How to setup Let’s Encrypt certificates on CentOS with Certbot


Let’s Encrypt® has literally changed the way we obtain, install and use SSL certificates. With its automated procedures, as you’ll see in just a few seconds, everyone can get free SSL certificates from Let’s Encrypt and install them in a matter of minutes, automatically.

Installing an SSL certificate can be daunting, but it’s really not that difficult to install a Let’s Encrypt certificate using Certbot. Without further ado, let’s begin:

Before starting

Important
I take absolutely NO responsibility of what you do with your machine; use this tutorial as a guide and remember you can possibly cause data loss if you touch things carelessly.

I will assume you:

  • know what Let’s Encrypt is.
  • have basic command line skills.
  • know what SSL is.
  • have shell access (direct or SSH) to your web server.
  • already have your web server up and running.
  • already have configured your firewall to open ports 80 and 443.
  • own the domain name(s) you will configure (if not don’t try to obtain a certificate…)
Warning!
Let’s Encrypt has rate limits in place to prevent inappropriate usage of the CA. There’s a limit on the number of attempts you can make before getting a temporary ban. During this setup, if things go wrong, I suggest you use the --staging option to avoid the temporary ban. The --staging option will use a testing server and will not issue valid certificates. When you have completed the procedure against the test server successfully, you can remove the --staging option to obtain the real certificate.

Install Certbot

Before you can actually get a Let’s Encrypt certificate you need to install Certbot. Certbot is the official Let’s Encrypt client and also the easiest way to get a certificate. Open up a terminal and type the commands appropriate for your CentOS installation:

CentOS 7:

$ sudo yum install epel-release
$ sudo yum install certbot

CentOS 6:

$ sudo yum install epel-release
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo mv certbot-auto /usr/bin/certbot

Now you need to install the plugin associated with your web server (this step is only for CentOS 7). Certbot currently supports multiple plugins:

Apache:

Install the following package:

$ sudo yum install certbot-apache

Nginx:

Install the following package:

$ sudo yum install certbot-nginx

Other web server:

Certbot currently has official plugins only for Apache and Nginx, so there is nothing more to install: you already have everything you need, but you will have to follow the manual (webroot) procedure described later in the guide.

Set up Let’s Encrypt certificate on Apache

If your site is running the Apache web server, you can use the Certbot Apache plugin we installed earlier to automatically obtain and install your certificate:

$ sudo certbot --apache

The interactive procedure will guide you through all the information needed to sign the certificate. Optionally, if you have multiple virtual hosts/domains configured, Certbot will ask you to select the domains included in the new certificate.

If you don’t trust Certbot to install your certificate automatically, you can generate the certificate only (and install it manually later) using the following command:

$ sudo certbot --apache certonly

Here’s the output for a successful certificate issued:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOURSITE.TLD/fullchain.pem. Your cert will
   expire on DATE. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Set up Let’s Encrypt certificate on Nginx

Tip!
If you have multiple, different domains (which means at least two server blocks), you might find that the Certbot nginx plugin isn’t the best choice. Instead you can use the webroot plugin described later in the guide.

If your site is running the Nginx web server, you can use the Certbot Nginx plugin we installed earlier to automatically obtain and install your certificate:

$ sudo certbot --nginx

The interactive procedure will guide you through all the information needed to sign the certificate.

If you don’t trust Certbot to install your certificate automatically, you can generate the certificate only (and install it manually later) using the following command:

$ sudo certbot --nginx certonly

Here’s the output for a successful certificate issued:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOURSITE.TLD/fullchain.pem. Your cert will
   expire on DATE. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Set up Let’s Encrypt certificate using the Certbot webroot plugin

If you can’t or don’t want to use a specific plugin for your web server, you can still obtain a certificate using the webroot plugin. This plugin simply places the secrets needed to complete the authentication challenge in the selected directory. Although this method works with virtually every web server out there, the downside is that you will have to install the certificate manually.

To obtain a certificate through the webroot plugin do:

$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

This example (taken from the official Certbot site) will request a certificate for example.com and www.example.com using the /var/www/example directory. If the procedure is successful you will get the certificate, but you will need to install it in your web server manually.
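The webroot plugin only works if the web server really serves static files from the directory you pass to -w under the path `/.well-known/acme-challenge/`, which is where the http-01 validation looks. Below is an added pre-flight check (example code, not from the original post or from the Certbot project) that drops a throwaway token in that directory, fetches it back over plain HTTP the way the validation server would, and cleans up. It assumes curl is installed and that `/var/www/example` and `example.com` stand for your own webroot and domain; the token name and the `webroot-ok` body are constructed for the check.

```shell
#!/bin/sh
# Added example: pre-flight check for "certbot certonly --webroot -w WEBROOT -d DOMAIN".
# Assumptions: WEBROOT is the directory you will pass to -w, DOMAIN the name you will
# pass to -d, curl is installed. The validation server fetches
# http://DOMAIN/.well-known/acme-challenge/<token>, so that path must be served as a
# plain file from the webroot before certbot is run.

# Create the challenge directory under the webroot and drop a throwaway token in it.
# Prints the token name on success; fails if the directory cannot be written.
place_probe_token() {
  webroot="$1"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  token="probe-$$-$(date +%s)"          # constructed, unique enough for a one-off probe
  printf 'webroot-ok\n' > "$dir/$token" || return 1
  # The validation server is an anonymous HTTP client: the file must be world-readable.
  chmod 0644 "$dir/$token" || return 1
  printf '%s\n' "$token"
}

# Read the probe back from disk exactly as a static-file server would.
read_probe_token() {
  cat "$1/.well-known/acme-challenge/$2"
}

# Fetch the token over HTTP from the public name. -L follows redirects (Let's Encrypt
# follows them too); -f turns any non-2xx status into a failure.
fetch_probe_token() {
  domain="$1"; token="$2"
  curl -fsS -L "http://$domain/.well-known/acme-challenge/$token"
}

# Remove the probe afterwards; certbot manages its own tokens.
remove_probe_token() {
  rm -f "$1/.well-known/acme-challenge/$2"
}

# Full check: place the token, fetch it through the web server, clean up.
# Usage: check_webroot /var/www/example example.com
check_webroot() {
  webroot="$1"; domain="$2"
  token=$(place_probe_token "$webroot") || { echo "cannot write to $webroot" >&2; return 1; }
  if body=$(fetch_probe_token "$domain" "$token") && [ "$body" = "webroot-ok" ]; then
    echo "webroot check passed: safe to run certbot certonly --webroot -w $webroot -d $domain"
    rc=0
  else
    echo "webroot check FAILED: $domain does not serve $webroot/.well-known/acme-challenge/" >&2
    rc=1
  fi
  remove_probe_token "$webroot" "$token"
  return $rc
}
```

Run `check_webroot /var/www/example example.com` once per name you intend to put on the certificate (www.example.com may be served by a different server block). A failure usually means the webroot path is wrong, the directory is not readable by the web server user, or a rewrite rule swallows `/.well-known/`. Once it passes, the real request is the command shown above; keep --staging on it until the run completes cleanly, as the warning at the top of this guide recommends.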

Automating renewal with cron

Whatever procedure you followed, you now have your certificate. Since Let’s Encrypt certificates are short-lived (90 days) you should renew them before they expire. You can do this manually (every 90 days) or you can automate the process using cron and the Certbot client.

Before actually setting up the auto renewal process, you may want to test the renewal with the following command:

$ sudo certbot renew --dry-run

If the certificate is installed correctly and everything is in order, near the end you will get a message similar to this and you may proceed:

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/YOURSITE/fullchain.pem (success)

How to set up Certbot cron

  • If you installed the Certbot package using yum (CentOS 7) – Good news! You don’t have to set up Certbot cron because it is already set up for you!
  • If you installed Certbot manually (CentOS 6) – you will have to set up Certbot cron manually. Fear not! It is an easy set-and-forget procedure!

To automatically set up cron to renew the certificate you can simply do:

# cat > /etc/cron.d/certbot <<- EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
EOF

This cron job will run twice daily, but won’t renew the certificates unless they’re about to expire. The `! -d /run/systemd/system` test makes the job a no-op on systemd hosts, so it only does anything on CentOS 6.
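One thing the cron line above does not do is reload the web server: if you obtained the certificate with certonly or the webroot plugin, a renewed certificate sits on disk but the old one keeps being served until nginx or Apache is reloaded. The script below is an added example (not from the original post or from the Certbot project) that writes a cron file like the one above plus a deploy hook, passed with Certbot’s `--deploy-hook` option, which Certbot runs only when a certificate was actually renewed. It assumes certbot is at /usr/bin/certbot, that the reload command is `service nginx reload` (SysV, as on CentOS 6; substitute your own), and it drops the systemd guard because it targets the manually installed client; the paths `/etc/cron.d/certbot` and `/usr/local/sbin/certbot-deploy.sh` are the ones it installs to.

```shell
#!/bin/sh
# Added example: renewal cron job with a deploy hook that reloads the web server
# after a real renewal. Assumptions: certbot at /usr/bin/certbot, a SysV "service"
# command (CentOS 6), nginx as the web server; adjust reload_cmd for Apache.

# Write the deploy hook script. Certbot runs it once per renewed lineage and
# exports RENEWED_LINEAGE / RENEWED_DOMAINS to it.
write_deploy_hook() {
  hook="$1"        # path of the hook script to create
  reload_cmd="$2"  # command that reloads the web server
  mkdir -p "$(dirname "$hook")" || return 1
  cat > "$hook" <<EOF
#!/bin/sh
# Written by write_deploy_hook; RENEWED_* variables are set by certbot.
logger -t certbot-deploy "renewed \${RENEWED_LINEAGE:-?} (\${RENEWED_DOMAINS:-?}), reloading web server"
exec $reload_cmd
EOF
  chmod 0755 "$hook"
}

# Write the /etc/cron.d style file: twice a day, at a random minute within the
# hour to spread load on the CA, renew only what is due and run the hook.
write_cron() {
  cronfile="$1"; hook="$2"
  cat > "$cronfile" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --deploy-hook $hook
EOF
  chmod 0644 "$cronfile"
}

# Sanity check for a cron.d file: every line that is not blank, a comment or an
# environment assignment must have five time fields, a user and a command.
check_cron_syntax() {
  awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    NF < 7 { bad = 1 }
    END { exit bad }
  ' "$1"
}

# Install both pieces; run as root.
install_renewal_job() {
  write_deploy_hook /usr/local/sbin/certbot-deploy.sh "service nginx reload" || return 1
  write_cron /etc/cron.d/certbot /usr/local/sbin/certbot-deploy.sh || return 1
  check_cron_syntax /etc/cron.d/certbot
}
```

After installing, `certbot renew --dry-run --deploy-hook /usr/local/sbin/certbot-deploy.sh` exercises the whole chain against the staging server without touching the live certificate; the dry run skips the hook by default, so watch for the reload in the log only after a real renewal. If the certificate was installed with the Apache or Nginx plugin instead, Certbot already records the reload in the renewal configuration and the hook is not needed.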

Image courtesy of mark | marksei

2 Responses

  1. P.K. Hunter says:

    What’s a good way to upgrade certbot on Nginx (on CentOS 7.6)?
