Obtain a certificate from Let's Encrypt
Let’s Encrypt is a free, automated, and open certificate authority, run for the public’s benefit. You can use certbot, an Electronic Frontier Foundation (EFF) tool, to obtain certificates from Let’s Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other certificate authority that uses the ACME protocol.
Information and requirements
Keep the following in mind when following this article:
- the steps are carried out on Rocky Linux 8,
- throughout this post, we request a certificate for domain.fr; replace it with your own domain name.
Install required utilities
sudo dnf -y install certbot
Request a certificate from Let’s Encrypt
If a service is already listening on port 80, you must stop it first. You can also use --pre-hook to execute a specific command (stop the related service) before requesting a certificate and --post-hook to execute a command (restart the related service) once you have obtained your certificate.
sudo certbot certonly -d domain.fr --rsa-key-size 4096 --register-unsafely-without-email --standalone --agree-tos
certonly: obtains or renews a certificate, but does not install it,
-d: specifies the domains to obtain a certificate for. Modify this value according to your domain,
--rsa-key-size 4096: defines the size of the RSA key; the default is 2048,
--register-unsafely-without-email: registers an account with no e-mail address. It is strongly discouraged, because in the event of key loss or account compromise you will irrevocably lose access to your account. I am aware of the risks associated with the use of this flag, but I do not wish to receive e-mails from EFF and I manage the expiration of the certificates by myself,
--standalone: tells certbot to use its own built-in web server to handle the challenge,
--agree-tos: automatically accepts the ACME server subscription agreement (certbot does not ask). I have already read it, but I recommend that you read it if you have never done so.
Executing the previous command creates 3 files:
cert.pem: the signed certificate,
privkey.pem: the certificate’s private key,
fullchain.pem: the chain of trust.
To set up HTTPS with Apache, the directives that must be modified are the following.
SSLCertificateFile /etc/letsencrypt/live/domain.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.fr/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/domain.fr/fullchain.pem
For Nginx, the following directives.
ssl_certificate /etc/letsencrypt/live/domain.fr/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.fr/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.fr/fullchain.pem;
Automatically renew your certificates
Let’s Encrypt’s default configuration gives a certificate a lifetime of 3 months. To automate the renewal process, we will use a cron job. Add this entry to the root user’s crontab (sudo crontab -e).
55 23 29 */2 * certbot renew -d domain.fr --pre-hook 'systemctl stop httpd.service' --post-hook 'systemctl start httpd.service'
This job renews domain.fr’s certificate at 11:55 p.m. on day-of-month 29 in every second month. As mentioned above, you can use --pre-hook and --post-hook to execute commands at a specific stage. In my case, I stop and restart the HTTP service so that the certbot challenge works properly.
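Whether a cron job like the one above keeps the site covered depends on a rule the cron line itself does not show: certbot renew only replaces a certificate when less than renew_before_expiry (30 days by default) remains until expiry, and otherwise exits without doing anything. The Python below is an added example, not code from the original post or from certbot, that replays that rule over a schedule of run times for a 90-day certificate, so you can check any crontab schedule before trusting it. The issuance date, the two schedule generators and the 30-day threshold are assumptions stated in the code; the bimonthly generator reproduces the fire times of the post’s own line, 55 23 29 */2 *.

```python
from datetime import datetime, timedelta

# Assumptions for this example (not values taken from the post):
CERT_LIFETIME = timedelta(days=90)        # Let's Encrypt certificate lifetime
RENEW_BEFORE_EXPIRY = timedelta(days=30)  # certbot's default renew_before_expiry


def bimonthly_runs(first_year, last_year):
    """Fire times of the post's cron line '55 23 29 */2 *'.

    '*/2' in the month field means January, March, ..., November, so the
    job fires at 23:55 on the 29th of those months (all have >= 29 days).
    """
    return [datetime(y, m, 29, 23, 55)
            for y in range(first_year, last_year + 1)
            for m in (1, 3, 5, 7, 9, 11)]


def daily_runs(first_day, last_day):
    """Fire times of a daily job '55 23 * * *' between two dates (inclusive)."""
    runs, t = [], first_day.replace(hour=23, minute=55)
    while t <= last_day:
        runs.append(t)
        t += timedelta(days=1)
    return runs


def simulate(issued, runs):
    """Replay 'certbot renew' at each run time for a certificate issued at `issued`.

    certbot renews only when the remaining validity is below
    RENEW_BEFORE_EXPIRY; any other run is a no-op.  Returns two lists:
    the run times at which a renewal happened, and the run times at which
    the live certificate had already expired before the job fired.
    """
    expiry = issued + CERT_LIFETIME
    renewed, lapsed = [], []
    for t in runs:
        if t < issued:
            continue                      # schedule entries before the certificate existed
        if t > expiry:
            lapsed.append(t)              # an expired certificate was served until this run
        if expiry - t < RENEW_BEFORE_EXPIRY:
            renewed.append(t)
            expiry = t + CERT_LIFETIME    # the renewed certificate starts a new 90-day window
    return renewed, lapsed


if __name__ == "__main__":
    # Constructed scenario: certificate first obtained with certonly on 2025-01-29.
    issued = datetime(2025, 1, 29, 23, 55)
    for label, runs in (
        ("post's bimonthly job", bimonthly_runs(2025, 2025)),
        ("daily job", daily_runs(datetime(2025, 1, 29), datetime(2025, 12, 31))),
    ):
        renewed, lapsed = simulate(issued, runs)
        print(f"{label}: renewed on {[d.date().isoformat() for d in renewed]}, "
              f"expired before run on {[d.date().isoformat() for d in lapsed]}")
```

With a certificate issued on 29 January, the bimonthly run on 29 March finds 31 days of validity left and does nothing, and the next run on 29 May arrives a month after expiry; a daily schedule renews on 31 March and never lapses. The gap is a consequence of the 30-day threshold combined with a 59- to 62-day interval, which is why the certbot documentation recommends running certbot renew at least daily and letting it decide when a renewal is actually due.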
Revoke a certificate
If your private key is ever compromised, revoke your certificate immediately with the revoke argument. You can also specify the reason for revoking your certificate with the --reason flag. Reasons include unspecified, which is the default, and keycompromise, used here:
sudo certbot revoke --cert-path /etc/letsencrypt/live/domain.fr/cert.pem --reason keycompromise
You can also delete it from your server.
sudo certbot delete --cert-name domain.fr