My experience with certbot on CentOS 8
I finally bit the bullet and set up Let's Encrypt for myself. The certbot instructions say to use a snap, but that is a hard negative for my environment. Thankfully, CentOS 8 has the certbot package from epel! (And don't hate on me! I had installed CentOS 8 about 2 weeks before the fateful news.) So I installed certbot, which pulls in some python dependencies.
sudo yum install certbot
Dependencies resolved.
===========================================================================
 Package                    Architecture  Version        Repository  Size
===========================================================================
Installing:
 certbot                    noarch        1.10.1-1.el8   epel        49 k
Installing dependencies:
 python3-acme               noarch        1.10.1-1.el8   epel        88 k
 python3-certbot            noarch        1.10.1-1.el8   epel       387 k
 python3-configargparse     noarch        0.14.0-6.el8   epel        36 k
 python3-josepy             noarch        1.2.0-5.el8    epel        95 k
 python3-ndg_httpsclient    noarch        0.5.1-4.el8    epel        53 k
 python3-parsedatetime      noarch        2.5-1.el8      epel        79 k
 python3-pyOpenSSL          noarch        18.0.0-1.el8   appstream  103 k
 python3-pyrfc3339          noarch        1.1-1.el8      epel        19 k
 python3-requests-toolbelt  noarch        0.9.1-4.el8    epel        91 k
 python3-zope-component     noarch        4.3.0-8.el8    epel       313 k
 python3-zope-event         noarch        4.2.0-12.el8   epel       210 k
 python3-zope-interface     x86_64        4.6.0-1.el8    epel       158 k

Transaction Summary
===========================================================================
Install  13 Packages
I have experience with Apache httpd configs, so I wasn't interested in letting certbot touch them. Instead I opted for the webroot challenge mechanism (the --webroot authenticator), which only writes the HTTP-01 challenge files under .well-known/acme-challenge/ beneath your existing webroot and leaves the httpd config alone. That, I learned, took a small amount of manual preparation: creating the challenge directory and fixing its SELinux context. Not a biggie, but worth knowing to simplify the process.
cd /var/www
sudo mkdir -p .well-known/acme-challenge   # the directory certbot writes the challenge tokens into
sudo restorecon -Rv .well-known            # relabel it for httpd (-R recurse, -v show changes; a -n flag would only report, not relabel)
I suppose it might be a good thing that even with sudo, certbot does not make directories or restore SELinux contexts. But now I was ready to run for real:
sudo certbot certonly --webroot -w /var/www -d www.example.com
It was fun to watch my apache logs and see the various IP addresses check my acme-challenge responses. It only took 7 seconds before the process was complete and I was issued my certificate!
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.example.com/privkey.pem
And now I can configure my httpd confs the way I want to, instead of letting somebody else fiddle with them. And all this because my friends don't know how to trust my root CA cert, let alone actually want to do that.
Operations
I set up my renewal with a shell script and cron.
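An added example of what such a renewal script and cron entry can look like, written for this page rather than taken from the post or from certbot itself. It folds in the webroot preparation from earlier (create the challenge directory, relabel it) so a cron run never fails on a missing or mislabelled directory, relies on certbot's own renew logic to decide whether a certificate is close enough to expiry, and reloads httpd only when a certificate was actually replaced. The webroot /var/www, the script path /usr/local/sbin/le-renew.sh, the log path and the systemctl reload command are assumptions; the hostname passed to the check function is whatever you issued the certificate for.

```shell
#!/bin/sh
# le-renew.sh: cron-driven Let's Encrypt renewal for a --webroot setup.
# Assumed paths (not from the original post): /var/www as webroot, this file
# installed as /usr/local/sbin/le-renew.sh, httpd reloaded via systemctl.
#
# Suggested cron entry (/etc/cron.d/le-renew), twice a day at an odd minute;
# the script adds its own random delay so many hosts do not hit the CA at once:
#   17 3,15 * * * root /usr/local/sbin/le-renew.sh run >>/var/log/le-renew.log 2>&1

set -u

WEBROOT=${WEBROOT:-/var/www}
CERTBOT=${CERTBOT:-/usr/bin/certbot}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload httpd"}

# Path certbot's webroot authenticator writes HTTP-01 tokens into.
challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "$1"
}

# Make sure the challenge directory exists, is world-readable and carries the
# httpd SELinux label; a renewal run from cron will not fix either for you.
prepare_webroot() {
    dir=$(challenge_dir "$1")
    mkdir -p "$dir" || return 1
    chmod 755 "$dir" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$dir" || return 1
    fi
    return 0
}

# Check that httpd really serves the challenge path over plain HTTP (no
# redirect to HTTPS, no 403 on the dot-directory) by fetching a probe file.
# Usage: check_challenge_served www.example.com /var/www ; returns 0 on success.
check_challenge_served() {
    token="probe-$$"
    printf 'ok\n' > "$(challenge_dir "$2")/$token" || return 1
    body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$(challenge_dir "$2")/$token"
    [ "$rc" -eq 0 ] && [ "$body" = "ok" ]
}

main() {
    prepare_webroot "$WEBROOT" || { echo "cannot prepare $WEBROOT" >&2; exit 1; }
    # Random delay of up to 10 minutes to spread load on the CA.
    sleep $(( $(od -An -N2 -tu2 /dev/urandom) % 600 ))
    # certbot renew only renews certificates near expiry (within 30 days by
    # default) and runs --deploy-hook only when one was actually renewed.
    "$CERTBOT" renew --quiet --deploy-hook "$RELOAD_CMD"
}

# Entry point: only runs when invoked with "run", so the functions above can
# also be sourced for testing.
if [ "${1:-}" = "run" ]; then
    main
fi
```

`certbot renew` reads /etc/letsencrypt/renewal/<name>.conf, which remembers the webroot authenticator and path from the certonly run, so no -w is needed here. Test the whole chain against the staging CA first with `certbot renew --dry-run` before trusting the cron job. The EPEL package also ships certbot-renew.service and certbot-renew.timer systemd units that do the same job; check with `systemctl list-unit-files 'certbot*'` if you would rather use those than cron.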
References
Syntax of automatic command: https://community.letsencrypt.org/t/certonly-enter-a-webroot/27442
Certbot instructions for CentOS/RHEL 7 with Apache: https://certbot.eff.org/lets-encrypt/centosrhel7-apache