Certbot on CentOS 7

Certbot automates issuing and renewing Let's Encrypt certificates from your Linux box. This walkthrough was done on CentOS 7 with NGINX.

Install EPEL if it is not already installed.

ROOT
# yum -y install epel-release

Install NGINX if it is not already installed.

ROOT
# yum -y install nginx

Install Certbot and its NGINX plugin.

ROOT
# yum -y install certbot python2-certbot-nginx

Now you can simply run:

ROOT
# certbot --nginx

And then walk through the configuration:

ROOT
[root@ext-proxy01 ~]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: bugzilla.X.net
2: trac.X.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for trac.X.net
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/proxy.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/proxy.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://trac.X.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=trac.X.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:

 /etc/letsencrypt/live/trac.X.net/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/trac.X.net/privkey.pem
 Your cert will expire on 2019-11-20. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot again
 with the "certonly" option. To non-interactively renew *all* of
 your certificates, run "certbot renew"

- If you like Certbot, please consider supporting our work by:

 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

For automated cert renewal, add the following to the crontab:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
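
A cron entry that fails silently leaves the certificate to run out on the date shown in the notes above. The following script is an added example, not part of the original page: it reads the expiry of every certificate under /etc/letsencrypt/live and flags any that the cron job should already have renewed. It assumes GNU date and openssl, certbot's default directory layout, and a 21-day threshold chosen for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): detect renewals the cron job missed.
# Assumes GNU date and openssl (both present on CentOS 7) and certbot's default
# layout /etc/letsencrypt/live/<name>/fullchain.pem. Function names are hypothetical.

# cert_status "<notAfter line>" THRESHOLD_DAYS [NOW_EPOCH]
# Prints "OK <days>", "OVERDUE <days>", "EXPIRED" or "UNPARSEABLE".
cert_status() {
    local not_after threshold now end days
    not_after="${1#notAfter=}"        # accept raw `openssl x509 -enddate` output
    threshold="$2"
    now="${3:-$(date +%s)}"
    # GNU date treats an empty string as "today", so reject it explicitly.
    [ -n "$not_after" ] || { echo "UNPARSEABLE"; return 2; }
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    days=$(( (end - now) / 86400 ))
    if [ "$end" -le "$now" ]; then
        echo "EXPIRED"; return 1
    elif [ "$days" -lt "$threshold" ]; then
        echo "OVERDUE $days"; return 1
    fi
    echo "OK $days"
}

# check_live_dir [DIR] [THRESHOLD_DAYS]: report every certificate, return 1 on any problem.
check_live_dir() {
    local dir threshold pem line status rc
    dir="${1:-/etc/letsencrypt/live}"
    threshold="${2:-21}"              # certbot renews at <30 days left; <21 means a week of failures
    rc=0
    for pem in "$dir"/*/fullchain.pem; do
        [ -f "$pem" ] || continue     # glob matched nothing
        line=$(openssl x509 -enddate -noout -in "$pem" 2>/dev/null) \
            || { echo "$pem: UNREADABLE"; rc=1; continue; }
        status=$(cert_status "$line" "$threshold") || rc=1
        echo "$pem: $status"
    done
    return "$rc"
}

# Invoke as: ./check_certs.sh run [DIR] [THRESHOLD_DAYS]
if [ "${1:-}" = "run" ]; then
    check_live_dir "${2:-}" "${3:-}"
fi
```

Run it as root (the live directory is not world-readable) from a monitoring agent or a separate cron entry; a non-zero exit status means at least one certificate is overdue, expired or unreadable.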

technology/linux/certbot_on_centos_7.txt · Last modified: 2019/08/22 17:06 by travis
CC Attribution-Noncommercial-Share Alike 4.0 International