Certbot

From Nick's Personal Wiki
Revision as of 10:54, 24 March 2026 by Nick (talk | contribs) (Initial commit / Information dump from labwork)

This is placeholder text for future editing.

Add the EPEL repo:

   sudo dnf install epel-release

Install Certbot (the package is named certbot):

   sudo dnf install certbot

   # Verify installation
   certbot -v


Obtaining a certificate (pick one method):

   # Apache plugin
   sudo certbot --apache

   # Nginx plugin
   sudo certbot --nginx

   # Standalone mode: certbot answers the validation request itself on port 80,
   # so nothing else may be listening on that port while it runs
   sudo certbot certonly --standalone -d domainname.com -d www.domainname.com



Certbot Timer File Location: /etc/systemd/system/certbot-renewal.timer

Certbot Timer File Contents:

   [Unit]
   Description=Run Certbot renewal periodically
   Documentation=https://certbot.eff.org/docs/using.html#renewal

   [Timer]
   # Run daily at midnight
   OnCalendar=*-*-* 00:00:00
   # Also run 12 hours later
   OnCalendar=*-*-* 12:00:00
   # Randomize start time slightly to prevent thundering herd
   RandomizedDelaySec=3600
   # Persist across reboots
   Persistent=true

   [Install]
   WantedBy=timers.target



Certbot Service File Location: /etc/systemd/system/certbot-renewal.service

Certbot Service File Contents:

   [Unit]
   Description=Certbot Certificate Renewal
   Documentation=https://certbot.eff.org/docs/using.html#renewal

   [Service]
   Type=oneshot
   ExecStart=/usr/bin/certbot renew --quiet
   User=root
   Group=root


Enabling and Starting The Timer:

   # Reload systemd to recognize the new units
   sudo systemctl daemon-reload

   # Enable the timer (starts on boot)
   sudo systemctl enable certbot-renewal.timer

   # Start the timer immediately
   sudo systemctl start certbot-renewal.timer

   # Verify it's active
   sudo systemctl status certbot-renewal.timer


Verifying The Timer:

   # List all active timers
   sudo systemctl list-timers

   # Check specific timer details (includes inactive timers)
   systemctl list-timers --all | grep certbot

   # View next scheduled run
   systemctl list-timers | grep certbot


Testing The Service File Manually:

   # Trigger a renewal run right now. Note this runs the real "certbot renew --quiet"
   # from the unit file; for a rehearsal that changes nothing, run "certbot renew --dry-run" instead
   sudo systemctl start certbot-renewal.service

   # Check if it executed successfully
   sudo systemctl status certbot-renewal.service
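As an added check that is not part of the wiki page: a small POSIX shell script that reports the days left on every certificate lineage under the live directory, so you can confirm the timer is actually renewing certificates rather than just firing. The live path, the 30-day threshold (Certbot's own renewal window) and the --run flag are assumptions; it relies on GNU date as found on the dnf-based hosts above.

```shell
#!/bin/sh
# Added example, not from the wiki page: report how many days each Let's Encrypt
# certificate has left and flag lineages the renewal timer should have renewed.
# Assumed: /etc/letsencrypt/live layout, a 30-day threshold, GNU date.
set -eu

# Print the number of whole days until the certificate in PEM file $1 expires
# (negative once it has already expired).
cert_days_left() {
    pem="$1"
    # openssl prints e.g. "notAfter=Jun 12 10:54:00 2026 GMT"
    not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$not_after" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Classify a day count: certbot renews when fewer than 30 days remain, so a
# working timer keeps every lineage in the OK state; DUE means it has not run.
renewal_state() {
    days="$1"; threshold="${2:-30}"
    if [ "$days" -lt 0 ]; then
        echo EXPIRED
    elif [ "$days" -lt "$threshold" ]; then
        echo DUE
    else
        echo OK
    fi
}

# Walk every lineage under the live directory (default /etc/letsencrypt/live),
# print "<name> <days> <state>" per lineage, exit 1 if any is DUE or EXPIRED.
check_live_dir() {
    live="${1:-/etc/letsencrypt/live}"
    rc=0
    for dir in "$live"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        days=$(cert_days_left "$dir/fullchain.pem")
        state=$(renewal_state "$days")
        printf '%s %s %s\n' "$(basename "$dir")" "$days" "$state"
        [ "$state" = OK ] || rc=1
    done
    return $rc
}

# Usage: sh check-certs.sh --run [/path/to/live]   (assumed file name)
if [ "${1:-}" = "--run" ]; then
    check_live_dir "${2:-}"
fi
```

Run it as root (or any user that can read fullchain.pem) after a manual start of certbot-renewal.service to see the day counts move.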


Special Note: If the server the certificates are for is located "behind" a reverse-proxy server, install and run Certbot, and keep the certificates, on the reverse-proxy server instead of on the intended server. The validation request Let's Encrypt sends for the domain reaches the reverse proxy, not the server behind it, so Certbot running on the intended server will be unable to complete the checks it needs.

Be sure to update the file located at /etc/nginx/conf.d/reverse-proxy.conf to include the below:

   server {
       listen 443 ssl http2; # This is required or it will not function
       server_name domainname.com;
       ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
   }

And if HTTP to HTTPS redirecting is desired:

   server {
       listen 80;
       server_name domainname.com;
       return 301 https://$server_name$request_uri;
   }

Keep in mind that "certbot renew" only rewrites the files under /etc/letsencrypt/live; nginx keeps serving the old certificate until it is reloaded (for example with a --deploy-hook that runs "systemctl reload nginx"), and a certificate obtained in standalone mode needs port 80 free at renewal time, which conflicts with the listen 80 block above.