CentOS Stream 9
Sponsored Link

Get SSL Certificate (Let's Encrypt)
2022/01/18
 
Get SSL/TLS Certificates from Let's Encrypt who provides Free SSL/TLS Certificates.
Refer to the details for Let's Encrypt official site below.
⇒ https://letsencrypt.org/
The expiration date of a cert from Let's Encrypt is 90 days, so you must update within next 90 days later.
However, if you installed Certbot package from Snapd like follows, Systemd Timer script is included in it, so renewal is done automatically.
[1]
[2] Install Certbot client from Snapd.
[root@dlp ~]#
snap install certbot --classic

certbot 1.24.0 from Certbot Project (certbot-eff✓) installed
[root@dlp ~]#
ln -s /snap/bin/certbot /usr/bin/certbot

[3] Get certificates.
It needs Web server like Apache httpd or Nginx must be runing on the server you work.
If no Web server is running, skip this section and Refer to [3] section.
Furthermore, it needs that it's possible to access from the Internet to your working server on port 80 because of verification from Let's Encrypt.
# for the option [--webroot], use a directory under the webroot on your server as a working temp
# -w [document root] -d [FQDN you'd like to get certs]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname
if you'd like to get certs for more than 2 FQDNs, specify all like below
# ex : if get [srv.world] and [dlp.srv.world]
# ⇒ [-d srv.world -d dlp.srv.world]
[root@dlp ~]#
certbot certonly --webroot -w /var/www/html -d dns.srv.world

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
# for only initial using, register your email address and agree to terms of use
# specify valid email address
 (Enter 'c' to cancel): root@mail.srv.world

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# agree to the terms of use
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for dns.srv.world

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/dns.srv.world/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/dns.srv.world/privkey.pem
This certificate expires on 2022-02-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# success if [Successfully received certificate] is shown
# certs are created under the [/etc/letsencrypt/live/(FQDN)/] directory

# cert.pem       ⇒  SSL Server cert(includes public-key)
# chain.pem      ⇒  intermediate certificate
# fullchain.pem  ⇒  combined file cert.pem and chain.pem
# privkey.pem    ⇒  private-key file
[4] If no Web Server is running on your working server, it's possbile to get certs with using Certbot's Web Server feature. Anyway, it needs that it's possible to access from the Internet to your working server on port 80 because of verification from Let's Encrypt.
# for the option [--standalone], use Certbot's Web Server feature
# -d [FQDN you'd like to get certs]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# if you'd like to get certs for more than 2 FQDNs, specify all like below
# ex : if get [srv.world] and [www.srv.world] ⇒ specify [-d srv.world -d www.srv.world]
[root@dlp ~]#
certbot certonly --standalone -d rx-9.srv.world

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for rx-9.srv.world

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/rx-9.srv.world/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/rx-9.srv.world/privkey.pem
This certificate expires on 2022-02-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[5] For Updating existing certs, use [renew] subcommand.
To run [renew] subcommand, all certs which have less than 30 days expiration are updated.
If you'd like to update certs which has more than 30 days expiration, add [--force-renew] option.
However, [certbot] package from Snapd has systemd timer, so it does not need to run it manually anymore.
# systemd timer script is included in Snapd Certbot package

[root@dlp ~]#
systemctl status snap.certbot.renew.timer

*  snap.certbot.renew.timer - Timer renew for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; ven>
     Active: active (waiting) since Mon 2022-03-14 13:24:13 JST; 14min ago
      Until: Mon 2022-03-14 13:24:13 JST; 14min ago
    Trigger: Mon 2022-03-14 13:48:00 JST; 8min left
   Triggers: * snap.certbot.renew.service

# [renew] is run 2 times every day like follows by default

[root@dlp ~]#
systemctl cat snap.certbot.renew.timer

# /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-1842.mount
After=var-lib-snapd-snap-certbot-1842.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 03:58
OnCalendar=*-*-* 13:48

[Install]
WantedBy=timers.target

# for manual update, do like follows

[root@dlp ~]#
certbot renew

[6] If you'd like to convert certificates to PKCS12 (PFX) format for Windows, do like follows.
[root@dlp ~]#
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out dlp_for_iis.pfx

Enter Export Password:     # set any export password
Verifying - Enter Export Password:
Matched Content