
LET'S ENCRYPT

Thanks to the EFF, we now have a lovely suite of tools for getting globally recognized and trusted SSL certificates for HTTPS via Let's Encrypt and their management tool certbot.

INSTALLATION

    sudo dnf install python-certbot-apache certbot

INSTALLING NEW CERTIFICATE

Choose one of the following methods.

The first uses autodetection and modifies your Apache ssl.conf file appropriately.

The second only pulls in the certificate, using the webroot (the directory given by the -w parameter) to serve the domain-validation challenge for the domains listed.

    sudo certbot --apache -d DOMAIN1.TLD -d DOMAIN2.TLD
    sudo certbot certonly --webroot -w /var/www/html -d DOMAIN1.TLD -d DOMAIN2.TLD

RENEWAL OF EXISTING CERTIFICATE

Recommended to run regularly, as the renewal will only occur if the expiry is within the next 30 days. The --dry-run form tests the renewal against the staging environment without changing anything, and --quiet suppresses output unless something goes wrong, which makes it the form to use from cron.

    sudo certbot renew
    sudo certbot renew --dry-run
    sudo certbot renew --quiet

If that produces errors, the standalone certbot-auto script can be used instead.

    sudo ./certbot-auto certonly -d DOMAIN.TLD -d www.DOMAIN.TLD

INSPECTING CERTIFICATE

To inspect your certificate:

    sudo openssl x509 -text -noout -in CERTIFICATE_FILE

ATTACHING CERTIFICATE TO COCKPIT

The certificate needs to be rebuilt for use with Cockpit, as certbot produces .pem files and Cockpit wants a .cert and a .key in separate files.

    cd /etc/cockpit/ws-certs.d/
    # The redirect must run as root too, so wrap the whole command in sh -c;
    # a plain "sudo cat ... > file" redirects as the unprivileged user and fails here.
    sudo sh -c 'cat /etc/letsencrypt/live/DOMAIN/fullchain.pem > DOMAIN.cert'
    sudo sh -c 'cat /etc/letsencrypt/live/DOMAIN/privkey.pem > DOMAIN.key'
    # The private key must not be world-readable
    sudo chmod 600 DOMAIN.key

If you are using Fedora's Cockpit to manage your server(s), the process can be automated quite nicely. Assuming you already have automated certificate renewal in place, you can run the following as its own script or fold it into a larger one.

    #!/bin/bash
    # Force root
    [ "$(whoami)" = root ] || { sudo "$0" "$@"; exit $?; }
    set -eu

    # Set some variables
    FQDN=$(cat /etc/hostname)
    LIVE=/etc/letsencrypt/live/"$FQDN"

    # Fixes Cockpit to use the Let's Encrypt SSL cert
    cd /etc/cockpit/ws-certs.d

    # Keep a timestamped backup of the previous cert, if there is one
    if [ -f "$FQDN".cert ]; then
        mv "$FQDN".cert "$FQDN".cert.backup."$(date +%Y%m%d%H%M)"
    fi

    cat "$LIVE"/fullchain.pem > "$FQDN".cert
    cat "$LIVE"/privkey.pem > "$FQDN".key
    # The private key must not be world-readable
    chmod 600 "$FQDN".key

    systemctl restart cockpit
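The same rebuild can be tied directly to renewal rather than run on a separate schedule. The following is an added example, not from the original page: a certbot deploy hook (certbot runs scripts in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal, with RENEWED_LINEAGE set to the lineage directory). The helper name install_cockpit_cert and the key/cert consistency check are my additions; it assumes openssl is available for that check and skips it otherwise.

```bash
#!/bin/bash
# Added example: certbot deploy hook that rebuilds the Cockpit cert/key files
# after every successful renewal. Install it (mode 0755) under
# /etc/letsencrypt/renewal-hooks/deploy/; certbot exports RENEWED_LINEAGE,
# e.g. /etc/letsencrypt/live/DOMAIN, when it runs the hook.
set -eu

# install_cockpit_cert LINEAGE_DIR DEST_DIR   (hypothetical helper name)
# Returns 1 if the lineage is incomplete, 2 if the key does not match the cert.
install_cockpit_cert() {
    local lineage="$1" dest="$2" name certpub keypub
    name=$(basename "$lineage")
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1

    # Refuse a chain/key pair that does not belong together (for example a
    # half-written lineage): compare the public keys when openssl is present.
    if command -v openssl >/dev/null 2>&1; then
        certpub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey)
        keypub=$(openssl pkey -in "$lineage/privkey.pem" -pubout)
        [ "$certpub" = "$keypub" ] || return 2
    fi

    # Keep a timestamped copy of the previous cert instead of overwriting it
    if [ -f "$dest/$name.cert" ]; then
        mv "$dest/$name.cert" "$dest/$name.cert.backup.$(date +%Y%m%d%H%M)"
    fi
    install -m 0644 "$lineage/fullchain.pem" "$dest/$name.cert"
    # The private key must never be world-readable
    install -m 0600 "$lineage/privkey.pem" "$dest/$name.key"
}

# Only act when certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cockpit_cert "$RENEWED_LINEAGE" /etc/cockpit/ws-certs.d
    systemctl restart cockpit
fi
```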