor.f5.si/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/worldmotor.f5.si/chain.pem
(omission)
Apache restart
Restart Apache so that it loads the new certificate (the files are read at startup, so an OS reboot also picks them up).
# systemctl restart httpd
Certificate renewal with Certbot
In the following example, Certbot reports "Cert not yet due for renewal" because the certificate still has enough of its validity period left.
A Let's Encrypt certificate is valid for 90 days, and certbot renew only replaces it once fewer than 30 days remain, i.e. from about 60 days after issuance.
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/worldmotor.f5.si.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/worldmotor.f5.si/fullchain.pem expires on 2024-01-14 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
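An added check script (not from the original page) that inspects a Certbot live directory such as the one listed above and reports the key type, whether cert.pem and privkey.pem belong together, and whether certbot renew would act on it yet, using Certbot's 30-days-remaining rule. It assumes the openssl command line tool is installed; the directory path is an argument.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check a Certbot
# "live" directory (e.g. /etc/letsencrypt/live/worldmotor.f5.si).
# Assumes the openssl CLI is available.
set -eu

# Certbot renews once fewer than 30 days of validity remain.
RENEW_WINDOW=$((30 * 24 * 3600))

# Print the key algorithm ("rsa" or "ecdsa") of the certificate file $1.
cert_key_type() {
    case "$(openssl x509 -noout -text -in "$1" | grep 'Public Key Algorithm')" in
        *rsaEncryption*)  echo rsa ;;
        *id-ecPublicKey*) echo ecdsa ;;
        *)                echo unknown ;;
    esac
}

# Print "due" if certificate $1 expires within the renewal window, else "ok".
# -checkend exits 0 when the certificate is still valid N seconds from now.
cert_renewal_status() {
    if openssl x509 -noout -checkend "$RENEW_WINDOW" -in "$1" >/dev/null; then
        echo ok
    else
        echo due
    fi
}

# Succeed (exit 0) only if private key $2 matches certificate $1.
# Comparing the public keys works for both RSA and ECDSA.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Summarise one live directory on a single line.
check_live_dir() {
    d=$1
    printf '%s: key=%s renewal=%s key-match=%s\n' "$d" \
        "$(cert_key_type "$d/cert.pem")" \
        "$(cert_renewal_status "$d/cert.pem")" \
        "$(cert_matches_key "$d/cert.pem" "$d/privkey.pem" && echo yes || echo no)"
}

# Usage: sh check_live.sh /etc/letsencrypt/live/worldmotor.f5.si
if [ "$#" -eq 1 ]; then
    check_live_dir "$1"
fi
```

Run it after issuance and after each renewal; a "key-match=no" line means Apache would fail to start with the configured cert.pem/privkey.pem pair.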
Change to ECC when renewing certificate
To switch to an ECC (ECDSA) key at the next renewal, edit the "/etc/letsencrypt/cli.ini" file before running certbot renew.
/etc/letsencrypt/cli.ini
For secp256r1
# Use ECC for the private key
key-type = ecdsa
elliptic-curve = secp256r1
For secp384r1
# Use ECC for the private key
key-type = ecdsa
elliptic-curve = secp384r1
Reference
https://eff-certbot.readthedocs.io/en/latest/using.html#configuration-file
Cron settings
Run certbot renew from cron every weekday at 07:00 and let it decide whether renewal is due (nothing is renewed until fewer than 30 days of validity remain, i.e. about 60 days after issuance). Do not add --force-renew to this job: it re-issues the certificate on every run regardless of expiry and quickly exhausts Let's Encrypt's rate limits. Alternatively, certbot renew --deploy-hook "systemctl reload httpd" reloads Apache only when a certificate was actually replaced, instead of restarting it on every run.
# crontab -u root -e
Add the following ↓
0 7 * * 1-5 certbot renew --webroot -w /var/www/html/ >> /var/log/certbot-auto.log 2>&1
5 7 * * 1-5 systemctl restart httpd