Obtain a certificate from Let's Encrypt

Let’s Encrypt is a free, automated and open certificate authority, run for the public’s benefit. certbot, a tool from the Electronic Frontier Foundation (EFF), obtains certificates from Let’s Encrypt and can optionally configure HTTPS on your web server for you. It also works as a client for any other certificate authority that speaks the ACME protocol.

Information and requirements

The following elements must be taken into account to follow this article:

Install required utilities

sudo dnf -y install certbot

Request a certificate from Let’s Encrypt

If a service is already listening on port 80, stop it first: in --standalone mode certbot binds port 80 itself to answer the HTTP-01 challenge. You can also use --pre-hook to run a command (for example, stop the web server) before the certificate is requested and --post-hook to run a command (start it again) once the certificate has been obtained. Hooks given to certonly are saved in /etc/letsencrypt/renewal/domain.fr.conf and reused at renewal time.

sudo certbot certonly -d domain.fr --rsa-key-size 4096 --register-unsafely-without-email --standalone --agree-tos

Explanation of the flags:

certonly: obtain the certificate only, without touching any web server configuration.
-d domain.fr: the domain name to put in the certificate; repeat -d (or give a comma-separated list) for additional names.
--rsa-key-size 4096: generate a 4096-bit RSA private key instead of the default size.
--register-unsafely-without-email: create the ACME account without a contact address. Let’s Encrypt uses that address to warn you before a certificate expires, so prefer --email with a monitored address unless you track expiry yourself.
--standalone: run a temporary web server on port 80 to answer the HTTP-01 challenge.
--agree-tos: accept the Let’s Encrypt subscriber agreement without being prompted.

The previous command stores the certificate files in /etc/letsencrypt/archive/domain.fr/ and creates symlinks to the current versions in /etc/letsencrypt/live/domain.fr/ (always reference the live/ paths in your configuration, they are repointed on every renewal): cert.pem (your certificate), chain.pem (the Let’s Encrypt intermediate), fullchain.pem (cert.pem followed by chain.pem) and privkey.pem (the private key; the directory is readable by root only, keep it that way).

To set up HTTPS with Apache (httpd 2.4.8 or later), the directives that must be modified are the following. SSLCertificateFile must point at fullchain.pem, not cert.pem, so that the intermediate certificate is sent to clients along with your own; a server that presents only cert.pem fails the TLS handshake on every client that does not already hold the Let’s Encrypt intermediate. Do not put the chain in SSLCACertificateFile: that directive lists the CAs trusted for client certificate authentication and has nothing to do with the chain your server presents.

SSLCertificateFile /etc/letsencrypt/live/domain.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.fr/privkey.pem

For Nginx, the following. Here too ssl_certificate must be fullchain.pem, not cert.pem, for the same reason. ssl_trusted_certificate is only consulted to verify OCSP responses when ssl_stapling is on (and for client certificate verification), so the intermediate in chain.pem is all it needs; leave it out if you do not enable stapling.

ssl_certificate /etc/letsencrypt/live/domain.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.fr/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.fr/chain.pem;

Automatically renew your certificates

Let’s Encrypt certificates are valid for 90 days. certbot renew only attempts a renewal once a certificate is within 30 days of expiry; otherwise it does nothing, and the pre- and post-hooks run only when a renewal is actually attempted. Running it twice a day therefore costs nothing and leaves room to retry when a renewal fails, whereas a job that fires once every two months has no retry window at all: a single failure (CA outage, DNS problem, a hook that errors) means an expired certificate. Note also that renew does not accept -d; use --cert-name to restrict it to one certificate. Add this entry to the root user’s crontab (sudo crontab -e), picking an arbitrary minute rather than 0 so that renewals from many hosts are spread out:

17 3,15 * * * certbot renew --quiet --cert-name domain.fr --pre-hook 'systemctl stop httpd.service' --post-hook 'systemctl start httpd.service'

The hooks stop and start the HTTP service around the challenge so that --standalone can bind port 80. Test the whole sequence once with certbot renew --dry-run before relying on the job, and look in /var/log/letsencrypt/letsencrypt.log when a renewal is reported as failed. The Fedora/EPEL certbot package also ships a certbot-renew.timer unit; if you enable that instead of a cron job, keep the hooks in the renewal configuration (/etc/letsencrypt/renewal/domain.fr.conf) rather than on the command line.
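The renewal job above trusts that whatever certbot wrote into /etc/letsencrypt/live/domain.fr/ is sane before the web server picks it up, and the web server sections earlier rely on fullchain.pem and privkey.pem being a matching, correctly ordered set. The script below is an added example, not part of the original article or of certbot: a --deploy-hook (certbot runs it once per renewed certificate and exports RENEWED_LINEAGE, the live/ directory of that certificate) that refuses a lineage whose key does not match the certificate, whose fullchain.pem does not start with the leaf, whose leaf is not issued by chain.pem, or which is already close to expiry, and only then asks httpd to reload. Assumptions: the OpenSSL command-line tool is installed, httpd is the web server, and the 30-day threshold is an illustrative choice.

```sh
#!/bin/sh
# Added example (not from the original article): a certbot --deploy-hook that
# checks a renewed lineage before the web server is asked to reload it.
# Usage: certbot renew ... --deploy-hook /usr/local/sbin/check-lineage.sh
# Assumptions: OpenSSL CLI available; certbot's lineage layout
# (cert.pem, chain.pem, fullchain.pem, privkey.pem); httpd as web server;
# the default of 30 remaining days is an arbitrary threshold.

# check_lineage DIR [MIN_DAYS]
# Returns 0 when DIR holds a consistent certificate set valid for at least
# MIN_DAYS more days (default 30); the first failed check is printed to stderr.
check_lineage() {
    dir=$1
    min_days=${2:-30}

    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "check_lineage: $dir/$f is missing or unreadable" >&2
            return 1
        fi
    done

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "check_lineage: privkey.pem does not match cert.pem" >&2
        return 1
    fi

    # 2. fullchain.pem must start with the leaf (openssl x509 reads only the
    #    first certificate in a file); otherwise the server would present the
    #    intermediate as its own certificate.
    leaf_fp=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256 2>/dev/null)
    full_fp=$(openssl x509 -in "$dir/fullchain.pem" -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$leaf_fp" ] || [ "$leaf_fp" != "$full_fp" ]; then
        echo "check_lineage: fullchain.pem does not start with cert.pem" >&2
        return 1
    fi

    # 3. The leaf must be issued by the chain that will be served with it.
    #    -partial_chain accepts the (non-root) intermediate in chain.pem as
    #    the anchor; building trust up to a root is the client's job.
    if ! openssl verify -CAfile "$dir/chain.pem" -partial_chain "$dir/cert.pem" >/dev/null 2>&1; then
        echo "check_lineage: cert.pem is not issued by chain.pem" >&2
        return 1
    fi

    # 4. Refuse a certificate that is expired or about to expire.
    if ! openssl x509 -in "$dir/cert.pem" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "check_lineage: cert.pem expires in less than $min_days days" >&2
        return 1
    fi
    return 0
}

# Hook entry point: certbot sets RENEWED_LINEAGE only when running a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    check_lineage "$RENEWED_LINEAGE" || exit 1   # non-zero makes certbot report the failure
    apachectl configtest || exit 1
    # With --standalone the service was stopped by --pre-hook and --post-hook
    # starts it again, so reload only if it is actually running right now.
    if systemctl is-active --quiet httpd.service; then
        systemctl reload httpd.service
    fi
fi
```

Because the hook exits non-zero on any inconsistency, the certificate files stay in place but certbot logs the failed deploy and the web server keeps serving the previous, still valid certificate, which gives you the renewal window to investigate instead of a broken site.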

Revoke a certificate

If your private key is ever compromised, revoke the certificate immediately with the revoke subcommand. You can state the reason with the --reason flag; the accepted values are unspecified (the default), keycompromise, affiliationchanged, superseded and cessationofoperation. Revocation only invalidates the certificate: request a new one afterwards, and make sure it is issued for a fresh private key (certbot generates a new key on each issuance unless --reuse-key is set). Run the command on the machine that holds the certbot account, since certbot authenticates the revocation with the account key; it will offer to delete the revoked certificate’s files when it is done.

sudo certbot revoke --cert-path /etc/letsencrypt/live/domain.fr/cert.pem --reason keycompromise

If you declined that offer, you can also delete the certificate from your server afterwards.

sudo certbot delete --cert-name domain.fr