How to Automate InCommon SSL Renewals with Certbot on Linux and Apache

Summary

This article describes how to set up automatic certificate renewal using Certbot for Apache on Linux.

Body

ACME (Automatic Certificate Management Environment) allows certificates to be auto-enrolled and installed without going through the manual process of requesting and installing a cert on a server. The following describes how to do that with a basic Linux server (RHEL 8 or 9) running Apache and Windows IIS.

This article applies whether you are requesting an SSL certificate for the first time or are requesting a renewal.

Submit a request here.

Once your request has been approved, you will receive an email containing the following values, which you will need for the next steps. Open Notepad or another text editor, copy and paste the values into it, and save the file for reference during the client setup below:

  • ACME URL
  • Key ID
  • HMAC Key

Prerequisites

The host-based firewall needs to allow outbound traffic from the server on ports 80/443 to the Sectigo servers (*.sectigo.com). Certain plugins also need port 80 open to allow inbound traffic. Please see https://eff-certbot.readthedocs.io/en/stable/using.html#getting-certificates-and-choosing-plugins for more information.

You must already have Apache running and you must have root access to the system. All commands below need to be run as the root user using sudo.

Instructions

1. Install Certbot on your Red Hat Linux server:

sudo yum -y install certbot

NOTE: Instructions for RHEL at https://certbot.eff.org/instructions?ws=apache&os=centosrhel8 instruct you to install Certbot via snapd, which you can alternatively use if you wish. However, if installing Certbot with snapd, the scheduled task to renew the cert will be configured using the systemd timer.

2. Run the following command, replacing the placeholders with the appropriate parameters.

  • Email: The certificate enrollment emails will be sent to this email
  • Key ID: The Key ID from the ACME account
  • ACME URL: The ACME URL from the ACME account
  • HMAC Key: The HMAC Key from the ACME account
  • Domain: The domain name of your server, e.g. testsvr.hawaii.edu (it should match the domain in your request)
  • Cert name: Enter any name for the cert, e.g. sslcert

certbot <plugin> --non-interactive --agree-tos --no-eff-email --email <your email> --server <ACME URL> --eab-kid <Key ID> --eab-hmac-key <HMAC Key> --domain <your domain> --cert-name <cert name>

e.g. certbot certonly --standalone --non-interactive --agree-tos --no-eff-email --email user@hawaii.edu --server https://acme.sectigo.com/v2/InCommonRSAOV --eab-kid 123456789 --eab-hmac-key 987654321 --domain my.domain.com --cert-name my.domain.cert

3. You will get the following output if done correctly:

Command Line Example

Congratulations! You have just successfully requested your SSL certificate. You should receive an email within a few minutes regarding the request status. However, your new certificate will not take effect until you restart Apache.

Certbot uses authenticator and installer plugins to obtain a certificate. Please see https://eff-certbot.readthedocs.io/en/stable/using.html#getting-certificates-and-choosing-plugins for more information on choosing plugins. A single plugin can act as both an authenticator and an installer. Authenticators are plugins that automatically perform the steps required to prove that you control the domain names for which you are requesting a certificate. An authenticator is always required to obtain a certificate.

Installers are plugins that can automatically modify your web server's configuration to use the certificates obtained by Certbot. An installer is only required if you want Certbot to install the certificate by modifying the server configuration. Installer plugins also restart your web server after making configuration changes.

In the above example, we used the standalone plugin, which obtained our certificate but did not modify any server configuration. Therefore, we need to note the paths of the certificate and key and add them to our server configuration. For an Apache installation, we will modify httpd.conf or ssl.conf (depending on your setup) to point to the certificate and key:

Certificate is saved at: /etc/letsencrypt/live/sslcert/fullchain.pem
Key is saved at: /etc/letsencrypt/live/sslcert/privkey.pem

Edit your httpd.conf or ssl.conf file and set these two lines (your configuration may differ slightly):

SSLCertificateFile /etc/letsencrypt/live/sslcert/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sslcert/privkey.pem

Note 1: fullchain.pem and privkey.pem are symbolic links to their respective certificate and private key, eliminating the need to edit the configuration file on subsequent renewals.

Note 2: installer plugins, in addition to changing the web server configuration, also restart the web server after a successful certificate request or renewal. Therefore, if you do not want your web server restarted after a successful request or renewal, use 'certonly' in combination with an authenticator.

e.g. 'certonly -a standalone' or 'certonly --standalone'

You can also use Apache as an authenticator: 'certonly -a apache'

However, if you are comfortable restarting your web server on the initial certificate request but want control over restarts on subsequent renewals, you can run the initial request with a plugin that is both an authenticator and an installer, such as apache:

certbot --apache --non-interactive --agree-tos ………

After a successful request, you can modify the renewal config to disable the web server restart upon a successful renewal:

Open /etc/letsencrypt/renewal/<certname>.conf and comment out this line:
#installer = apache

OPTIONAL: See https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates for more information on the saved certificate directories. If you are running Apache on Docker, Docker may not have permission to access the default /etc/letsencrypt directories. The documentation states to create a symlink or change permissions for the certificate files.

Set up certificate renewal

4. You have successfully requested a certificate above. The next few steps describe setting up the automatic renewal process.

Modify the renewal config file
The renewal config file contains some settings that will be used on subsequent renewals.

cd to /etc/letsencrypt/renewal and edit the conf file. The name of the conf file is the {cert-name}.conf that was specified in the certbot issue command, e.g. sslcert.conf.

For the most part, the config file can be left alone, but you may want to change the renew_before_expiry parameter. The default is 30 days, which means the certificate will be renewed 30 days before the expiration date. Uncomment the parameter and change it to the number of days of your choice.

Example config file:

renew_before_expiry = 7 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/sslcert
cert = /etc/letsencrypt/live/sslcert/cert.pem
privkey = /etc/letsencrypt/live/sslcert/privkey.pem
chain = /etc/letsencrypt/live/sslcert/chain.pem
fullchain = /etc/letsencrypt/live/sslcert/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 12345678901234567890
server = https://acme.sectigo.com/v2/InCommonRSAOV
authenticator = standalone
key_type = ecdsa


5. Create a cron job for renewal: check /etc/crontab and /etc/cron.* to see whether Certbot has automatically configured a scheduled cron job. It was not configured when installing Certbot using the yum -y install method, so a cron job will need to be configured manually.

NOTE: If Certbot was installed using snapd, snapd configures the renewal task using a systemd timer. Run "systemctl list-timers" to view the job. Changing the renewal period requires editing the systemd timer.

As the root user, create a crontab entry to renew the cert once a week, or at whatever interval you want. If a renewal run falls within the renew_before_expiry window, the cert will be renewed automatically with new certificate and key files.

[root@ludi renewal]# crontab -l
# Sundays at 03:00; a per-user crontab has no user field before the command
0 03 * * 7 certbot -q renew


The SSL certificate will not take effect until the web server has been restarted, unless you are using a plugin that is also an installer (like apache), which restarts your web server for you. If you want the renewal process to make the new certificate take effect, you can run a deploy-hook script upon a successful renewal to restart your web server. For example:

Create a shell script anywhere you choose; here it is created as /certbot-scripts/restart-httpd.sh.
restart-httpd.sh contains just a simple command that restarts the Apache web server:

#!/bin/sh
echo 'restarting apache web server...'
systemctl restart httpd
echo 'done restarting apache web server...'
exit


Then modify your cron job to add the deploy-hook script like so:

0 03 * * * certbot -q renew --deploy-hook /certbot-scripts/restart-httpd.sh
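A more defensive version of the deploy hook above, added here as an example and not part of the original article: it checks the lineage directory that Certbot exports to the hook in $RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/sslcert) and the renewed names in $RENEWED_DOMAINS, runs apachectl configtest, and uses a graceful reload instead of a restart so a broken configuration never takes the running server down. It assumes the httpd service and apachectl of a RHEL Apache install.

```shell
#!/bin/sh
# Constructed example of a safer deploy hook for "certbot renew --deploy-hook"
# (added here; not the original article's restart-httpd.sh). Certbot sets
# RENEWED_LINEAGE to the live directory of the renewed cert, e.g.
# /etc/letsencrypt/live/sslcert, and RENEWED_DOMAINS to its domain names.

# Succeed only if the lineage directory holds a readable cert chain and key.
lineage_ok() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Reload Apache only when the configuration parses; a broken config leaves
# the running server untouched instead of taking it down with a restart.
reload_apache() {
    if apachectl configtest >/dev/null 2>&1; then
        systemctl reload httpd
    else
        echo "restart-httpd: apachectl configtest failed, not reloading" >&2
        return 1
    fi
}

# Entry point used when Certbot invokes the hook after a successful renewal.
deploy_main() {
    lineage="${RENEWED_LINEAGE:-}"
    if ! lineage_ok "$lineage"; then
        echo "restart-httpd: no certificate/key found in '$lineage'" >&2
        return 1
    fi
    echo "restart-httpd: renewed ${RENEWED_DOMAINS:-?} in $lineage"
    reload_apache
}

# Only act when run by Certbot; outside a renewal there is nothing to reload.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_main
    exit $?
fi
```

One caveat when wiring this into "certbot -q renew": with authenticator = standalone, Certbot must bind port 80 itself during the renewal, so if Apache is already listening there the renewal needs --pre-hook and --post-hook commands to stop and start httpd around it, or the apache authenticator instead.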

Note: after a successful renewal, some command line parameters are automatically added to the config file. For example, this line was added to the config file after a successful renewal:

renew_hook = /certbot-scripts/restart-httpd.sh

which restarts the web server upon a successful renewal. Comment out this line if you do not want to restart your web server; in addition, you would also need to modify your cron job by removing the "--deploy-hook" option like so:

0 03 * * * certbot -q renew

Note: If Certbot was installed using snapd, snapd configures the renewal task using a systemd timer. Run "systemctl list-timers" to view the job. As far as the renewal setup goes, the same concept applies to a snapd installation.

Add --deploy-hook to the ExecStart line in the /etc/systemd/system/snap.certbot.renew.service file like so if a restart is desired upon a successful renewal:

ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew --deploy-hook "/certbot-scripts/restart-httpd.sh"

Edit /etc/systemd/system/snap.certbot.renew.timer for the renewal time per your liking.

Also, edit the renew_before_expiry value in the renewal conf file to your liking. In my testing, the renewal conf file did not contain a ‘renew_before_expiry = xx days’ line, so it was added.

Details

Article ID: 20098
Created: Tue 11/4/25 4:10 PM
Modified: Tue 11/4/25 8:29 PM
