Thanks to the EFF, we now have a lovely suite of tools for getting globally recognized and trusted SSL certificates for HTTPS via Let's Encrypt and their management tool, certbot.

INSTALLATION

    yum install python-certbot-apache certbot

INSTALLING NEW CERTIFICATE

Choose one of the following methods.

The first autodetects your setup and modifies your Apache ssl.conf file appropriately.

The second only pulls in the cert, and uses the webroot (the directory given in the -w parameter) to complete the authentication handshake for the domains listed.

    certbot --apache -d DOMAIN.TLD -d DOMAIN2.TLD
    certbot certonly --webroot -w /var/www/html -d DOMAIN1.TLD -d DOMAIN2.TLD

RENEWAL OF EXISTING CERTIFICATE

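Run this regularly; the renewal will only occur if the expiry is within the next 30 days.

    # Renew any certificate that is close to expiry
    certbot renew
    # Test the renewal process without saving any certificates
    certbot renew --dry-run
    # Renew with all output silenced except errors (suited to cron)
    certbot renew --quiet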

If this produces errors, the following can be used instead.

    ./certbot-auto certonly -d DOMAIN.tld -d www.DOMAIN.tld

INSPECTING CERTIFICATE

To inspect your certificate:

    openssl x509 -text -noout -in CERTIFICATE_FILE

ATTACHING CERTIFICATE TO COCKPIT

The certificate needs to be rebuilt for use with Cockpit, as certbot acquires .pem files and Cockpit wants a single .cert file.

    # Certificate first (overwrites any earlier DOMAIN.cert), then the private key
    cat /etc/letsencrypt/live/DOMAIN/cert.pem > DOMAIN.cert
    cat /etc/letsencrypt/live/DOMAIN/privkey.pem >> DOMAIN.cert

If you are using Fedora's Cockpit to manage your server(s), the process can be automated quite nicely. Assuming you have a method for automated certificate updates, you can daisy-chain the following in its own script or make an uber script.

    #!/bin/bash
    # Force root: re-run this script under sudo if not already root
    [ "$(whoami)" = root ] || { sudo "$0" "$@"; exit $?; }

    # Set some variables
    FQDN=$(cat /etc/hostname)

    # Fixes cockpit to use the LetsEncrypt SSL cert
    cd /etc/cockpit/ws-certs.d || exit 1
    # Back up the current file, if there is one
    [ -f "$FQDN".cert ] && mv "$FQDN".cert "$FQDN".crt.backup."$(date +%Y%m%d%H%M)"

    # Combined file: certificate first, then the private key
    cat /etc/letsencrypt/live/"$FQDN"/cert.pem > "$FQDN".cert
    cat /etc/letsencrypt/live/"$FQDN"/privkey.pem >> "$FQDN".cert

    systemctl restart cockpit

    cd ~
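
An added example, not part of the original page: the same rebuild done through a 0600 temp file and an atomic rename, so a rerun never appends a second copy, a failed run leaves the old file in place, and Cockpit is restarted only when the file changed. The function name, its return codes and the live-directory argument are assumptions of this example, as is that a root-owned 0600 file is readable by your Cockpit setup.

```bash
#!/bin/bash
# Added example (not from the original page): rebuild Cockpit's combined
# cert+key file from a certbot live directory without appending or half-writing.
# Usage: build_cockpit_cert LIVE_DIR DEST   (name and return codes are this example's)
# Returns 0 = DEST replaced, 2 = DEST already current, 1 = error (DEST untouched).
build_cockpit_cert() {
    local live="$1" dest="$2" tmp
    local cert="$live/cert.pem" key="$live/privkey.pem"

    # Refuse to build from missing or empty inputs.
    if [ ! -s "$cert" ] || [ ! -s "$key" ]; then
        echo "missing or empty: $cert / $key" >&2; return 1
    fi
    # Cheap sanity check that each file holds the PEM type we expect.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || { echo "not a certificate: $cert" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "not a private key: $key" >&2; return 1; }

    # Build in the destination directory so the final mv is an atomic rename.
    # mktemp creates the file mode 0600, so the key is not world-readable
    # (assumption: your Cockpit setup can read a root-owned 0600 file).
    tmp=$(mktemp "$dest.tmp.XXXXXX") || return 1
    cat "$cert" "$key" > "$tmp" || { rm -f "$tmp"; return 1; }

    if [ -f "$dest" ]; then
        # Unchanged: leave the file alone so the caller can skip the restart.
        if cmp -s "$tmp" "$dest"; then rm -f "$tmp"; return 2; fi
        # Keep the old file under a name that does not end in .cert.
        cp -p "$dest" "$dest.backup.$(date +%Y%m%d%H%M)" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"
}

# Runs only when a live directory is passed, e.g. /etc/letsencrypt/live/DOMAIN.
if [ -n "${1:-}" ]; then
    rc=0
    build_cockpit_cert "$1" "/etc/cockpit/ws-certs.d/$(cat /etc/hostname).cert" || rc=$?
    case "$rc" in
        0) systemctl restart cockpit ;;
        2) exit 0 ;;
        *) exit 1 ;;
    esac
fi
```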

AMAZON LIGHTSAIL / AWS ISSUES

Amazon has a few issues with certbot.  Here are the steps to get around them.

INSTALL CERTBOT

    yum install python27-devel git
    git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

INSTALL CERTIFICATE

    /opt/letsencrypt/letsencrypt-auto --debug certonly -d domain.tld -d www.domain.tld

APACHE SSL SUPPORT

Now install SSL support for Apache (2.4 in my example), if you have not already.

    yum install mod24_ssl

Edit /etc/httpd/conf.d/ssl.conf to fix the following values:

    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem

RESTART APACHE

    sudo service httpd restart

FIX ZOPE & PYTHON ERRORS

If you encounter the following:

    File "/home/ec2-user/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
    File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/certbot/main.py", line 11, in <module>
    import zope.component
    File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
    ImportError: No module named interface

Then you will need to do the following to correct it (as root):

    unset PYTHON_INSTALL_LAYOUT
    /opt/letsencrypt/letsencrypt-auto -v
    /opt/letsencrypt/letsencrypt-auto renew
    service httpd reload