Difference between revisions of "Certbot"

From Nick's Personal Wiki

Revision as of 01:02, 25 March 2026

Prerequisites

Installing Certbot

Add the EPEL repo:

sudo dnf install epel-release


Install Certbot:

sudo dnf install certbot

Verify Certbot is installed:

certbot -v

Obtaining a Certificate using Certbot

Using The Apache Plugin

sudo certbot --apache

Using The Nginx Plugin

sudo certbot --nginx

Using The Standalone Mode

Note: While the standalone mode is web-server agnostic, it will require that the web-server service be deactivated so that port 80 is available for certbot to use.

sudo certbot certonly --standalone -d domainname.com -d www.domainname.com



Automating Certificate Renewal Using Systemd

Certificates from Certbot are only valid for a few months, so they need to be renewed regularly for HTTPS to continue to be served from the servers.

To automate this renewal process, if Certbot's own renewal timer was not installed for some reason, a Systemd timer and service file pair can be created that runs Certbot's renewal on a schedule.

If additional information is needed or wanted about Systemd timers and service files, the Arch Wiki has a good reference here: https://wiki.archlinux.org/title/Systemd/Timers

Certbot Systemd Timer File

This file should be created here:

/etc/systemd/system/certbot-renewal.timer

And it should contain the following:

[Unit]
Description=Run Certbot renewal periodically
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Timer]
# Run daily at midnight
OnCalendar=*-*-* 00:00:00
# Also run 12 hours later (a second OnCalendar= adds a schedule, it does not replace the first)
OnCalendar=*-*-* 12:00:00
# Randomize start time by up to an hour to prevent a thundering herd against the CA
RandomizedDelaySec=3600
# If a scheduled run was missed while the machine was off, run it as soon as it is back up
Persistent=true

[Install]
WantedBy=timers.target


Certbot Systemd Service File

The Systemd service file should be created here:

/etc/systemd/system/certbot-renewal.service

And the service file should contain the following:
[Unit]
Description=Certbot Certificate Renewal
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet
User=root
Group=root
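As an added check (example code written for this page, not part of the wiki or of Certbot), the following Python parses the timer and service units shown above and flags the settings the renewal setup relies on; the unit text is constructed inline from the two files above rather than read from /etc.

```python
from collections import defaultdict
# Sample unit text constructed from the two files on this page (not read from /etc).
TIMER_UNIT = """[Timer]
OnCalendar=*-*-* 00:00:00
OnCalendar=*-*-* 12:00:00
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target
"""
SERVICE_UNIT = """[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet
User=root
Group=root
"""

def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}. Repeated keys (the two
    OnCalendar= lines) are kept in order; a plain INI parser would keep only one."""
    units, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            units.setdefault(section, defaultdict(list))
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        units[section][key.strip()].append(value.strip())
    return units

def check_renewal_units(timer_text, service_text):
    """Return the problems found; an empty list means the pair matches this page's layout."""
    timer, service = parse_unit(timer_text), parse_unit(service_text)
    t, inst, s = timer.get("Timer", {}), timer.get("Install", {}), service.get("Service", {})
    problems = []
    if not t.get("OnCalendar"):
        problems.append("timer: no OnCalendar= schedule, so it never fires")
    if t.get("Persistent", ["false"])[-1].lower() != "true":
        problems.append("timer: Persistent=true missing, a run missed while powered off is skipped")
    if "timers.target" not in inst.get("WantedBy", []):
        problems.append("timer: WantedBy=timers.target missing, 'systemctl enable' has no target")
    if not any("certbot" in e and "renew" in e for e in s.get("ExecStart", [])):
        problems.append("service: ExecStart does not run 'certbot renew'")
    return problems
```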


Enabling and Starting The Certbot Systemd Timer File

Reload systemd to recognize the new unit files that were created:

sudo systemctl daemon-reload

Enable the timer file so that it is started on every boot:

sudo systemctl enable certbot-renewal.timer

Start the timer manually if it is not already started:

sudo systemctl start certbot-renewal.timer

Verify that the timer is started (active) and enabled:

sudo systemctl status certbot-renewal.timer


Verifying The Timer:

List all active timers:

sudo systemctl list-timers

Check specific timer details:

systemctl list-timers --all | grep certbot

View next scheduled run:

systemctl list-timers | grep certbot


Testing The Service File Manually:

Trigger a dry-run renewal:

sudo systemctl start certbot-renewal.service

Check if it executed successfully:

sudo systemctl status certbot-renewal.service


Special Note: If the server the certificates are for is located "behind" a reverse-proxy server, install and run Certbot, and keep the certificates, on the reverse-proxy server instead of locally on the intended server. Certbot will be unable to perform the checks it needs to verify your intended server while it is "behind" the reverse-proxy server.

Be sure to update the file located at:

/etc/nginx/conf.d/reverse-proxy.conf

To include the below:

server {
    listen 443 ssl http2; #This is required or it will not function
    server_name domainname.com;

    ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
}

And if HTTP to HTTPS redirection is desired, include the below as well in the same file:

server {
    listen 80;
    server_name domainname.com;
    return 301 https://$server_name$request_uri;
}