Versions Compared

Old Version 9

changes.mady.by.user Chun Kang

Saved on

compared with

New Version Current

changes.mady.by.user Chun Kang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. 


Table of Contents

...

Install required compontents for Let's Encrypt

Code Block
languagebash
# Step 1: Installing dependent modules
sudo yum install -y epel-release mod_ssl


# Step 2: Downloading the Let’s Encrypt client
sudo yum install -y python-certbot-apache


Create SSL certificate

Code Block
languagebash
sudo certbot --apache -d kurapa.com

...

Code Block
languagebash
$ sudo certbot --apache -d kurapa.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for kurapa.com
Performing the following challenges:
http-01 challenge for kurapa.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhosts.conf
Redirecting vhost in /etc/httpd/conf.d/vhosts.conf to ssl vhost in /etc/httpd/conf.d/vhosts.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://kurapa.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/kurapa.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/kurapa.com/privkey.pem
   Your certificate will expire on 2022-01-19. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

$

...


Wild Card SSL?

Following shell script (wild_certbot.sh) will enable you to create wild card domain

Code Block
languagebash
titlewild_certbot.sh
#!/bin/bash
sudo certbot certonly --manual \
  --preferred-challenges=dns \
  --email $1 \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --manual-public-ip-logging-ok \
  -d "$2,*.$2"

You can do it as following:

Code Block
$ wild_certbot.sh kurapa@kurapa.com kurapa.com

Then you will see like below:


Code Block
languagebash
Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for *.kurapa.com
Performing the following challenges:
dns-01 challenge for kurapa.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.kurapa.com with the following value:

W8GGMfEG4ck-dOF9dyHG8gNCc1uR_Ql_KjEi1jltuLQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Use of --manual-public-ip-logging-ok is deprecated.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/kurapa.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/kurapa.com-0001/privkey.pem
   Your certificate will expire on 2022-01-20. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Note that you should update a DNS TXT record based on the guide above, as a step, before verfication.

How to update SSL?

As long as you have certificates based on Let's Encrypt, you can simply update it as:

Code Block
sudo certbot renew -n --apache -d kurapa.com

If it doesn't require updating the SSL, it will show like:

...