Clients like internet browsers can access websites using encryption. This is mandatory for sites that collect user input: sign-up credentials and personal data, commercial transaction data, surveys, comments and other input.

In order to create a secure connection, a digital certificate (or SSL certificate) is required. This certificate must be issued by a trusted institution called a Certificate Authority (CA).

Certificates have a dual role: they encrypt the data being transmitted and they authenticate the identity of a website.

SSL stands for Secure Sockets Layer, a standard security technology that encrypts communication between a server and a web browser. It prevents sensitive data from being stolen or tampered with: credentials, card numbers, emails, transactions and credit cards.

Now, while it is ideal to use a CA, this is not always an option, as it requires a budget and your project might be a non-profit or a personal project. Without a certificate the browser will show warnings to your visitors and search engines will lower the site's ranking, questioning its credibility.

For this reason an option is to create and use a free certificate issued by Let’s Encrypt. There is a wizard on the Certbot site to help you get started based on your specific OS.

Study the steps beforehand to understand the process.

Note: you need a registered domain in order to benefit from a self-signed certificate. If you don’t have one, get one from Freenom.

STEP1 Open HTTPS in your firewall

You first need to deal with the firewall: firewall-cmd on CentOS and ufw on Ubuntu.

If you don’t allow it you’ll get an error: SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

sudo firewall-cmd --zone=public --permanent --add-service=https
sudo firewall-cmd --reload
sudo systemctl restart httpd

If your firewall is ufw, run:

sudo ufw allow 80,443/tcp

STEP2 Request SSL certificates from Let’s Encrypt

When your server is Apache, run it with the option --apache; if it is nginx, run it with --nginx.

sudo /usr/local/bin/certbot-auto --apache

This will trigger the following:

Upgrading certbot-auto 1.3.0 to 1.9.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: spokane.eu
2: www.spokane.eu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for spokane.eu
http-01 challenge for www.spokane.eu
Waiting for verification...
Cleaning up challenges

Now the most interesting part: creating the virtual host and deploying the certificate automatically:

Created an SSL vhost at /etc/httpd/sites-available/spokane.eu-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/spokane.eu-le-ssl.conf
Enabling site /etc/httpd/sites-available/spokane-le-ssl.conf by adding Include to root configuration
Deploying Certificate to VirtualHost /etc/httpd/sites-available/spokane.eu-le-ssl.conf
Redirecting vhost in /etc/httpd/sites-enabled/spokane.eu.conf to ssl vhost in /etc/httpd/sites-available/spokane.eu-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://spokane.eu and
https://www.spokane.eu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/spokane.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/spokane.eu/privkey.pem
   Your cert will expire on 2021-01-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

STEP3 Set automatic renewal of certificates

All the certificates issued by Let’s Encrypt are valid for 3 months only. Let’s Encrypt allows you to renew a certificate when 30 days or less remain before expiry. The Certbot utility lets you renew the SSL certificate with a single command.

You can also schedule this as a cron job.

Run the command below to renew all the certificates on that system.

sudo /usr/local/bin/certbot-auto renew

You can also do a dry run without actually renewing the certificate. This lets you verify whether SSL renewal will work when scheduled as a cron job.

sudo /usr/local/bin/certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/spokane.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for spokane.eu
http-01 challenge for www.spokane.eu
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/spokane.eu/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/spokane.eu/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

STEP4 Test

Once the SSL certificate is installed on the web server, visit https://your-domain.com/ in a web browser and look for the SSL lock icon in the URL bar. You can also do a security scan for the SSL setup on https://www.ssllabs.com/ssltest/.

A sample of test results:

Certificate #1: RSA 2048 bits (SHA256withRSA)

Server Key and Certificate #1
Subject: jazio.eu
Fingerprint SHA256: 6cdc2f89a47a8b111641368ee316725c640fecd7c58c45addc4bc8491fd397e8
Pin SHA256: aR9GPx2Nyy582e1xQKv1+aBq/AbSMB8NmLLepTt2h0s=
Common names: spokane.eu
Alternative names: spokane.eu www.spokane.eu
Serial Number: 033476718974c3eba693a7620f8f4be6db53
Valid from: Thu, 15 Oct 2020 21:05:35 UTC
Valid until: Wed, 13 Jan 2021 21:05:35 UTC (expires in 2 months and 28 days)
Key: RSA 2048 bits (e 65537)
Weak key (Debian): No
Issuer: Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/
Signature algorithm: SHA256withRSA
Extended Validation: No
Certificate Transparency: Yes (certificate)
OCSP Must Staple: No
Revocation information: OCSP
OCSP: http://ocsp.int-x3.letsencrypt.org
Revocation status: Good (not revoked)
DNS CAA: No
Trusted: Yes (Mozilla, Apple, Android, Java, Windows)

Protocols
TLS 1.3: Yes
TLS 1.2: Yes*
TLS 1.1: No
TLS 1.0: No
SSL 3: No
SSL 2: No
(*) Experimental: Server negotiated using No-SNI
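The cron renewal from STEP3 can fail silently (for example when port 80 is blocked again), and STEP4 only checks the certificate by hand. The script below is an added example, not part of the original post: it fetches the certificate actually served on port 443, computes the days left and flags anything inside the 30-day renewal window the post describes. It assumes GNU date (as on CentOS and Ubuntu), the openssl CLI, and hypothetical paths for the cron entries.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU date and the openssl CLI;
# the host name, the 30-day threshold and the cron paths are assumptions.

# Days between a certificate's notAfter (openssl format, e.g. "Jan 13 21:05:35 2021 GMT")
# and a reference time (second argument, defaults to now). Pure arithmetic, testable offline.
days_left() {
    exp_epoch=$(date -u -d "$1" +%s) || return 2
    now_epoch=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# Let's Encrypt certificates live 90 days and certbot renews them 30 days before
# expiry, so a live certificate with fewer than 30 days left means renewal is not working.
verdict() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt 30 ]; then echo RENEWAL-OVERDUE
    else echo OK
    fi
}

# Fetch the certificate served on port 443, sending SNI so a name-based vhost such as
# the spokane.eu-le-ssl.conf one answers with the right certificate, and check it.
check_site() {
    host=$1
    not_after=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    [ -n "$not_after" ] || { echo "$host: could not fetch certificate" >&2; return 2; }
    left=$(days_left "$not_after")
    state=$(verdict "$left")
    echo "$host: $left days left, $state"
    [ "$state" = OK ]
}

# Assumed cron entries: renew nightly, then alert if the live certificate is still
# close to expiry, which means the renewal job is failing silently.
#   0 3 * * * root /usr/local/bin/certbot-auto renew --quiet
#   30 3 * * * root /usr/local/bin/check-cert.sh spokane.eu || logger -t certwatch "renewal overdue"

if [ $# -gt 0 ]; then check_site "$1"; fi
```

Run as check-cert.sh your-domain.com; a non-zero exit status is what the cron alert line keys on.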

A note on Nextcloud server

If you have a domain name associated with your Nextcloud server, the best option for securing your web interface is to obtain a Let’s Encrypt SSL certificate.

Start by opening the ports in the firewall that Let’s Encrypt uses to validate domain ownership. This will make your Nextcloud login page publicly accessible, but since we already have an administrator account configured, no one will be able to hijack the installation.

Next, request a Let’s Encrypt certificate by typing:

    sudo nextcloud.enable-https lets-encrypt

You will first be asked whether your server meets the conditions necessary to request a certificate from the Let's Encrypt service:

Output
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n)

Type y to continue.

Next, you will be asked to provide an email address to use for recovery operations:

Output
Please enter an email address (for urgent notices or key recovery): your_email@domain.com

Finally, enter the domain name associated with your Nextcloud server:

Output
Please enter your domain name(s) (space-separated): example.com

Your Let's Encrypt certificate will be requested and, provided everything went well, the internal Apache instance will be restarted to immediately implement SSL:

Output
Attempting to obtain certificates... done
Restarting apache... done

Conclusion

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server. It was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.

Certbot is meant to be run on the server where your website is hosted. If you don’t have administrative shell access to your webserver or you’re not familiar with command line server administration, you should check if your hosting provider has built-in Let’s Encrypt support by contacting them or checking this list of supporting providers.