One of the most popular ways to secure a web site currently is using Let's Encrypt SSL certificates, which are also free.
These are actual certificates, not self-signed or snake oil, etc., so they are great for a low-budget security solution. This document will walk you through the process of installing and using Let's Encrypt certificates on a Rocky Linux web server.
To do the next steps, use ssh to log into your server. If your server's fully qualified DNS name was , then you would use:
ssh-lrootwww.myhost.com
Or, if you must access your server as an unprivileged user first. Use your username:
ssh-lusernamewww.myhost.com
And then:
sudo-s
You will need your sudo user's credentials in this case to gain access to the system as root.
Let's Encrypt uses a package called certbot which needs to be installed via the EPEL repositories. Add those first:
dnfinstallepel-release
Then install the appropriate packages, depending on whether you use Apache or Nginx as your web server. For Apache that is:
dnfinstallcertbotpython3-certbot-apache
For Nginx, just change out one package:
dnfinstallcertbotpython3-certbot-nginx
You can always install both server modules if necessary.
Note
An earlier version of this guide required the snap package version of certbot, which was necessary at the time. The RPM versions have been re-tested recently, and are working now. That said, Certbot strongly recommends the use of the snap install procedure. Rocky Linux 8 and 9 have certbot available in the EPEL, so we show that procedure here. If you would like to use the procedure recommended by Certbot, just follow that procedure instead.
Getting The Let's Encrypt Certificate for the Apache Server¶
There are two ways to retrieve your Let's Encrypt certificate, either using the command to modify the http configuration file for you, or to just retrieve the certificate. If you are using the procedure for a multi-site setup suggested for one or more sites in the procedure Apache Web Server Multi-Site Setup, then you will only want to retrieve your certificate.
We are assuming that you are using this procedure so we will only retrieve the certificate. If you are running a standalone web server using the default configuration, you can retrieve the certificate and modify the configuration file in one step using:
certbot--apache
That's really the easiest way to get things done. However, sometimes you want to take a more manual approach and grab the certificate. To retrieve the certificate only, use this command:
certbotcertonly--apache
Both commands will generate a set of prompts you need to answer. The first is to give an email address for important information:
The next is a request to share your email with the Electronic Frontier Foundation. Answer 'Y' or 'N' as is your preference:
----------------------------------------
Wouldyoubewilling,onceyourfirstcertificateissuccessfullyissued,to
shareyouremailaddresswiththeElectronicFrontierFoundation,afounding
partneroftheLet's Encrypt project and the non-profit organization thatdevelops Certbot? We'dliketosendyouemailaboutourworkencryptingtheweb,
EFFnews,campaigns,andwaystosupportdigitalfreedom.
----------------------------------------
(Y)es/(N)o:
The next prompt asks you which domain you want the certificate for. It should display a domain in the listing based on your running web server. If so, enter the number next to the domain for which you are getting the certificate. In this case there is only one option ('1'):
Applying the configuration file to our site is slightly different than if we were using a purchased SSL certificate from another provider (and if we didn't let certbot do it automatically).
A single PEM (Privacy Enhanced Mail) file includes the certificate and chain file. This is a common format for all certificate files now, so even though it has "Mail" in the reference, it is just a type of certificate file. To illustrate the configuration file, we will show it in it's entirety and then describe what is happening:
Here's what's happening above. You may want to review the Apache Web Server Multi-Site Setup to see the differences in the application of an SSL purchased from another provider and the Let's Encrypt certificate:
Even though port 80 (standard http) is listening, we are redirecting all traffic to port 443 (https)
SSLEngine on - simply says to use SSL
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 - says to use available protocols, except those found to have vulnerabilities. You should research periodically which protocols are currently acceptable for use.
SSLHonorCipherOrder on - this deals with the next line regarding the cipher suites, and says to deal with them in the order that they are given. This is another area where you should review the cipher suites that you want to include periodically
SSLCertificateFile - this is the PEM file, that contains the site certificate AND the intermediate certificate. We still need the 'SSLCertificateChainFile' line in our configuration, but it will simply specify the same PEM file again.
SSLCertificateKeyFile - the PEM file for the private key, generated with the certbot request.
SSLCertificateChainFile - the certificate from your certificate provider, often called the intermediate certificate, in this case exactly like the 'SSLCertificateFile' location above.
Once you have made all of your changes, simply restart httpd and if it starts test your site to make sure you now have a valid certificate file showing. If so, you are ready to move on to the next step: automation.
A quick note: using certbot with Nginx is pretty much the same as with Apache. Here's the short, short version of the guide:
Run this command to get started:
certbot--nginx
You will need to enter your email address and the site you want a certificate for. Assuming you have at least one site configured (with a domain name pointing at the server), you'll see a list like this:
1.yourwebsite.com
2.subdomain.yourwebsite.com
If you have multiple sites, press the number that corresponds to the site you want a certificate for.
The rest of the text is similar to what is above. The results will be a bit different. If you have an Nginx configuration file that looks like this:
After certbot gets through with it, it'll look like a bit this:
server{server*nameyourwebsite.com;listen443ssl;# managed by Certbotlisten[::]:443ssl;# managed by Certbotssl_certificate/etc/letsencrypt/live/yourwebsite.com/fullchain.pem;# managed by Certbotssl_certificate_key/etc/letsencrypt/live/yourwebsite.com/privkey.pem;# managed by Certbotinclude/etc/letsencrypt/options-ssl-nginx.conf;# managed by Certbotssl_dhparam/etc/letsencrypt/ssl-dhparams.pem;# managed by Certbotlocation/{root/usr/share/nginx/html;indexindex.htmlindex.htm;}}
server{if($host=yourwebsite.com){return301https://$host$request_uri;}# managed by Certbotlisten80;listen[::]:80;server_nameyourwebsite.com;return404;# managed by Certbot}
Depending on a couple of things (for example, if you're using Nginx as a reverse proxy), you may need to dive into the new configuration file to fix up a few things that certbot won't handle perfectly on its own.
Or write your own configuration file the hard way.
The beauty of installing certbot is that the Let's Encrypt certificate will be automatically renewed. There is no need to create a process to do this. We do need to test the renewal with:
certbotrenew--dry-run
When you run this command, you'll get a nice output showing the renewal process:
Let's Encrypt SSL certificates are yet another option for securing your web site with an SSL. Once installed, the system provides automatic renewal of certificates and will encrypt traffic to your web site.
It should be noted that Let's Encrypt certificates are used for standard DV (Domain Validation) certificates. They cannot be used for OV (Organization Validation) or EV (Extended Validation) certificates.
Author: Steven Spencer
Contributors: wsoyinka, Antoine Le Morvan, Ezequiel Bruni, Andrew Thiesen, Ganna Zhyrnova