@jdeathe
Last active December 4, 2019 08:30
Installation and Usage of Certbot on CentOS to obtain a Let’s Encrypt TLS/SSL certificate.

Installation and Usage of Certbot on CentOS

Installation

Install certbot-auto

# mkdir -p /opt/{bin,certbot/bin} \
  && curl -sS \
    -o /opt/certbot/bin/certbot-auto \
    https://dl.eff.org/certbot-auto \
  && chmod 711 /opt/certbot/bin/certbot-auto \
  && ln -sf \
    /opt/certbot/bin/certbot-auto \
    /opt/bin/certbot-auto

Add /opt/bin to PATH

# cat > /etc/profile.d/add-opt-bin-path.sh <<-EOT
	#!/usr/bin/env bash

	pathmunge /opt/bin

EOT

Source the profile

# source /etc/profile

Install certbot

# certbot-auto -nq

Usage

Note: Remove --test-cert when you are ready to request certificates from the live (rate-limited) service.

Manual method

This method is useful when generating certificates on a server other than the target host.

# certbot-auto certonly \
  --agree-tos \
  --domains www.example.com,example.com \
  --email webmaster@example.com \
  --manual \
  --manual-public-ip-logging-ok \
  --test-cert \
  --text

Webroot method

This method is useful when obtaining certificates for an already running, publicly reachable web server.

# certbot-auto certonly \
  --agree-tos \
  --domains www.example.com,example.com \
  --email webmaster@example.com \
  --test-cert \
  --text \
  --webroot \
  --webroot-path /var/www/example/public_html/

Apache installation

Link Live Certificates to Apache Certificate File Paths

Either update the VirtualHost's SSLCertificateChainFile, SSLCertificateKeyFile and SSLCertificateFile directives to point directly at /etc/letsencrypt/live/www.example.com/chain.pem, /etc/letsencrypt/live/www.example.com/privkey.pem and /etc/letsencrypt/live/www.example.com/fullchain.pem, or create symbolic links from the existing paths to the Let's Encrypt live certificate files.

SSLCertificateChainFile should not be necessary when SSLCertificateFile already points at the full chain, but without it TLS fails after renewal with the error "This server's certificate chain is incomplete".

# mkdir -p \
    /var/www/ssl/www.example.com \
  && ln -sf \
    /etc/letsencrypt/live/www.example.com/chain.pem \
    /var/www/ssl/www.example.com/chain.pem \
  && ln -sf \
    /etc/letsencrypt/live/www.example.com/privkey.pem \
    /var/www/ssl/www.example.com/privkey.pem \
  && ln -sf \
    /etc/letsencrypt/live/www.example.com/fullchain.pem \
    /var/www/ssl/www.example.com/fullchain.pem

Reload Apache

# apachectl graceful
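The symlinks above only help while they still resolve to the files certbot manages, and a fullchain.pem that carries nothing but the leaf certificate is exactly what clients report as an incomplete chain. The following script is an added example, not part of the original gist: it checks a directory laid out like /var/www/ssl/www.example.com for three things, that chain.pem, privkey.pem and fullchain.pem each resolve through their symlink, that the private key is not readable by group or others, and that fullchain.pem holds exactly one certificate more than chain.pem. The function names (check_cert_dir, count_pem_certs, make_fixture) are chosen for this example, and the fixture it builds under mktemp is constructed placeholder PEM text rather than real keys or certificates, so it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: sanity-check the certificate
# files an Apache VirtualHost points at, before and after a renewal.
# Function and fixture names are chosen for this example.

# count_pem_certs FILE: print the number of PEM certificate blocks in FILE
# (0 if the file is missing or contains none).
count_pem_certs() {
  local n
  n="$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)" || true
  printf '%s\n' "${n:-0}"
}

# check_cert_dir DIR: verify chain.pem, privkey.pem and fullchain.pem in DIR,
# the layout the symlinks above create under /var/www/ssl/www.example.com.
# Prints one line per file and returns 1 if any check fails.
check_cert_dir() {
  local dir="$1" rc=0 f target perms nchain nfull

  for f in chain.pem privkey.pem fullchain.pem; do
    # readlink -e follows the whole symlink chain and fails when the final
    # target does not exist, i.e. when a link has been left dangling.
    if ! target="$(readlink -e -- "${dir}/${f}")"; then
      printf 'FAIL %s: missing or dangling symlink\n' "${dir}/${f}"
      rc=1
      continue
    fi
    printf 'ok   %s -> %s\n' "${dir}/${f}" "${target}"
  done
  [ "${rc}" -eq 0 ] || return "${rc}"

  # The private key must not be readable by group or others.
  perms="$(stat -L -c '%a' "${dir}/privkey.pem")"
  case "${perms}" in
    *00) ;;
    *) printf 'FAIL %s: mode %s is readable by others\n' "${dir}/privkey.pem" "${perms}"
       rc=1 ;;
  esac

  # fullchain.pem is the leaf certificate followed by chain.pem, so it must
  # hold exactly one more certificate than chain.pem. A fullchain.pem with a
  # single certificate is what clients report as an incomplete chain.
  nchain="$(count_pem_certs "${dir}/chain.pem")"
  nfull="$(count_pem_certs "${dir}/fullchain.pem")"
  if [ "${nchain}" -lt 1 ] || [ "${nfull}" -ne $((nchain + 1)) ]; then
    printf 'FAIL %s: %s certificate(s), chain.pem has %s\n' \
      "${dir}/fullchain.pem" "${nfull}" "${nchain}"
    rc=1
  fi
  return "${rc}"
}

# make_fixture ROOT: constructed stand-in for /etc/letsencrypt/live and the
# /var/www/ssl symlink tree, using placeholder PEM text (not real keys or
# certificates) so the example runs offline.
make_fixture() {
  local live="$1/live/www.example.com" ssl="$1/ssl/www.example.com" f
  mkdir -p "${live}" "${ssl}"
  printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n' \
    > "${live}/cert.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n' \
    > "${live}/chain.pem"
  cat "${live}/cert.pem" "${live}/chain.pem" > "${live}/fullchain.pem"
  printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' \
    > "${live}/privkey.pem"
  chmod 600 "${live}/privkey.pem"
  for f in chain.pem privkey.pem fullchain.pem; do
    ln -sf "${live}/${f}" "${ssl}/${f}"
  done
}

# Demonstration: build the fixture in a temporary directory and check it.
# On a real host, call check_cert_dir /var/www/ssl/www.example.com instead.
demo_root="$(mktemp -d)"
make_fixture "${demo_root}"
check_cert_dir "${demo_root}/ssl/www.example.com"
```

Running check_cert_dir against the real /var/www/ssl/www.example.com directory from the renew post-hook, before apachectl graceful, turns a silent broken link or an unexpectedly short chain into a logged failure rather than an outage discovered by clients.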

Renewing certificates

The renew sub-command can be run periodically (twice a day is recommended) via cron or a systemd timer.

# certbot-auto renew \
  --quiet \
  --no-self-upgrade \
  --post-hook "apachectl graceful"

Example crontab entry

The following example will run the renew sub-command at 05:27 and 21:27 daily.

27 5,21 * * * /opt/bin/certbot-auto renew --quiet --no-self-upgrade --post-hook "apachectl graceful" >> /var/log/certbot.log 2>&1
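The systemd timer alternative mentioned above, written out as an added example that is not part of the original gist. It installs a service/timer pair equivalent to the crontab entry: the same renew command with the same post-hook, scheduled at 05:27 and 21:27 daily. The unit name certbot-renew, the function name write_renew_units and the destination directory argument are assumptions for this example; the output of the run lands in the journal, so the redirection to /var/log/certbot.log is not needed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: write a systemd timer and
# service pair equivalent to the crontab entry above. The unit name
# "certbot-renew" and the argument names are assumptions for this example.
#
# Usage on a host: write_renew_units /etc/systemd/system
#                  systemctl daemon-reload && systemctl enable --now certbot-renew.timer

write_renew_units() {
  local destdir="${1:?destination directory required}"
  local certbot="${2:-/opt/bin/certbot-auto}"

  mkdir -p "${destdir}"

  # Type=oneshot: the unit is complete when certbot-auto exits. Its stdout and
  # stderr go to the journal, so no log-file redirection is required.
  cat > "${destdir}/certbot-renew.service" <<EOT
[Unit]
Description=Renew Let's Encrypt certificates with certbot-auto
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=${certbot} renew --quiet --no-self-upgrade --post-hook "apachectl graceful"
EOT

  # OnCalendar uses systemd's "DOW YYYY-MM-DD HH:MM:SS" form; "05,21" in the
  # hour field matches both daily runs, like "5,21" in the crontab hour field.
  # Persistent=true runs a missed job at the next boot, which cron does not do.
  cat > "${destdir}/certbot-renew.timer" <<EOT
[Unit]
Description=Twice-daily certbot-auto renew

[Timer]
OnCalendar=*-*-* 05,21:27:00
Persistent=true

[Install]
WantedBy=timers.target
EOT
}

# Demonstration against a temporary directory so nothing on the host changes.
demo_dir="$(mktemp -d)"
write_renew_units "${demo_dir}"
cat "${demo_dir}/certbot-renew.service" "${demo_dir}/certbot-renew.timer"
```

After installing the units, `systemctl list-timers certbot-renew.timer` shows the next scheduled run and `journalctl -u certbot-renew.service` shows the output of past runs.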
