Get SSL Certificate (Let's Encrypt)
2021/07/20
Get SSL/TLS certificates from Let's Encrypt, which provides them free of charge.
Refer to the Let's Encrypt official site for details.
⇒ https://letsencrypt.org/
A certificate from Let's Encrypt is valid for 90 days, so you must renew it before those 90 days are up.
However, if you install the Certbot package from Snapd as shown below, a systemd timer is included with it, so renewal is done automatically.
[2] Install the Certbot client from Snapd.
[root@dlp ~]# snap install certbot --classic
certbot 1.17.0 from Certbot Project (certbot-eff✓) installed
[root@dlp ~]# ln -s /snap/bin/certbot /usr/bin/certbot
[3] Get certificates. A web server such as Apache httpd or Nginx must be running on the server you are working on. If no web server is running, skip this section and refer to section [4]. Furthermore, your working server must be reachable from the Internet on port 80, because Let's Encrypt verifies control of the domain over HTTP.
# for the [--webroot] option, Certbot uses a directory under your server's document root as a temporary working directory
# -w [document root] -d [FQDN you'd like to get certs for]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# to get certs for 2 or more FQDNs, specify all of them like below
# ex : for [srv.world] and [dlp.srv.world] ⇒ [-d srv.world -d dlp.srv.world]
[root@dlp ~]# certbot certonly --webroot -w /var/www/html -d dlp.srv.world
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for dlp.srv.world

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/dlp.srv.world/fullchain.pem
Key is saved at: /etc/letsencrypt/live/dlp.srv.world/privkey.pem
This certificate expires on 2021-10-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# success if [Successfully received certificate] is shown
# certs are created under the [/etc/letsencrypt/live/(FQDN)/] directory
# cert.pem ⇒ SSL server cert (includes the public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ cert.pem and chain.pem combined into one file
# privkey.pem ⇒ private key file
[4] If no web server is running on your working server, you can get certs using Certbot's built-in web server (standalone mode). This also requires that your working server is reachable from the Internet on port 80, because Let's Encrypt verifies control of the domain over HTTP.
# for the [--standalone] option, Certbot uses its own built-in web server
# -d [FQDN you'd like to get certs for]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# to get certs for 2 or more FQDNs, specify all of them like below
# ex : for [srv.world] and [mail.srv.world] ⇒ [-d srv.world -d mail.srv.world]
[root@dlp ~]# certbot certonly --standalone -d mail.srv.world
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mail.srv.world

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.srv.world/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.srv.world/privkey.pem
This certificate expires on 2021-10-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[5] To update existing certs, use the [renew] subcommand. When [renew] runs, all certs with less than 30 days left until expiration are updated. To update certs that still have more than 30 days left, add the [--force-renew] option. However, the [certbot] package from Snapd includes a systemd timer, so you no longer need to run it manually.
# systemd timer script is included in Snapd Certbot package
[root@dlp ~]# systemctl status snap.certbot.renew.timer
* snap.certbot.renew.timer - Timer renew for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; vendo>
     Active: active (waiting) since Tue 2021-07-20 16:09:57 JST; 14min ago
    Trigger: Wed 2021-07-21 01:04:00 JST; 8h left

# [renew] is run 2 times every day like follows by default
[root@dlp ~]# systemctl cat snap.certbot.renew.timer
# /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-1280.mount
After=var-lib-snapd-snap-certbot-1280.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 01:04
OnCalendar=*-*-* 15:07

[Install]
WantedBy=timers.target

# for manual update, do like follows
[root@dlp ~]# certbot renew
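The script below is an added example, not part of the original page and not Certbot's own code. It checks the four files in [/etc/letsencrypt/live/(FQDN)/] from section [3] (the private key belongs to cert.pem, and fullchain.pem is exactly cert.pem followed by chain.pem) and applies the 30 day rule from section [5] with [openssl x509 -checkend], which is a useful second opinion when you want to confirm the timer is actually keeping a cert fresh. It assumes the openssl command is installed; the function names are the example's own, and [make_fixture] builds constructed test data from self-signed certificates so the checks can be tried without a real Let's Encrypt directory.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for a Let's Encrypt
# live directory, /etc/letsencrypt/live/(FQDN)/. Requires the openssl command.

# Does the private key belong to the certificate? Compare the public keys
# embedded in each; both commands emit the same PEM SubjectPublicKeyInfo.
key_matches_cert() {
    # $1 = privkey.pem  $2 = cert.pem
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Is fullchain.pem exactly cert.pem followed by chain.pem?
fullchain_consistent() {
    # $1 = live directory
    [ "$(cat "$1/cert.pem" "$1/chain.pem")" = "$(cat "$1/fullchain.pem")" ]
}

# Does the certificate expire within the next $2 days (default 30, the same
# window [certbot renew] uses)? openssl -checkend exits 0 when the cert is still
# valid after the given number of seconds, 1 when it will have expired.
needs_renew() {
    # $1 = cert.pem  $2 = window in days
    days=${2:-30}
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1   # still valid beyond the window: nothing to do
    else
        return 0   # expires within the window: renewal is due
    fi
}

# Report on one live directory; returns non-zero if any check fails.
check_live_dir() {
    dir=$1
    status=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$dir/$f" ] || { echo "missing: $dir/$f"; status=1; }
    done
    [ "$status" -eq 0 ] || return "$status"
    key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" \
        && echo "key matches cert" || { echo "KEY/CERT MISMATCH"; status=1; }
    fullchain_consistent "$dir" \
        && echo "fullchain = cert + chain" || { echo "FULLCHAIN INCONSISTENT"; status=1; }
    enddate=$(openssl x509 -in "$dir/cert.pem" -noout -enddate)
    if needs_renew "$dir/cert.pem" 30; then
        echo "renewal due ($enddate)"
    else
        echo "not yet due ($enddate)"
    fi
    return "$status"
}

# Constructed fixture (test data, not real Let's Encrypt output): a throwaway
# self-signed leaf for dlp.srv.world valid for $2 days, plus a second
# self-signed cert standing in for the intermediate in chain.pem.
make_fixture() {
    # $1 = directory to create  $2 = leaf validity in days
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/privkey.pem" \
        -out "$1/cert.pem" -days "$2" -subj "/CN=dlp.srv.world" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/chain.pem" -days 365 -subj "/CN=constructed-intermediate" 2>/dev/null
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

# Usage: sh check-live.sh /etc/letsencrypt/live/dlp.srv.world
if [ $# -gt 0 ]; then
    check_live_dir "$1"
fi
```

Run it against the live directory of each FQDN you issued; a "renewal due" line from a host whose timer shows [active (waiting)] means the timer is firing but renewal itself is failing, and /var/log/letsencrypt/letsencrypt.log is the place to look next.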
[6] To convert the certificates to PKCS12 (PFX) format for Windows, do as follows.
[root@dlp ~]# openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out dlp_for_iis.pfx
Enter Export Password: # set any export password
Verifying - Enter Export Password:
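The script below is an added example, not part of the original page and not Certbot's own code. It runs the same [openssl pkcs12 -export] as above without the interactive password prompt, then verifies the bundle before it goes to a Windows host: the password opens it, the end-entity certificate carries the expected CN, and the intermediate from fullchain.pem was carried over (IIS needs it to serve a complete chain). It assumes the openssl command is installed, the password shown is a placeholder, the function names are the example's own, and [make_fixture] builds constructed self-signed test data in place of a real Let's Encrypt directory.

```shell
#!/bin/sh
# Added example (not from the original page): export to PKCS12 (PFX) and verify
# the result. Requires the openssl command.

# Build the PFX from fullchain.pem + privkey.pem. -passout replaces the
# "Enter Export Password" prompt; -name sets the friendly name Windows shows.
export_pfx() {
    # $1 = fullchain.pem  $2 = privkey.pem  $3 = output .pfx  $4 = export password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "$(basename "$3" .pfx)" -passout "pass:$4"
}

# Verify the bundle: the password must open it, and the end-entity certificate
# (the one carrying the key, which -clcerts selects) must have the expected CN.
verify_pfx() {
    # $1 = .pfx  $2 = password  $3 = expected CN
    subject=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
              | openssl x509 -noout -subject 2>/dev/null) || return 1
    case "$subject" in
        *"CN = $3"*|*"CN=$3"*) return 0 ;;   # OpenSSL 1.1/3.x vs 1.0 subject spacing
    esac
    return 1
}

# Number of certificates stored in the bundle (leaf plus chain).
pfx_cert_count() {
    # $1 = .pfx  $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed fixture (test data, not real Let's Encrypt output): a throwaway
# self-signed leaf for dlp.srv.world plus a second self-signed cert standing in
# for the intermediate, joined the way fullchain.pem is.
make_fixture() {
    # $1 = directory to create
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/privkey.pem" \
        -out "$1/cert.pem" -days 90 -subj "/CN=dlp.srv.world" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/chain.pem" -days 365 -subj "/CN=constructed-intermediate" 2>/dev/null
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

# Usage: sh export-pfx.sh /etc/letsencrypt/live/dlp.srv.world dlp_for_iis.pfx 'export-password'
# The live directory name is the FQDN, so it doubles as the CN to verify.
if [ $# -ge 3 ]; then
    export_pfx "$1/fullchain.pem" "$1/privkey.pem" "$2" "$3" \
        && verify_pfx "$2" "$3" "$(basename "$1")" \
        && echo "ok: $2 holds $(pfx_cert_count "$2" "$3") certificates"
fi
```

OpenSSL 3 encrypts the bundle with AES-256-CBC by default; if an older Windows release refuses to import the file, re-export with the [-legacy] option of OpenSSL 3's pkcs12 command, which falls back to the older algorithms Windows expects.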