Obtain a certificate from Let's Encrypt
Let’s Encrypt is a free, automated, and open certificate authority, run for the public’s benefit. You can use certbot, an Electronic Frontier Foundation (EFF) tool, to obtain certificates from Let’s Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other certificate authority that uses the ACME protocol.
Information and requirement
Keep the following in mind when following this article:
- The commands are run on Rocky Linux 8.
- Throughout this post, we will request a certificate for domain.fr; replace it with your own domain name.
Install required utilities
[operator@server ~]$ sudo dnf -y install epel-release
[operator@server ~]$ sudo dnf -y install certbot
Request a certificate from Let’s Encrypt
If a service is already listening on port 80, you must stop it first. You can also use --pre-hook to run a specific command (stop the related service) before requesting a certificate and --post-hook to run a command (restart the related service) once you have obtained your certificate.
[operator@server ~]$ sudo certbot certonly -d domain.fr --rsa-key-size 4096 --register-unsafely-without-email --standalone --agree-tos
Flags explanation:
- certonly: obtains or renews a certificate, but does not install it.
- -d: specifies the domains to obtain a certificate for. Modify this value according to your domain.
- --rsa-key-size 4096: defines the size of the RSA key; the default is 2048.
- --register-unsafely-without-email: registers an account with no e-mail address. This is strongly discouraged, because in the event of key loss or account compromise you will irrevocably lose access to your account. I am aware of the risks associated with this flag, but I do not wish to receive e-mails from EFF and I manage the expiration of the certificates myself.
- --standalone: tells certbot to use its own built-in web server to handle the challenge.
- --agree-tos: automatically accepts the ACME server subscription agreement (certbot does not ask). I have already read it, but I recommend you do so if you have never done it before.
By executing the previous command, 3 files are going to be created in /etc/letsencrypt/live/domain.fr:
- cert.pem: the signed certificate.
- privkey.pem: the certificate’s private key.
- fullchain.pem: the chain of trust (the certificate followed by the intermediate certificates).
To set up HTTPS with Apache, the following directives must be modified:
SSLCertificateFile /etc/letsencrypt/live/domain.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.fr/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/domain.fr/fullchain.pem
Automatically renew your certificates
Let’s Encrypt’s default configuration gives certificates a lifetime of 3 months. To automate the renewal process, we will use a cron job. Add this entry to the root user’s crontab (sudo crontab -e).
55 23 29 */2 * certbot renew -d domain.fr --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
This job renews domain.fr’s certificate at 11:55 p.m. on day-of-month 29 of every second month. As mentioned above, you can use --pre-hook and --post-hook to execute commands at a specific stage. In my case, I stop and restart the HTTP service so that the certbot challenge works properly.
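As an added example (not part of the original post), the script below checks the three files certbot writes to the live directory and reports whether the certificate is inside certbot's renewal window, which is the check to run when you rely on a two-monthly cron job like the one above. It assumes GNU date and the openssl CLI; the 30-day window is certbot's default renewal threshold, and the path is the one used throughout this post.

```shell
#!/bin/sh
# Post-issuance checks for a certbot "live" directory. Added example, not part
# of the original post; assumes GNU date and the openssl CLI are installed.
set -eu
RENEW_WINDOW_DAYS=30   # certbot renew only acts when expiry is this close

# days_between NOTAFTER NOW: whole days from NOW until NOTAFTER.
# NOTAFTER uses openssl's notAfter format, e.g. "Jun  1 12:00:00 2030 GMT".
days_between() {
    end=$(date -u -d "$1" +%s)
    now=$(date -u -d "$2" +%s)
    echo $(( (end - now) / 86400 ))
}

# renewal_state DAYS: "expired", "due" (inside the renewal window) or "ok".
renewal_state() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -le "$RENEW_WINDOW_DAYS" ]; then echo due
    else echo ok
    fi
}

# key_matches_cert KEY CERT: succeeds if the key's public half is the cert's.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout |
        openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# check_live_dir DIR: verify cert.pem, privkey.pem and fullchain.pem.
check_live_dir() {
    dir=$1
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f"; return 1; }
    done
    end=$(openssl x509 -in "$dir/cert.pem" -noout -enddate | cut -d= -f2)
    days=$(days_between "$end" "$(date -u '+%F %T UTC')")
    echo "expires: $end ($days days left, renewal: $(renewal_state "$days"))"
    key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" ||
        { echo "privkey.pem does NOT match cert.pem"; return 1; }
    # fullchain.pem must start with exactly the leaf certificate in cert.pem
    head -c "$(wc -c < "$dir/cert.pem")" "$dir/fullchain.pem" |
        cmp -s - "$dir/cert.pem" ||
        { echo "fullchain.pem does not start with cert.pem"; return 1; }
    echo "key/cert and chain checks passed"
}

# Usage: sudo sh check-cert.sh /etc/letsencrypt/live/domain.fr
[ "$#" -eq 0 ] || check_live_dir "$1"
```

Run it as root, since privkey.pem is only readable by root.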
Revoke a certificate
If your private key is ever compromised, revoke your certificate immediately with the revoke argument. You can also specify the reason for revoking your certificate with the --reason flag. Reasons include unspecified (the default), keycompromise, affiliationchanged, superseded and cessationofoperation.
[operator@server ~]$ sudo certbot revoke --cert-path /etc/letsencrypt/live/domain.fr/cert.pem --reason keycompromise
You can also delete it from your server.
[operator@server ~]$ sudo certbot delete --cert-name domain.fr