Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.

Install

Certbot is packaged in EPEL (Extra Packages for Enterprise Linux). To use Certbot, you must first enable the EPEL repository and enable EPEL optional channel.

If you are using ec2 you can enable optional channel by running:

$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

After doing this, you can install Certbot by running:

$ sudo yum install certbot

Get Started

Certbot supports a number of different “plugins” that can be used to obtain and/or install certificates.

Since your server architecture doesn’t yet support automatic installation you’ll have to use the certonly command to obtain your certificate.

$ sudo certbot certonly

This will allow you interactively select the plugin and options used to obtain your certificate. If you already have a webserver running, we recommend choosing the “webroot” plugin.

Alternatively, you can specify more information on the command line.

To obtain a cert using the “webroot” plugin, which can work with the webroot directory of any webserver software:

$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

This command will obtain a single cert for example.comwww.example.comthing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.

To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com:

$ sudo certbot certonly --standalone -d example.com -d www.example.com

Automating renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

If that appears to be working correctly, you can arrange for automatic renewal by adding a cronor systemd job which runs the following:

certbot renew

More detailed information and options about renewal can be found in the full documentation.

https://certbot.eff.org/#centosrhel7-other

Leave a Comment

Your email address will not be published. Required fields are marked *

Shares