Certbot
Prerequisites
Installing Certbot
Add the EPEL repo:
sudo dnf install epel-release
Install Certbot:
sudo dnf install certbot
Verify Certbot is installed:
certbot --version
Obtaining a Certificate using Certbot
Using The Apache Plugin
sudo certbot --apache
Using The Nginx Plugin
sudo certbot --nginx
Using The Standalone Mode
Note: While the standalone mode is web server agnostic, it requires that the web server service be stopped so that port 80 is free for Certbot to use.
sudo certbot certonly --standalone -d domainname.com -d www.domainname.com
Automating Certificate Renewal Using Systemd
Certificates issued through Certbot are only valid for a few months, so they must be renewed regularly for the servers to keep serving HTTPS.
To automate this, if Certbot's own renewal timer was not installed for some reason, systemd timer and service files can be created to run Certbot's renewal on a schedule.
For more information about systemd timers and service files, the Arch Wiki has a good reference.
Certbot Systemd Timer File
This file should be created here:
/etc/systemd/system/certbot-renewal.timer
And it should contain the following:
[Unit]
Description=Run Certbot renewal periodically
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Timer]
# Run daily at midnight
OnCalendar=*-*-* 00:00:00
# Also run 12 hours later
OnCalendar=*-*-* 12:00:00
# Randomize start time slightly to prevent thundering herd
RandomizedDelaySec=3600
# Persist across reboots
Persistent=true

[Install]
WantedBy=timers.target
Certbot Systemd Service File
The Systemd service file should be created here:
/etc/systemd/system/certbot-renewal.service
And the service file should contain the following:
[Unit]
Description=Certbot Certificate Renewal
Documentation=https://certbot.eff.org/docs/using.html#renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet
User=root
Group=root
Enabling and Starting The Certbot Systemd Timer File
Reload systemd to recognize the new unit files that were created:
sudo systemctl daemon-reload
Enable the timer file so that it is started on every boot:
sudo systemctl enable certbot-renewal.timer
Start the timer manually if it is not already started:
sudo systemctl start certbot-renewal.timer
Verify that the timer is started (active) and enabled:
sudo systemctl status certbot-renewal.timer
Verifying The Timer:
- List all active timers
sudo systemctl list-timers
- Check specific timer details
systemctl list-timers --all | grep certbot
- View next scheduled run
systemctl list-timers | grep certbot
Testing The Service File Manually:
- Trigger the renewal service manually (note that this runs a real "certbot renew"; to test the renewal without touching any certificate, run "sudo certbot renew --dry-run" instead)
sudo systemctl start certbot-renewal.service
- Check if it executed successfully
sudo systemctl status certbot-renewal.service
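Once the timer is in place, what actually matters is that renewals keep happening. The following monitoring script is an added example, not part of this wiki page; it assumes Certbot's default /etc/letsencrypt/live/<domain>/fullchain.pem layout and the certbot-renewal.timer unit name used above, and exits non-zero if any certificate is inside the renewal window or the timer is not active.

```bash
#!/usr/bin/env bash
# Added monitoring script (not from this wiki page): reports any certificate under
# Certbot's live directory that is inside the renewal window, and checks that the
# certbot-renewal.timer defined above is active. Non-zero exit on any problem.
set -u

CERT_ROOT="${CERT_ROOT:-/etc/letsencrypt/live}"   # assumed Certbot default layout
WARN_DAYS="${WARN_DAYS:-30}"                      # Certbot renews at 30 days left
TIMER_UNIT="${TIMER_UNIT:-certbot-renewal.timer}" # timer unit name from this page

# Prints the notAfter line of the certificate in $1.
cert_not_after() { openssl x509 -noout -enddate -in "$1"; }

# Returns 0 if the certificate in $1 will have expired $2 days from now,
# 1 if it is still valid then, 2 if the file cannot be parsed. openssl's
# -checkend does the date arithmetic, so no date(1) portability issues.
cert_expires_within() {
    local pem="$1" days="$2"
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || return 2
    openssl x509 -noout -in "$pem" -checkend "$((days * 86400))" >/dev/null && return 1
    return 0
}

# Returns 0 only if the systemd timer is currently active.
timer_is_active() { systemctl is-active --quiet "$TIMER_UNIT"; }

# Walks every live certificate and the timer; returns non-zero on any problem.
check_all() {
    local rc=0 pem
    for pem in "$CERT_ROOT"/*/fullchain.pem; do
        [ -e "$pem" ] || { echo "no certificates found under $CERT_ROOT" >&2; return 1; }
        cert_expires_within "$pem" "$WARN_DAYS"
        case $? in
            0) echo "WARN $pem expires within $WARN_DAYS days ($(cert_not_after "$pem"))"; rc=1 ;;
            1) echo "OK   $pem ($(cert_not_after "$pem"))" ;;
            *) echo "WARN $pem is unreadable or not a certificate" >&2; rc=1 ;;
        esac
    done
    timer_is_active || { echo "WARN $TIMER_UNIT is not active" >&2; rc=1; }
    return "$rc"
}

# Run the check only when invoked as "certcheck.sh check", so the file can be sourced too.
[ "${1:-}" = check ] && check_all
```

Run it as "sudo bash certcheck.sh check" from cron or a monitoring agent; a WARN line for a certificate with fewer than 30 days left means the timer fired but certbot renew itself failed, so check "sudo systemctl status certbot-renewal.service" and /var/log/letsencrypt.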
Special Note: If the server the certificates are for sits "behind" a reverse proxy, install and run Certbot on the reverse proxy and keep the certificates there, rather than on the backend server itself. Certbot cannot complete the validation checks it needs for the backend server while that server is "behind" the reverse proxy.
Be sure to update the file located at:
/etc/nginx/conf.d/reverse-proxy.conf
To include the below:
server {
    listen 443 ssl http2; # This is required or it will not function
    server_name domainname.com;
    ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
}
And if HTTP to HTTPS redirecting is desired, include the below as well in the same file:
server {
    listen 80;
    server_name domainname.com;
    return 301 https://$server_name$request_uri;
}