Get TLS/SSL certificates from Let's Encrypt, a certificate authority that issues them free of charge.

Refer to the Let's Encrypt official site below for details.
⇒ https://letsencrypt.org/

Certificates issued by Let's Encrypt are valid for 90 days.
However, the Certbot package includes a systemd timer that checks the certificates and renews them before they expire, so you do not need to renew them manually.

 
 

[1] Install the Certbot client, the tool that obtains certificates from Let's Encrypt.

root@barneo:~# apt -y install certbot

 

[2] Get certificates.
A web server such as Apache httpd or Nginx must be running on the host you are working on.
If no web server is running, skip this section and refer to section [3].
Furthermore, the host must be reachable from the Internet on port 80, and the FQDN you request must resolve to it, because Let's Encrypt verifies control of the name over HTTP (the HTTP-01 challenge).

 

# with the [--webroot] option, Certbot writes the challenge file under the document root of your running web server
# -w [document root] -d [FQDN you'd like to get certs for]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname

# if you'd like to get certs for 2 or more FQDNs, specify all of them as below
# ex : to get [barisdemirtas.com.tr] and [www.barisdemirtas.com.tr]
#      specify [-d barisdemirtas.com.tr -d www.barisdemirtas.com.tr]

root@barneo:~# certbot certonly --webroot -w /var/www/html -d barisdemirtas.com.tr
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Enter email address (used for urgent renewal and security notices)
# on first use only, register your email address and agree to the terms of service
# specify a valid email address; expiry and security notices are sent there
 (Enter 'c' to cancel): [your email address]

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-Agus-20-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# agree to the terms of service
(Y)es/(N)o: Y

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# this one is optional; answer as you like
(Y)es/(N)o: Y

Account registered.
Requesting a certificate for barisdemirtas.com.tr

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/barisdemirtas.com.tr/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/barisdemirtas.com.tr/privkey.pem
This certificate expires on 2022-11-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

# success if [Successfully received certificate] is shown
# certs are created under the [/etc/letsencrypt/live/(FQDN)/] directory
# the files there are symlinks to the current versions kept under [/etc/letsencrypt/archive/(FQDN)/],
# so configure your web server with the [live] paths and it keeps working after every renewal

# cert.pem       server (leaf) certificate, which includes the public key
# chain.pem      intermediate certificate(s)
# fullchain.pem  cert.pem and chain.pem combined; this is the file most web servers should be given
# privkey.pem    private key; keep it readable by root only and never place it under the web root
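Before pointing a web server at these files it is worth checking that the lineage is sound: that privkey.pem really belongs to cert.pem, that fullchain.pem starts with cert.pem, that the key is not readable by other users, and that renewal is not overdue. The POSIX shell functions below do that. They are an added example, not code from the original page or from Certbot, and assume only the openssl command-line tool and stat. The 30-day threshold mirrors Certbot's own renewal window; recent Certbot versions create privkey.pem with mode 0600, and the permission check catches keys that were later chmod'ed or copied.

```shell
#!/bin/sh
# Sanity checks for a Certbot lineage directory such as /etc/letsencrypt/live/barisdemirtas.com.tr/.
# Added example; not code from the original page or from Certbot. Requires openssl and stat.

# SHA-256 of the DER-encoded public key contained in a certificate; fails if the file is not a cert.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key; fails if the file is not a key.
key_pubkey_fp() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the private key ($2) belongs to the certificate ($1). A mismatch here is what makes a
# web server refuse to start after a botched manual copy of the files.
key_matches_cert() {
    a=$(cert_pubkey_fp "$1") || return 1
    b=$(key_pubkey_fp "$2") || return 1
    [ "$a" = "$b" ]
}

# 0 if the certificate is still valid for at least N days (default 30, Certbot's renewal threshold).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 0 if the first certificate in fullchain.pem is cert.pem (openssl x509 reads only the first PEM block).
fullchain_leaf_matches() {
    a=$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$1/fullchain.pem" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# 0 if the private key file is unreadable by group and others (mode 0600 or 0400).
# -L follows the live/ symlink so the real file under archive/ is what gets checked.
key_is_private() {
    mode=$(stat -L -c %a "$1" 2>/dev/null || stat -L -f %Lp "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run every check on one lineage directory; report each failure and return non-zero if any failed.
check_lineage() {
    dir=$1
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    key_matches_cert "$dir/cert.pem" "$dir/privkey.pem" || { echo "privkey.pem does not match cert.pem" >&2; rc=1; }
    fullchain_leaf_matches "$dir"     || { echo "fullchain.pem does not start with cert.pem" >&2; rc=1; }
    valid_for_days "$dir/cert.pem" 30 || { echo "cert.pem expires within 30 days; check certbot.timer" >&2; rc=1; }
    key_is_private "$dir/privkey.pem" || { echo "privkey.pem is readable by other users" >&2; rc=1; }
    return "$rc"
}

# Usage: check_lineage /etc/letsencrypt/live/barisdemirtas.com.tr && echo "lineage OK"
```

Run it as root (the live/ and archive/ directories are not readable by other users) right after issuance and again after the first automatic renewal; a failing expiry check at that point means the timer is not doing its job.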

 

[3] If no web server is running on your working host, it is possible to get certs using Certbot's built-in web server. This still requires that the host be reachable from the Internet on port 80 for verification by Let's Encrypt, and that nothing else is listening on port 80 while Certbot runs, because [--standalone] binds that port itself.

 

# with the [--standalone] option, Certbot answers the challenge with its own temporary web server on port 80
# -d [FQDN you'd like to get certs for]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname

# if you'd like to get certs for 2 or more FQDNs, specify all of them as below
# ex : to get [barisdemirtas.com.tr] and [www.barisdemirtas.com.tr]
#      specify [-d barisdemirtas.com.tr -d www.barisdemirtas.com.tr]

root@barneo:~# certbot certonly --standalone -d rx-9.barisdemirtas.com.tr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for rx-9.barisdemirtas.com.tr

 

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/rx-9.barisdemirtas.com.tr/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/rx-9.barisdemirtas.com.tr/privkey.pem
This certificate expires on 2022-11-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

[4] To renew existing certs manually, use the [renew] subcommand.
When [renew] runs, every cert with less than 30 days of validity left is renewed; the others are left alone.
If you'd like to renew certs that still have more than 30 days left, add the [--force-renew] option. Use it sparingly: forced renewals are real issuances and count against Let's Encrypt's rate limits.
However, the [certbot] package ships a systemd timer, so [renew] does not normally need to be run by hand.

 

# the systemd timer is included in the Certbot package

root@barneo:~# systemctl status certbot.timer
*  certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset:>
     Active: active (waiting) since Sat 2022-08-20 01:16:03 UTC; 12min ago
    Trigger: Sat 2022-08-20 18:17:15 UTC; 16h left
   Triggers:  certbot.service

 

root@barneo:~# systemctl list-timers certbot.timer --no-pager
NEXT                        LEFT     LAST PASSED UNIT          ACTIVATES
Sat 2022-08-20 18:17:15 UTC 16h left n/a  n/a    certbot.timer certbot.service

1 timers listed.
Pass --all to see loaded but inactive timers, too.

 

# by default [renew] is run twice a day: the timer fires at 00:00 and 12:00 and then waits a random
# delay of up to 12 hours (RandomizedDelaySec=43200), which spreads the load on the Let's Encrypt servers

root@barneo:~# systemctl cat certbot.timer
# /lib/systemd/system/certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

 

root@barneo:~# systemctl cat certbot.service
# /lib/systemd/system/certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://certbot.eff.org/docs
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

 

# for a manual renewal, run the following

root@barneo:~# certbot renew
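[renew] replaces the files under /etc/letsencrypt/live/(FQDN)/, but a web server that has already loaded the old certificate into memory keeps serving it until it is reloaded. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, with RENEWED_LINEAGE (the live/(FQDN) directory) and RENEWED_DOMAINS (the names on the new certificate, space-separated) in the environment, and that is the right place to do the reload. The hook below is an added example, not code from the original page or from Certbot; the file name, the choice of nginx and the SERVED_FQDN default are assumptions.

```shell
#!/bin/sh
# Deploy hook for certbot renewals, e.g. saved as /etc/letsencrypt/renewal-hooks/deploy/reload-web.sh
# (the directory is Certbot's; the file name is an assumption). Certbot runs it after a successful
# renewal with RENEWED_LINEAGE and RENEWED_DOMAINS set. Added example; not code from the page or from Certbot.
# Assumes nginx serves SERVED_FQDN from the live/ paths of that lineage.

SERVED_FQDN=${SERVED_FQDN:-barisdemirtas.com.tr}

# 0 if the name this server serves ($2) is among the renewed domains ($1), so that unrelated
# lineages on the same host (a mail server certificate, say) do not trigger a web-server reload.
should_reload() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Lineage name (the FQDN Certbot named the directory after) taken from RENEWED_LINEAGE.
lineage_name() {
    basename "$1"
}

# Validate the configuration before reloading. A non-zero exit here is reported by certbot as a
# hook failure in /var/log/letsencrypt/letsencrypt.log instead of being silently lost.
reload_web() {
    nginx -t && systemctl reload nginx
}

# Act only when invoked by certbot; the variables are unset when the script is run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(lineage_name "$RENEWED_LINEAGE")
    if should_reload "${RENEWED_DOMAINS:-}" "$SERVED_FQDN"; then
        logger -t certbot-deploy "renewed $name; reloading nginx"
        reload_web
    else
        logger -t certbot-deploy "renewed $name; no reload needed for $SERVED_FQDN"
    fi
fi
```

Make the file executable (root-owned, mode 0755). [certbot renew --dry-run] exercises the whole renewal path against the staging environment without issuing a real certificate; it runs pre and post hooks but not deploy hooks, so test the hook itself by hand once with RENEWED_LINEAGE=/etc/letsencrypt/live/barisdemirtas.com.tr RENEWED_DOMAINS=barisdemirtas.com.tr set in the environment.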

 

[5] If you'd like to convert the certificate to PKCS12 (PFX) format for Windows (for example for IIS), do as follows. Run it in the [/etc/letsencrypt/live/(FQDN)/] directory or give the full paths. The resulting .pfx contains the private key, so set a strong export password, keep the file's permissions restrictive, and transfer it only over an authenticated channel.

root@barneo:~# openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out dlp_for_iis.pfx
Enter Export Password:     # set an export password
Verifying - Enter Export Password:
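The interactive command above prompts for the password, which is fine at a terminal, but a script that passes it on the command line (-passout pass:...) exposes it in shell history and in ps output. The functions below, an added example that is not from the original page, read the password from a file instead, create the .pfx with mode 0600, and then open the bundle again to confirm it carries the lineage's current leaf certificate. The openssl tool is assumed; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Export a Certbot lineage to PKCS#12 and verify the bundle before shipping it to Windows.
# Added example; not code from the original page. Requires the openssl command-line tool.
# The password file should itself be mode 0600 and removed once the export is done.

# make_pfx <lineage dir> <out.pfx> <password file>
# The .pfx holds the private key, so it is written in a subshell with umask 077 (mode 0600).
make_pfx() {
    dir=$1; out=$2; passfile=$3
    ( umask 077 && openssl pkcs12 -export \
        -in "$dir/fullchain.pem" -inkey "$dir/privkey.pem" \
        -name "$(basename "$dir")" \
        -out "$out" -passout "file:$passfile" )
}

# Number of certificates stored in the bundle (leaf plus the intermediates from fullchain.pem).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# SHA-256 fingerprint of the leaf certificate inside the bundle (-clcerts skips the CA certificates).
pfx_leaf_fp() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of a PEM certificate file.
pem_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if the bundle opens with the password and its leaf is the lineage's current cert.pem.
pfx_matches_lineage() {
    pfx=$1; passfile=$2; dir=$3
    fp=$(pfx_leaf_fp "$pfx" "$passfile")
    [ -n "$fp" ] && [ "$fp" = "$(pem_fp "$dir/cert.pem")" ]
}

# Usage (paths are placeholders):
#   umask 077; openssl rand -base64 24 > /root/pfx.pass
#   make_pfx /etc/letsencrypt/live/barisdemirtas.com.tr /root/barisdemirtas.pfx /root/pfx.pass
#   pfx_matches_lineage /root/barisdemirtas.pfx /root/pfx.pass /etc/letsencrypt/live/barisdemirtas.com.tr && echo OK
```

Remember that the .pfx is a snapshot: after the next automatic renewal it no longer matches what the Linux host serves, so the export has to be repeated (a deploy hook is a natural place for it). If an older Windows release refuses to import the bundle, the usual cause is that OpenSSL 3 encrypts the key and certificate bags with AES-256-CBC and PBKDF2 by default; adding [-legacy] to the export command falls back to the older algorithms those systems understand.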

 

 

Barış Demirtaş

 

August 2022
