Difference between revisions of "Certbot"
(Initial commit / Information dump from labwork)
(Added plaintext boxes for code snippets)
| Line 2: | Line 2: | ||
Add the EPEL repo: | Add the EPEL repo: | ||
| − | sudo dnf install epel-release | + | <nowiki>sudo dnf install epel-release</nowiki> |
Install Certbot: | Install Certbot: | ||
| − | sudo dnf install cerbot | + | <nowiki>sudo dnf install cerbot</nowiki> |
#Verify installation | #Verify installation | ||
| − | certbot -v | + | <nowiki>certbot -v</nowiki> |
Obtaining a certificate: | Obtaining a certificate: | ||
#Apache plugin | #Apache plugin | ||
| − | sudo certbot --apache | + | <nowiki>sudo certbot --apache</nowiki> |
#Nginx plugin | #Nginx plugin | ||
| − | sudo certbot --nginx | + | <nowiki>sudo certbot --nginx</nowiki> |
#Standalone mode | #Standalone mode | ||
| − | sudo certbot certonly --standalone -d domainname.com -d www.domainname.com | + | <nowiki>sudo certbot certonly --standalone -d domainname.com -d www.domainname.com</nowiki> |
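Review bot: `sudo dnf install cerbot` is identical on both sides of this hunk and is a typo; the EPEL package is `certbot`, so the line should read `sudo dnf install certbot`. In the same hunk, `certbot -v` under "Verify installation" is the verbose flag, and with no subcommand certbot defaults to `run`, so it starts an interactive issuance instead of printing the version; the check meant here is `certbot --version`.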
| Line 27: | Line 27: | ||
Certbot Timer File Location: | Certbot Timer File Location: | ||
| − | /etc/systemd/system/certbot-renewal.timer | + | <nowiki>/etc/systemd/system/certbot-renewal.timer</nowiki> |
Certbot Timer File Contents: | Certbot Timer File Contents: | ||
| − | [Unit] | + | <nowiki>[Unit] |
Description=Run Certbot renewal periodically | Description=Run Certbot renewal periodically | ||
Documentation=https://certbot.eff.org/docs/using.html#renewal | Documentation=https://certbot.eff.org/docs/using.html#renewal | ||
| Line 46: | Line 46: | ||
[Install] | [Install] | ||
| − | WantedBy=timers.target | + | WantedBy=timers.target</nowiki> |
| Line 52: | Line 52: | ||
Certbot Service File Location: | Certbot Service File Location: | ||
| − | /etc/systemd/system/certbot-renewal.service | + | <nowiki>/etc/systemd/system/certbot-renewal.service |
Certbot Service File Contents: | Certbot Service File Contents: | ||
| − | [Unit] | + | <nowiki>[Unit] |
Description=Certbot Certificate Renewal | Description=Certbot Certificate Renewal | ||
Documentation=https://certbot.eff.org/docs/using.html#renewal | Documentation=https://certbot.eff.org/docs/using.html#renewal | ||
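Review bot: the `<nowiki>` opened on the `/etc/systemd/system/certbot-renewal.service` line is never closed before a second `<nowiki>` opens on the `[Unit]` line, so the single `</nowiki>` after `Group=root` leaves the file location, the "Certbot Service File Contents:" label and a literal `<nowiki>` rendered as one run-on block. Close it on the same line, as the timer hunk above does: `<nowiki>/etc/systemd/system/certbot-renewal.service</nowiki>`.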
| Line 63: | Line 63: | ||
ExecStart=/usr/bin/certbot renew --quiet | ExecStart=/usr/bin/certbot renew --quiet | ||
User=root | User=root | ||
| − | Group=root | + | Group=root </nowiki> |
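Review bot: `ExecStart=/usr/bin/certbot renew --quiet` writes the renewed files under /etc/letsencrypt/live, but nothing reloads nginx, so the reverse proxy keeps serving the certificate it loaded at start-up until it is next restarted. Add a deploy hook, e.g. `ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"`, or place an executable script in /etc/letsencrypt/renewal-hooks/deploy/. The trailing space in `Group=root </nowiki>` is harmless to systemd but worth trimming.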
| Line 69: | Line 69: | ||
Enabling and Starting The Timer | Enabling and Starting The Timer | ||
# Reload systemd to recognize new units | # Reload systemd to recognize new units | ||
| − | sudo systemctl daemon-reload | + | <nowiki>sudo systemctl daemon-reload</nowiki> |
# Enable the timer (starts on boot) | # Enable the timer (starts on boot) | ||
| − | sudo systemctl enable certbot-renewal.timer | + | <nowiki>sudo systemctl enable certbot-renewal.timer</nowiki> |
# Start the timer immediately | # Start the timer immediately | ||
| − | sudo systemctl start certbot-renewal.timer | + | <nowiki>sudo systemctl start certbot-renewal.timer</nowiki> |
# Verify it's active | # Verify it's active | ||
| − | sudo systemctl status certbot-renewal.timer | + | <nowiki>sudo systemctl status certbot-renewal.timer</nowiki> |
| Line 84: | Line 84: | ||
Verifying The Timer: | Verifying The Timer: | ||
# List all active timers | # List all active timers | ||
| − | sudo systemctl list-timers | + | <nowiki>sudo systemctl list-timers</nowiki> |
# Check specific timer details | # Check specific timer details | ||
| − | systemctl list-timers --all | grep certbot | + | <nowiki>systemctl list-timers --all | grep certbot</nowiki> |
# View next scheduled run | # View next scheduled run | ||
| − | systemctl list-timers | grep certbot | + | <nowiki>systemctl list-timers | grep certbot</nowiki> |
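Review bot: the two `grep certbot` lines produce the same columns (NEXT, LEFT, LAST, PASSED, UNIT, ACTIVATES); `--all` only adds inactive timers to the listing, so the "Check specific timer details" and "View next scheduled run" comments describe one command. Keep one of them, or use `systemctl status certbot-renewal.timer` for per-timer details.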
| Line 96: | Line 96: | ||
Testing The Service File Manually: | Testing The Service File Manually: | ||
# Trigger a dry-run renewal | # Trigger a dry-run renewal | ||
| − | sudo systemctl start certbot-renewal.service | + | <nowiki>sudo systemctl start certbot-renewal.service</nowiki> |
# Check if it executed successfully | # Check if it executed successfully | ||
| − | sudo systemctl status certbot-renewal.service | + | <nowiki>sudo systemctl status certbot-renewal.service</nowiki> |
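Review bot: the comment "Trigger a dry-run renewal" does not match what the unit runs: `certbot renew --quiet` is a live renewal that is a no-op unless a certificate is within 30 days of expiry, so on a fresh certificate it exits 0 having done nothing, which tells you little about whether the challenge will work. A real dry run against the staging environment, which leaves the live certificates untouched, is `sudo certbot renew --dry-run`, run directly rather than through the unit.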
| Line 107: | Line 107: | ||
Be sure to update the file located at: | Be sure to update the file located at: | ||
| − | /etc/nginx/conf.d/reverse-proxy.conf | + | <nowiki>/etc/nginx/conf.d/reverse-proxy.conf</nowiki> |
To include the below: | To include the below: | ||
| − | server { | + | <nowiki>server { |
listen 443 ssl http2; #This is required or it will not function | listen 443 ssl http2; #This is required or it will not function | ||
server_name domainname.com; | server_name domainname.com; | ||
| Line 116: | Line 116: | ||
ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem; | ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem; | ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem; | ||
| − | } | + | }</nowiki> |
| − | And if HTTP > HTTPS redirecting is desired: | + | And if HTTP > HTTPS redirecting is desired, include the below as well in the same file: |
| − | server { | + | <nowiki>server { |
listen 80; | listen 80; | ||
server_name domainname.com; | server_name domainname.com; | ||
return 301 https://$server_name$request_uri; | return 301 https://$server_name$request_uri; | ||
| − | } | + | }</nowiki> |
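Review bot: with nginx bound to port 80 (`listen 80;`), a certificate obtained with `certbot certonly --standalone` as shown in the first hunk cannot renew: `certbot renew` reuses the authenticator recorded at issuance, and standalone needs port 80 free, so renewals from the timer will fail once nginx is running. Issue with `--nginx` or `--webroot` instead, or wrap standalone with `--pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"`. The `#This is required or it will not function` comment should also say what is required: the `ssl` parameter on `listen`, which makes nginx terminate TLS on that port with the certificate below; on nginx 1.25.1 or newer the `http2` listen parameter is deprecated in favour of a separate `http2 on;` directive.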
Revision as of 00:35, 25 March 2026
This is placeholder text for future editing.
Add the EPEL repo:
sudo dnf install epel-release
Install Certbot:
sudo dnf install certbot
- Verify installation (prints the installed version; plain certbot -v would start an interactive issuance in verbose mode instead)
certbot --version
Obtaining a certificate:
- Apache plugin
sudo certbot --apache
- Nginx plugin
sudo certbot --nginx
- Standalone mode (Certbot runs its own temporary web server on port 80 to answer the challenge, so nothing else may be listening on port 80 while this runs)
sudo certbot certonly --standalone -d domainname.com -d www.domainname.com
Certbot Timer File Location:
/etc/systemd/system/certbot-renewal.timer
Certbot Timer File Contents:
[Unit]
Description=Run Certbot renewal periodically
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Timer]
# Run daily at midnight
OnCalendar=*-*-* 00:00:00
# Also run 12 hours later
OnCalendar=*-*-* 12:00:00
# Randomize start time slightly to prevent thundering herd
RandomizedDelaySec=3600
# Persist across reboots
Persistent=true

[Install]
WantedBy=timers.target
Certbot Service File Location:
/etc/systemd/system/certbot-renewal.service
Certbot Service File Contents:
[Unit]
Description=Certbot Certificate Renewal
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Service]
Type=oneshot
# The deploy hook runs only after a successful renewal and reloads nginx so the
# reverse proxy serves the new certificate instead of the one loaded at start-up
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
User=root
Group=root
Enabling and Starting The Timer
- Reload systemd to recognize new units
sudo systemctl daemon-reload
- Enable the timer (starts on boot)
sudo systemctl enable certbot-renewal.timer
- Start the timer immediately
sudo systemctl start certbot-renewal.timer
- Verify it's active
sudo systemctl status certbot-renewal.timer
Verifying The Timer:
- List all active timers
sudo systemctl list-timers
- Check specific timer details
systemctl list-timers --all | grep certbot
- View next scheduled run
systemctl list-timers | grep certbot
Testing The Service File Manually:
- Run the renewal service once by hand (certbot renew is a no-op unless a certificate is within 30 days of expiry; to test the challenge against the staging environment without touching live certificates, run sudo certbot renew --dry-run directly instead)
sudo systemctl start certbot-renewal.service
- Check if it executed successfully
sudo systemctl status certbot-renewal.service
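The service above only renews a certificate once it is inside certbot's renewal window (30 days before expiry by default), which is why a manual run on a fresh certificate appears to do nothing. The script below is an added example, not code from the original page or from the certbot project: it reproduces that decision with openssl alone, so it can double as a monitoring check next to the timer. The /etc/letsencrypt/live/<name>/fullchain.pem layout is certbot's real one; the domain name and the throwaway self-signed certificate are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page or certbot): decide, the way
# "certbot renew" does, whether each certificate is due for renewal.
# Assumptions: certbot's default renew_before_expiry of 30 days, the live
# directory layout /etc/letsencrypt/live/<name>/fullchain.pem, and a
# constructed self-signed certificate for domainname.com as test input.
set -u

# needs_renewal CERT_FILE [DAYS]: exit 0 if CERT_FILE expires within DAYS
# days (default 30), exit 1 if it stays valid beyond that window.
needs_renewal() {
  cert="$1"; days="${2:-30}"
  # openssl -checkend exits 0 while the certificate remains valid for that
  # many seconds, so its failure is exactly "renewal is due"
  if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# make_test_cert OUT_PEM DAYS: constructed self-signed certificate for
# domainname.com valid for DAYS days, standing in for a Let's Encrypt cert.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=domainname.com" >/dev/null 2>&1
}

# check_live_dir [DIR]: report every lineage under DIR (default certbot's
# live directory) and exit 0 only when none of them is due for renewal.
check_live_dir() {
  dir="${1:-/etc/letsencrypt/live}"
  due=0
  for pem in "$dir"/*/fullchain.pem; do
    [ -f "$pem" ] || continue
    if needs_renewal "$pem"; then
      echo "DUE: $pem"
      due=1
    else
      echo "ok:  $pem"
    fi
  done
  return "$due"
}
```

Run it as root after the timer has fired (`sh check-renewal.sh; check_live_dir`) or drop `check_live_dir` into an existing monitoring job: a lineage that stays "DUE" across two timer runs means the renewal in the service unit is failing and its journal needs looking at.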
Special Note: If the server the certificates are for sits behind a reverse-proxy server, install and run Certbot on the reverse-proxy server and keep the certificates there instead of on the backend server. The ACME HTTP-01 challenge is answered by whichever host receives the request for http://domainname.com/.well-known/acme-challenge/ from the public Internet, and that host is the proxy, so Certbot running on the backend cannot complete the check; the proxy is also where the certificate and key belong, because it is the host that terminates TLS for the domain.
Be sure to update the file located at:
/etc/nginx/conf.d/reverse-proxy.conf
To include the below:
server {
listen 443 ssl http2; # the ssl parameter is required: it makes nginx terminate TLS on this port with the certificate below (nginx 1.25.1 and later deprecate the http2 listen parameter in favour of a separate "http2 on;" line)
server_name domainname.com;
ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
}
And if HTTP > HTTPS redirecting is desired, include the below as well in the same file:
server {
listen 80;
server_name domainname.com;
return 301 https://$server_name$request_uri;
}
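Because nginx reads the certificate files at start-up, a renewal by the service unit above only reaches clients after nginx reloads. The hook below is an added example, not code from the original page or the certbot project: placed as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ it runs after every successful renewal, with the real RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to deploy hooks, and reloads nginx only when the renewed lineage is actually referenced by the reverse-proxy config. The config path /etc/nginx/conf.d/reverse-proxy.conf and the domain follow this page's examples; the NGINX_CONF override is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original page or certbot): deploy hook for
# /etc/letsencrypt/renewal-hooks/deploy/ that reloads nginx after a renewal.
# Assumptions: certbot sets RENEWED_LINEAGE (e.g.
# /etc/letsencrypt/live/domainname.com) and RENEWED_DOMAINS for deploy hooks;
# the reverse-proxy config path follows this page; NGINX_CONF is an override
# introduced here so the matching logic can be tested against another file.
set -u

NGINX_CONF="${NGINX_CONF:-/etc/nginx/conf.d/reverse-proxy.conf}"

# lineage_in_conf LINEAGE CONF: exit 0 if CONF has an ssl_certificate or
# ssl_certificate_key directive pointing into LINEAGE, exit 1 otherwise.
# The trailing "/" in the pattern stops /live/domainname matching
# /live/domainname.com, and regex metacharacters in the path are escaped.
lineage_in_conf() {
  esc=$(printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g')
  grep -Eq "^[[:space:]]*ssl_certificate(_key)?[[:space:]]+${esc}/" "$2"
}

# reload_if_valid: test the configuration before reloading, so a broken
# config cannot take the proxy down at renewal time; returns nginx's status.
reload_if_valid() {
  nginx -t >/dev/null 2>&1 && systemctl reload nginx
}

# Hook entry point: certbot sets RENEWED_LINEAGE only when invoking the hook,
# so sourcing or running this file by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  if lineage_in_conf "$RENEWED_LINEAGE" "$NGINX_CONF"; then
    echo "reloading nginx for ${RENEWED_DOMAINS:-$RENEWED_LINEAGE}"
    reload_if_valid
  fi
fi
```

Install it with `sudo install -m 0755 reload-nginx.sh /etc/letsencrypt/renewal-hooks/deploy/`; certbot runs everything in that directory after a successful renewal, so the `--deploy-hook` flag on the service unit is not needed in addition. Keeping the `nginx -t` gate means a config error introduced between renewals shows up as a failed hook in the journal rather than as a proxy that will not start.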