Get SSL Certificates (Let's Encrypt)2021/04/29 |
|
Get SSL Certificates from Let's Encrypt who provides Free SSL Certificates.
Refer to the details for Let's Encrypt official site below.
⇒ https://letsencrypt.org/
The expiration date of a cert is 90 days.
However, Systemd Timer which checks and updates certificates is included in Certbot pckage and you don't need to update manually. |
|
| [1] | Install Certbot Client which is the tool to get certificates from Let's Encrypt. |
|
root@dlp:~# apt -y install certbot
|
| [2] | Get certificates. It needs Web server like Apache httpd or Nginx must be runing on the server you work. If no Web server is running, skip this section and Refer to [3] section. Furthermore, it needs that it's possible to access from the Internet to your working server on port 80 because of verification from Let's Encrypt. |
|
# for the option [--webroot], use a directory under the webroot on your server as a working temp # -w [document root] -d [FQDN you'd like to get certs] # FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# if you'd like to get certs for more than 2 FQDNs, specify all like below # ex : if get [srv.world] and [www.srv.world] # ⇒ [-d srv.world -d dlp.srv.world]
certbot certonly --webroot -w /var/www/html -d dlp.srv.world Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap) dnf is /usr/bin/dnf dnf is hashed (/usr/bin/dnf) ..... ..... # for only initial using, register your email address and agree to terms of use # specify valid email address Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): root@mail.srv.world - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # agree to the terms of use (A)gree/(C)ancel: A - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y Obtaining a new certificate Performing the following challenges: http-01 challenge for dlp.srv.world Using the webroot path /var/www/html for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/dlp.srv.world/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/dlp.srv.world/privkey.pem Your cert will expire on 2021-07-17. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le # success if [Congratulations] is shown # certs are created under the [/etc/letsencrypt/live/(FQDN)/] directory # cert.pem ⇒ SSL Server cert(includes public-key) # chain.pem ⇒ intermediate certificate # fullchain.pem ⇒ combined file cert.pem and chain.pem # privkey.pem ⇒ private-key file |
| [3] | If no Web Server is running on your working server, it's possbile to get certs with using Certbot's Web Server feature. Anyway, it needs that it's possible to access from the Internet to your working server on port 80 because of verification from Let's Encrypt. |
|
# for the option [--standalone], use Certbot's Web Server feature # -d [FQDN you'd like to get certs] # FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# if you'd like to get certs for more than 2 FQDNs, specify all like below # ex : if get [srv.world] and [www.srv.world] ⇒ specify [-d srv.world -d www.srv.world]
certbot certonly --standalone -d mail.srv.world Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator standalone, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for mail.srv.world Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/mail.srv.world/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/mail.srv.world/privkey.pem Your cert will expire on 2021-07-17. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le |
| [4] | For Updating existing certs manually, use [renew] subcommand. To run [renew] subcommand, all certs which have less than 30 days expiration are updated. If you'd like to update certs which has more than 30 days expiration, add [--force-renew] option. However, [certbot] package has systemd timer, so it does not need to run it manually. |
|
# systemd timer script is included in Certbot package root@dlp:~# systemctl status certbot.timer
* certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset:>
Active: active (waiting) since Thu 2021-04-29 14:26:52 JST; 12min ago
Trigger: Fri 2021-04-30 00:42:21 JST; 10h left
Triggers: : certbot.service
root@dlp:~# systemctl list-timers certbot.timer --no-pager NEXT LEFT LAST PASSED UNIT ACTIVATES Thu 2021-04-29 17:44:12 JST 2h 46min left Thu 2021-04-29 14:26:52 JST 30min ago certbot.timer certbot.service 1 timers listed. Pass --all to see loaded but inactive timers, too. # [renew] is run 2 times every day like follows by default root@dlp:~# systemctl cat certbot.timer # /lib/systemd/system/certbot.timer [Unit] Description=Run certbot twice daily [Timer] OnCalendar=*-*-* 00,12:00:00 RandomizedDelaySec=43200 Persistent=true [Install] WantedBy=timers.targetroot@dlp:~# systemctl cat certbot.service # /lib/systemd/system/certbot.service [Unit] Description=Certbot Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html Documentation=https://certbot.eff.org/docs [Service] Type=oneshot ExecStart=/usr/bin/certbot -q renew PrivateTmp=true # for manual update, do like follows root@dlp:~# certbot renew |
| [5] | If you'd like to convert certificates to PKCS12 (PFX) format for Windows, do like follows. |
|
root@dlp:~# openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out dlp_for_iis.pfx
Enter Export Password: # set any export password
Verifying - Enter Export Password:
|