Certbot with Apache: Difference between revisions

Once Certbot is installed, it's crazy simple to obtain a certificate.  As noted above, use one of these commands:<syntaxhighlight lang="text">
certbot --apache
OR

certbot certonly
</syntaxhighlight>...and then follow the instructions.  The first command will give one the choice of having Apache configuration files changed.  The latter command only obtains a certificate.  Remember, this has to be done on the server that hosts the web site, as Certbot and Let's Encrypt require a "challenge" to be answered correctly for a certificate to be obtained.  The "challenge" question is a temporary file that certbot places in the directory of the web site (and deletes after the certificate is obtained) so the certificate issuing service can verify that one is the owner of the web site.  DNS is another method that can be used in the "challenge" process, but it is a bit more complex.

Watch out for Certbot modifying the Apache configuration files, even if one declines the setting change in the "wizard / script".  It creates its own Apache configuration file (/etc/httpd/conf/httpd-le-ssl.conf) and adds an Include directive in the httpd.conf file, so effectively it does modify Apache settings even if it doesn't include a redirect in the HTTP section of a Virtual Server. If you want to avoid any chance of Certbot messing around with Apache


===Enabling Automatic Certificate Renewal===
systemctl enable certbot-renew.timer
</syntaxhighlight>
Verify the timer with this command: systemctl list-timers --all
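Two checks that follow from the notes above, as an added example (not code from this wiki page or from the Certbot project): the first greps a given httpd.conf for the Include directive Certbot adds for its httpd-le-ssl.conf file, so an Apache change made despite declining it in the wizard is noticed; the second looks for the renewal timer in the output of `systemctl list-timers --all`. The function names are assumptions and the httpd.conf used in demo() is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from Certbot.
# Function names are assumptions; the conf contents in demo() are constructed.

# List every Include/IncludeOptional line in the Apache config file $1 that
# pulls in a Certbot-generated *-le-ssl.conf (the page names
# /etc/httpd/conf/httpd-le-ssl.conf). Exit status 0 if any such line exists.
certbot_includes() {
    grep -E '^[[:space:]]*Include(Optional)?[[:space:]]+.*-le-ssl\.conf' "$1"
}

# Exit status 0 if a timer named $1 (e.g. certbot-renew.timer) appears in the
# output of the verification command given on the page.
timer_listed() {
    systemctl list-timers --all 2>/dev/null | grep -q "$1"
}

# Audit a constructed httpd.conf the way one would audit the real one after
# running "certbot --apache": report whether Certbot hooked in its own file.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
Include /etc/httpd/conf/httpd-le-ssl.conf
EOF
    if certbot_includes "$tmp"; then
        echo "Certbot modified Apache's configuration (see the Include line above)"
    else
        echo "No Certbot Include directive found"
    fi
    rm -f "$tmp"
    if timer_listed certbot-renew.timer; then
        echo "certbot-renew.timer is scheduled"
    else
        echo "certbot-renew.timer not found; run: systemctl enable certbot-renew.timer"
    fi
}

demo
```

Point certbot_includes at the real /etc/httpd/conf/httpd.conf to audit a live server; on systems without systemd the timer check simply reports the timer as not found.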


===Conclusions (thus far)===
The Webroot Plugin is only used when initially obtaining a certificate


===Commands (Some are noted previously, but summarized here)===
To install the certbot software (prerequisites [https://certbot.eff.org/lets-encrypt/centosrhel7-apache here]) : yum install certbot python2-certbot-apache