LETS ENCRYPT
Let's Encrypt (operated by the Internet Security Research Group) issues free, publicly trusted TLS certificates for HTTPS, and the EFF's certbot client automates obtaining, installing and renewing them.
INSTALLATION
sudo dnf install python-certbot-apache certbot
On current Fedora releases the Apache plugin package is named python3-certbot-apache; the plugin is only needed for the first issuance method below.
INSTALLING NEW CERTIFICATE
Choose one of the following methods.
The first uses the Apache plugin: certbot detects the virtual hosts serving the listed domains, obtains the certificate and writes the SSLCertificateFile/SSLCertificateKeyFile directives into a new HTTPS virtual host file (typically NAME-le-ssl.conf) next to the original. Check the result rather than assuming ssl.conf was edited.
The second (certonly --webroot) only obtains the certificate. Certbot drops the challenge response under .well-known/acme-challenge/ inside the directory given by -w, and Let's Encrypt fetches it over plain HTTP on port 80, so that path must be reachable for every -d domain. You then point your web server at /etc/letsencrypt/live/DOMAIN1.TLD/fullchain.pem and privkey.pem yourself.
sudo certbot --apache -d DOMAIN.TLD -d DOMAIN2.TLD
sudo certbot certonly --webroot -w /var/www/html -d DOMAIN1.TLD -d DOMAIN2.TLD
RENEWAL OF EXISTING CERTIFICATE
Safe to run as often as you like: certbot only renews a certificate whose expiry is within the next 30 days and leaves the rest untouched. The Fedora package also installs a systemd timer (certbot-renew.timer, visible with systemctl list-timers) that does this for you. --dry-run exercises the renewal against the staging environment without replacing anything; --quiet suppresses output for use from cron or the timer.
sudo certbot renew
sudo certbot renew --dry-run
sudo certbot renew --quiet
If renewal fails, re-issuing the certificate with certonly and the same -d list is the fallback. Older notes did this through the certbot-auto wrapper script, which the EFF no longer maintains; use the packaged certbot binary instead.
sudo certbot certonly -d DOMAIN.tld -d www.DOMAIN.tld
INSPECTING CERTIFICATE
To inspect your certificate:
sudo openssl x509 -text -noout -in CERTIFICATE_FILE
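Reading the -text dump by eye does not scale, and the two mistakes that actually bite are a certificate that is about to lapse and a .cert/.key pair that do not belong together (easy to do once the files are copied around for Cockpit, as in the next section). The script below is an added example, not part of the original notes or of certbot; it uses only the openssl CLI, and the file paths and host names are whatever you pass on the command line.

```sh
#!/bin/sh
# Added example (not from the original notes): sanity checks on a PEM
# certificate before a server is pointed at it. Needs the openssl CLI.

# cert_expires_within CERT DAYS -> exit 0 if CERT expires within DAYS days.
# openssl's -checkend returns 0 when the cert is still good for that long,
# so the result is inverted. An unreadable file also counts as "expiring"
# (fail closed).
cert_expires_within() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# cert_covers_name CERT NAME -> exit 0 if NAME appears as a DNS subjectAltName.
# Browsers ignore the CN, so only the SAN list matters.
cert_covers_name() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx "DNS:$2"
}

# cert_matches_key CERT KEY -> exit 0 if KEY is the private key for CERT.
# Both sides are reduced to the same SubjectPublicKeyInfo PEM and compared.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)" = \
      "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# check_cert CERT KEY NAME... : one report line per check; exit 0 only if all pass.
check_cert() {
    cert=$1; key=$2; shift 2
    rc=0
    if cert_expires_within "$cert" 30; then
        echo "WARN: $cert expires within 30 days (certbot renew would act now)"; rc=1
    else
        echo "ok: $cert has more than 30 days of validity left"
    fi
    if cert_matches_key "$cert" "$key"; then
        echo "ok: $key is the private key for $cert"
    else
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    for name in "$@"; do
        if cert_covers_name "$cert" "$name"; then
            echo "ok: covers $name"
        else
            echo "FAIL: no DNS SAN for $name"; rc=1
        fi
    done
    return $rc
}

# Usage: sh certcheck.sh CERT_FILE KEY_FILE [DNS_NAME]...
# e.g.   sh certcheck.sh /etc/cockpit/ws-certs.d/HOST.cert /etc/cockpit/ws-certs.d/HOST.key HOST
if [ "$#" -ge 2 ]; then
    check_cert "$@"
fi
```

Run it against the files certbot wrote (fullchain.pem and privkey.pem under /etc/letsencrypt/live/DOMAIN/) or against the copies in Cockpit's directory; a non-zero exit means at least one check failed, which makes it usable as a gate in a deploy script.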
ATTACHING CERTIFICATE TO COCKPIT
Cockpit reads its TLS material from /etc/cockpit/ws-certs.d/, where it expects the certificate chain in a .cert file and the private key in a .key file of the same name (older Cockpit releases wanted the key appended to the .cert file instead). Certbot already produces both pieces as PEM files, so nothing has to be rebuilt, only copied. Note that "sudo cat FILE > DOMAIN.cert" does not work: the redirection is performed by your unprivileged shell, not by sudo, so it fails in the root-owned directory. Use install, which also sets the permissions; the key must stay readable by root only.
sudo install -m 0644 /etc/letsencrypt/live/DOMAIN/fullchain.pem /etc/cockpit/ws-certs.d/DOMAIN.cert
sudo install -m 0600 /etc/letsencrypt/live/DOMAIN/privkey.pem /etc/cockpit/ws-certs.d/DOMAIN.key
If you are using Fedora's Cockpit to manage your server(s), the process can be automated quite nicely. Renewal itself is already scheduled by certbot's systemd timer, so the only missing piece is copying the renewed files into Cockpit's directory and restarting the service. The script below does that; run it by hand, chain it into your own maintenance script, or drop it into /etc/letsencrypt/renewal-hooks/deploy/, where certbot runs it after every successful renewal with RENEWED_LINEAGE set to the lineage directory that was just renewed.
#!/bin/bash
# Install this host's Let's Encrypt certificate into Cockpit.
# Re-exec through sudo if not already root, then abort on the first error.
[ "$(id -u)" -eq 0 ] || exec sudo "$0" "$@"
set -euo pipefail

# As a certbot deploy hook, RENEWED_LINEAGE points at the renewed lineage;
# otherwise use the one named after this host's FQDN (hostname -f rather than
# /etc/hostname, which may hold only the short name).
LIVE=${RENEWED_LINEAGE:-/etc/letsencrypt/live/$(hostname -f)}
FQDN=$(basename "$LIVE")
CERTDIR=/etc/cockpit/ws-certs.d

[ -r "$LIVE/fullchain.pem" ] && [ -r "$LIVE/privkey.pem" ] ||
    { echo "no Let's Encrypt lineage under $LIVE" >&2; exit 1; }

# Keep a dated copy of the previous certificate; the .backup suffix keeps Cockpit from loading it.
[ -f "$CERTDIR/$FQDN.cert" ] && mv "$CERTDIR/$FQDN.cert" "$CERTDIR/$FQDN.cert.backup.$(date +%Y%m%d%H%M)"

# Cockpit wants the chain in .cert and the key in .key; the key must stay root-only.
install -m 0644 "$LIVE/fullchain.pem" "$CERTDIR/$FQDN.cert"
install -m 0600 "$LIVE/privkey.pem" "$CERTDIR/$FQDN.key"

systemctl restart cockpit