Certbot with Apache: Difference between revisions

Line 1:

=== Introduction ===

===Introduction===

Certbot is a utility that can be used to obtain, renew, manage, etc. SSL Certificates from [https://letsencrypt.org/ Let's Encrypt]. For installation, refer to: https://certbot.eff.org/

=== Environment Used to Test ===

===Environment Used to Test===

CentOS 7 with Apache 2.4

=== Technical Information about Certbot ===

=== Objective(s) ===

To never have to buy an SSL certificate for a web site ever again. And as if that weren't enough, to also never have to worry about renewing the certificated. Sound too good to be true? Well a group of people decided to do something that essentially makes that possible.

===Technical Information about Certbot===

Location of Certificates: /etc/letsencrypt

Line 18:

Line 21:

Certbot Binary File: /usr/bin/certbot

=== Certbot Services ===

===Certbot Services===

certbot-renew.service: This isn't really a service in that it doesn't run all of the time. It's more like an ~~preconfigured~~ set of commands to renew all certificates

certbot-renew.service: This isn't really a service in that it doesn't run all of the time. It's more like an pre-configured set of commands to renew all certificates that have been obtained via the certbot service.

certbot-renew.timer: Since the "renew service" doesn't run continuously, it needs to be triggered on a periodic basis, which is done by this service (Instead of a CRON task). By default in CentOS 7 it is not enabled by default. Webmin seems to have issues setting it to start automatically, so use this command: systemctl enable certbot-renew.timer The timing period can be changed via a configuration file or within Webmin.

=== Apache and Webroot Plugins ===

===Apache and Webroot Plugins===

The Apache Plugin is used to configure Apache conf files. My preference is to not utilize this functionality as it never seems to get the settings quite right. Instead, I used it once on a test site, reviewed the settings and then modified my HTTPS settings manually.

The Webroot Plugin is only used when initially obtaining a certificate

=== Commands ===

===Commands===

To install the certbot software (prerequisites [https://certbot.eff.org/lets-encrypt/centosrhel7-apache here]) : yum install certbot python2-certbot-apache

To view existing certificates: certbot certificates

Line 35:

Line 40:

Simple Command Example (Automated): certbot certonly --webroot --webroot-path /var/www/html/WhatEverPath -d WhatEverWebSite

~~Both~~ of the ~~above examples will do~~ the ~~following;~~

=== Obtaining a Certificate ===

Once Certbot is installed, it's crazy simple to obtain a certificate. As noted above, type: certbot --apache (and then follow the instructions) Remember, this has to be done on the server that hosts the web site as Certbot and Let's Encrypt require a "challenge" to be answered correctly for a certificate to be obtained. The "challenge" question is a temporary file that certbot places in the directory of the web site (and deletes after the certificate is obtained) for the certificate issuing service to verify one is the owner of the web site. DNS is another method that can be used in the "challenge" process, but it is a bit more complex.

*Modifies the /etc/http/conf/httpd.conf file ~~by adding several items~~ with ~~several "Rewrites" to~~ the VirtualHost section ~~for~~ the web site;

=== Results of Automatic Configuration with Apache Module ===

The section of the /etc/http/conf/httpd.conf file with the directives (VirtualHost section, etc) specific to the web site the certificate applies to is modified by adding several items;<source lang="text">

RewriteEngine on

RewriteCond %{SERVER_NAME} =WhateEverWebSiteName [OR]

Line 44:

Line 50:

RewriteRule ^ <nowiki>https://%{SERVER_NAME}%{REQUEST_URI}</nowiki> [END,NE,R=permanent]

</source>

It also adds an Include Statement to the /etc/http/conf/httpd.conf file (which references another file): Include /etc/httpd/conf/httpd-le-ssl.conf

*an Include: Include /etc/httpd/conf/httpd-le-ssl.conf

The /etc/httpd/conf/httpd-le-ssl.conf File includes the following (with a couple of carriage return, line feeds added to make it look neater);<source lang="text">

~~<blockquote>Include /etc/httpd/conf/httpd-le-ssl.conf</blockquote>~~<source lang="text">

Line 70:

Line 76:

</IfModule>

</source>

No changes were made to the /etc/httpd/conf.d/ssl.conf file

No changes were made to the /etc/httpd/conf.d/ssl.conf file. This makes sense, because the ssl.conf file is itself referenced as an Include in the httpd.conf file.

~~Final Thought:~~ The CERTBOT application is thorough in the way it scans the httpd.conf and associated files. It ~~caught a couple of~~ missing quotation marks that HTTPD ~~let slide~~.

=== Other Thoughts ===

The CERTBOT application is very thorough in the way it scans the httpd.conf and associated files and is very adept at identifying syntax errors in a configuration file. It catches errors like missing quotation marks that HTTPD doesn't get bent out of shape about.

@@ Line 1: / Line 1: @@
-=== Introduction ===
+===Introduction===
 Certbot is a utility that can be used to obtain, renew, manage, etc. SSL Certificates from [https://letsencrypt.org/ Let's Encrypt].  For installation, refer to: https://certbot.eff.org/
-=== Environment Used to Test ===
+===Environment Used to Test===
 CentOS 7 with Apache 2.4
-=== Technical Information about Certbot ===
+=== Objective(s) ===
+To never have to buy an SSL certificate for a web site ever again.  And as if that weren't enough, to also never have to worry about renewing the certificated.  Sound too good to be true?  Well a group of people decided to do something that essentially makes that possible.
+===Technical Information about Certbot===
 Location of Certificates: /etc/letsencrypt
@@ Line 18: / Line 21: @@
 Certbot Binary File: /usr/bin/certbot
-=== Certbot Services ===
+===Certbot Services===
-certbot-renew.service: This isn't really a service in that it doesn't run all of the time.  It's more like an preconfigured set of commands to renew all certificates
+certbot-renew.service: This isn't really a service in that it doesn't run all of the time.  It's more like an pre-configured set of commands to renew all certificates that have been obtained via the certbot service.
 certbot-renew.timer: Since the "renew service" doesn't run continuously, it needs to be triggered on a periodic basis, which is done by this service (Instead of a CRON task).  By default in CentOS 7 it is not enabled by default.  Webmin seems to have issues setting it to start automatically, so use this command: systemctl enable certbot-renew.timer  The timing period can be changed via a configuration file or within Webmin.
-=== Apache and Webroot Plugins ===
+===Apache and Webroot Plugins===
 The Apache Plugin is used to configure Apache conf files.  My preference is to not utilize this functionality as it never seems to get the settings quite right.  Instead, I used it once on a test site, reviewed the settings and then modified my HTTPS settings manually.
 The Webroot Plugin is only used when initially obtaining a certificate
-=== Commands ===
+===Commands===
+To install the certbot software (prerequisites [https://certbot.eff.org/lets-encrypt/centosrhel7-apache here]) : yum install certbot python2-certbot-apache
 To view existing certificates: certbot certificates
@@ Line 35: / Line 40: @@
 Simple Command Example (Automated): certbot certonly --webroot --webroot-path /var/www/html/WhatEverPath -d WhatEverWebSite
-Both of the above examples will do the following;
+=== Obtaining a Certificate ===
+Once Certbot is installed, it's crazy simple to obtain a certificate.  As noted above, type: certbot --apache (and then follow the instructions)  Remember, this has to be done on the server that hosts the web site as Certbot and Let's Encrypt require a "challenge" to be answered correctly for a certificate to be obtained.  The "challenge" question is a temporary file that certbot places in the directory of the web site (and deletes after the certificate is obtained) for the certificate issuing service to verify one is the owner of the web site.  DNS is another method that can be used in the "challenge" process, but it is a bit more complex.
-*Modifies the /etc/http/conf/httpd.conf file by adding several items with several "Rewrites" to the VirtualHost section for the web site;
+=== Results of  Automatic Configuration with Apache Module ===
-<source lang="text">
+The section of the /etc/http/conf/httpd.conf file with the directives (VirtualHost section, etc) specific to the web site the certificate applies to is modified by adding several items;<source lang="text">
 RewriteEngine on
 RewriteCond %{SERVER_NAME} =WhateEverWebSiteName [OR]
@@ Line 44: / Line 50: @@
 RewriteRule ^ <nowiki>https://%{SERVER_NAME}%{REQUEST_URI}</nowiki> [END,NE,R=permanent]
 </source>
+It also adds an Include Statement to the /etc/http/conf/httpd.conf file (which references another file): Include /etc/httpd/conf/httpd-le-ssl.conf
-*an Include: Include /etc/httpd/conf/httpd-le-ssl.conf
+The /etc/httpd/conf/httpd-le-ssl.conf File includes the following (with a couple of carriage return, line feeds added to make it look neater);<source lang="text">
-<blockquote>Include /etc/httpd/conf/httpd-le-ssl.conf</blockquote><source lang="text">
 <IfModule mod_ssl.c>
@@ Line 70: / Line 76: @@
 </IfModule>
 </source>
-No changes were made to the /etc/httpd/conf.d/ssl.conf file
+No changes were made to the /etc/httpd/conf.d/ssl.conf file.  This makes sense, because the ssl.conf file is itself referenced as an Include in the httpd.conf file.
-Final Thought: The CERTBOT application is thorough in the way it scans the httpd.conf and associated files.  It caught a couple of missing quotation marks that HTTPD let slide.
+=== Other Thoughts ===
+The CERTBOT application is very thorough in the way it scans the httpd.conf and associated files and is very adept at identifying syntax errors in a configuration file.  It catches errors like missing quotation marks that HTTPD doesn't get bent out of shape about.