Difference between revisions of "Setup SSL"

From rbachwiki
Latest revision as of 19:27, 31 August 2022

This page follows the Linode doc on setting up SSL: Link to Linode Doc

Certbot website

Installing Snapd

If snapd is not installed, install it now.

sudo apt update
sudo apt install snapd

Install the core snap.

sudo snap install core
sudo snap refresh core

Installing Certbot

The next step is to install Certbot using the snap command.

Remove any previously installed certbot packages to avoid conflicts with the new Snap package.

sudo apt remove certbot

Use Snap to install Certbot.

sudo snap install --classic certbot

Configure a symbolic link to the Certbot directory using the ln command.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Requesting a TLS/SSL Certificate Using Certbot

During the certificate granting process, Certbot asks a series of questions about the domain so it can properly request the certificate. You must agree to the terms of service and provide a valid administrative email address. Depending upon the server configuration, the messages displayed by Certbot might differ somewhat from what is shown here.

Run Certbot to start the certificate request. When Certbot runs, it requests and installs a certificate file along with a private key file. When used with the Apache plugin (--apache), Certbot also automatically edits the configuration files for Apache, which dramatically simplifies configuring HTTPS for your web server. If you prefer to manually adjust the configuration files, you can run Certbot using the certonly command.

Request a certificate and automatically configure it on Apache (recommended):

sudo certbot --apache


During the installation process, Certbot will prompt you for some basic information including your email address and domain name.

Enter email address. The first prompt is to request an email address where Certbot can send urgent notices about the domain or registration. This should be the address of the web server administrator.

Accept terms of service. Certbot next asks you to agree to the Let’s Encrypt terms of service. Use the link in the output to download the PDF file and review the document. If you agree with the terms, enter Y. Entering N terminates the certificate request.

Optionally subscribe to mailing list. Certbot asks if you want to subscribe to the EFF mailing list. You can answer either Y or N without affecting the rest of the installation.

Enter domain name(s). Certbot now requests a domain name for the certificate. If there is a virtual host file for the domain, Certbot displays the names of the eligible domains. Select the numbers corresponding to the domains you are requesting certificates for, separated by spaces. If the domain doesn’t appear, you can enter the name for each domain without the http or https prefix. For each domain name, you should request separate certificates with and without the www prefix. If you have more than one domain to certify, separate the names with either a space or a comma.

www.example.com example.com

Note Certbot displays the names of domains configured in the virtual host files within Apache. Select the numbers corresponding to the domains you are requesting certificates for, separated by spaces.

Certbot then communicates with Let’s Encrypt to request the certificate(s) and perform any necessary challenges as defined in the ACME standard (see Challenge Types). In most cases, ownership can be proven through the HTTP challenge, which automatically adds a file on your web server. If you wish to change the challenge type or perform challenge manually, see the Manual section in the Certbot documentation.

If the operation is successful, Certbot confirms the certificates are enabled and outputs the details. It also displays some information about the directories where the certificates and key chains are stored, along with the expiration date. Certificates typically expire in 90 days.

Testing the HTTPS Connection

The next step is to confirm the website is properly configured to use your new certificate and is accessible over HTTPS. To do this, navigate to your website on a web browser, making sure to specify the https:// protocol when entering your URL. If a lock is visible to the left of the domain name on the browser’s address bar, the certificate is likely working as expected. If the certificate is not installed properly, the browser displays a warning page.

You can also enter your domain into the SSL Server Test by Qualys SSL Labs to verify that the TLS/SSL certificate has been properly installed and configured.


Renewing a TLS/SSL Certificate Using Certbot

Upon installation, Certbot is configured to renew any certificates automatically. It is not necessary to manually request an updated certificate or run Certbot again unless the site configuration changes. However, Certbot makes it possible to test the auto-renew mechanism or to forcibly update all certificates.

Test Automated Renewals

To confirm Certbot is configured to renew its certificates automatically, use certbot renew along with the dry-run flag.

sudo certbot renew --dry-run

Certbot inspects the certificates and confirms they are not yet due for renewal, but simulates the renewal process anyway. It then reports whether the renewal would have succeeded.
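The browser lock check above and the dry-run renewal both rely on someone looking at output. The following script is an added example (not from the Linode doc or this wiki) that checks a Let's Encrypt certificate file offline, such as /etc/letsencrypt/live/example.com/fullchain.pem, against certbot's default 30-day renewal window (assumed default), and can also show what certificate the live server actually presents. It only needs openssl.

```shell
#!/bin/sh
# Added example: expiry check for a Let's Encrypt certificate file and a look at
# the certificate a web server actually serves. Requires the openssl CLI.

# Return 0 if the certificate in $2 expires within $1 days (or is already expired),
# 1 if it does not, 2 if the file cannot be read.
# openssl's -checkend exits 0 when the cert will STILL be valid, so we invert it.
cert_expires_within() {
    days="$1"; pem="$2"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter date and whether the certificate is inside certbot's
# default 30-day renewal window (assumption: renew_before_expiry left at default).
# Returns 0 when more than 30 days remain, 1 when renewal should already be happening.
renewal_status() {
    pem="$1"
    openssl x509 -noout -enddate -in "$pem" || return 2
    if cert_expires_within 30 "$pem"; then
        echo "RENEW: within 30 days of expiry; run 'sudo certbot renew --dry-run' and check the snap timer"
        return 1
    fi
    echo "OK: more than 30 days remain"
    return 0
}

# Show subject, SANs and dates of the certificate HOST presents on 443 (SNI set),
# which is what the browser sees. Needs network access; not exercised offline.
live_cert_info() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName -dates
}

# Usage: renewal_status /etc/letsencrypt/live/example.com/fullchain.pem
#        live_cert_info example.com
```

Run renewal_status from cron or a monitoring check so a failed auto-renewal is noticed before the 90-day expiry rather than after the browser warning page appears.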

Add additional domains

This creates a new certificate covering the domains you are adding.

sudo certbot --apache

Changing a Certificate’s Domains

The --cert-name flag can also be used to modify the domains a certificate contains, by specifying new domains using the -d or --domains flag. If certificate example.com previously contained example.com and www.example.com, it can be modified to only contain example.com by specifying only example.com with the -d or --domains flag. Example:

certbot certonly --cert-name example.com -d example.com

The same format can be used to expand the set of domains a certificate contains, or to replace that set entirely:

certbot certonly --cert-name example.com -d example.org,www.example.org

Linode