Installing Certbot for HTTPS

An SSL certificate is necessary for providing an HTTPS web service. Many commercial vendors sell SSL certificates. Certbot is a free tool developed by Let's Encrypt for obtaining, installing, and renewing SSL/TLS certificates.

Pre-Requisites

An SSL certificate is issued for a domain name that maps to your web server. Thus, the following are required for obtaining and installing an SSL certificate:

To get a static IP address, you can either request one from your IT department (for a local server) or get one from your cloud vendor (for a cloud-based server). Once you have a server with a static IP address, you can either ask your IT department to associate a domain name with it, or you can register a domain name and point it at your static IP address using any one of the many DNS vendors.

Associating a Static IP Address with a Cloud Virtual Machine

Google Cloud Platform: After creating your virtual machine on GCP, click the name of the server in the GCP portal, then click <Edit>. Scroll down to Network Interfaces and click the box labelled something like <nic0:default default>. In the expanded menu, open the External IP dropdown and select <Create IP Address>. Give it a name and click <Reserve>. Your server now has a static IP address; make a note of it so that you can point your DNS record at it.

To delete the static IP go to the External IP Addresses page, select the IP address, click "Release Static Address", and then "Delete".

Amazon Web Service: Consult AWS documentation.

Azure: Consult Azure documentation.

General Strategy

After obtaining a static IP address that a DNS name for your web server points to, the process of using Certbot to obtain and use an SSL certificate is:

  1. Install Certbot on your server
  2. Use Certbot to obtain an SSL/TLS certificate
  3. Install the certificate
  4. Configure httpd/apache
  5. Set up automatic renewal of your certificate

Installing Certbot Using SITC

If using the Server In The Cloud (SITC) script for WebMO, installing Certbot is fully automated.

  1. Create a virtual machine in the cloud with a static IP address
  2. Use the sitc script to install WebMO and desired engines
  3. Obtain a Domain Name for your static IP address
  4. Run the command:
    $ ./sitc/install --enable-certbot="<DN>"
    where <DN> is the registered Domain Name, e.g., webmo.university.edu.

Alternatively, Certbot can be installed manually for different Linux distributions with the following instructions.

CentOS 7 and 8

  1. Become root:
    $ sudo su -
  2. Install OpenSSL and mod_ssl, and enable the EPEL repository:
    # yum -y install openssl mod_ssl
    # yum -y install epel-release
  3. Install Certbot:
    # yum -y install certbot
  4. Export your domain name for use in subsequent commands:
    # export MY_DN="domain.com"
    where domain.com is your domain that you have pointed at this server
  5. Get a certificate:
    # certbot certonly --webroot --webroot-path=/var/www/html -d $MY_DN --register-unsafely-without-email --agree-tos
  6. Install the certificate:
    # sed -i.orig "s&^SSLCertificateFile.*&SSLCertificateFile /etc/letsencrypt/live/$MY_DN/cert.pem&g" /etc/httpd/conf.d/ssl.conf
    # sed -i "s&^SSLCertificateKeyFile.*&SSLCertificateKeyFile /etc/letsencrypt/live/$MY_DN/privkey.pem&g" /etc/httpd/conf.d/ssl.conf
    # sed -i "s&^#SSLCertificateChainFile.*&SSLCertificateChainFile /etc/letsencrypt/live/$MY_DN/chain.pem&g" /etc/httpd/conf.d/ssl.conf
  7. Configure httpd:
    Add the following code to the end of the file /etc/httpd/conf/httpd.conf where domain.com is your domain name
    <VirtualHost *:80>
    Redirect permanent / https://domain.com/
    </VirtualHost>
  8. Restart httpd:
    # systemctl restart httpd

CentOS 6

  1. Become root:
    $ sudo su -
  2. Install OpenSSL and mod_ssl, and enable the EPEL repository:
    # yum -y install openssl mod_ssl
    # yum -y install epel-release
  3. Install Certbot:
    # wget https://dl.eff.org/certbot-auto
    # mv certbot-auto /usr/local/bin/certbot
    # chown root /usr/local/bin/certbot
    # chmod 0755 /usr/local/bin/certbot
  4. Export your domain name for use in subsequent commands:
    # export MY_DN="domain.com"
    where domain.com is your domain that you have pointed at this server
  5. Get a certificate:
    # certbot -n certonly --webroot --webroot-path=/var/www/html -d $MY_DN --register-unsafely-without-email --agree-tos
  6. Install the certificate:
    # sed -i.orig "s&^SSLCertificateFile.*&SSLCertificateFile /etc/letsencrypt/live/$MY_DN/cert.pem&g" /etc/httpd/conf.d/ssl.conf
    # sed -i "s&^SSLCertificateKeyFile.*&SSLCertificateKeyFile /etc/letsencrypt/live/$MY_DN/privkey.pem&g" /etc/httpd/conf.d/ssl.conf
    # sed -i "s&^#SSLCertificateChainFile.*&SSLCertificateChainFile /etc/letsencrypt/live/$MY_DN/chain.pem&g" /etc/httpd/conf.d/ssl.conf
  7. Configure httpd:
    Add the following code to the end of the file /etc/httpd/conf/httpd.conf where domain.com is your domain name
    <VirtualHost *:80>
    Redirect permanent / https://domain.com/
    </VirtualHost>
  8. Restart httpd:
    # service httpd restart

Debian 9 and 10

  1. Become root:
    $ sudo su -
  2. Install Certbot:
    # apt-get install -y certbot
  3. Export your domain name for use in subsequent commands:
    # export MY_DN="domain.com"
    where domain.com is your domain that you have pointed at this server
  4. Get a certificate:
    # certbot certonly --webroot --webroot-path=/var/www/html -d $MY_DN --register-unsafely-without-email --agree-tos
  5. Install certificate:
    # sed -i.orig "s&^[[:space:]]*SSLCertificateFile.*&SSLCertificateFile /etc/letsencrypt/live/$MY_DN/cert.pem&g" /etc/apache2/sites-enabled/default-ssl.conf
    # sed -i "s&^[[:space:]]*SSLCertificateKeyFile.*&SSLCertificateKeyFile /etc/letsencrypt/live/$MY_DN/privkey.pem&g" /etc/apache2/sites-enabled/default-ssl.conf
    # sed -i "s&^[[:space:]]*#SSLCertificateChainFile.*&SSLCertificateChainFile /etc/letsencrypt/live/$MY_DN/chain.pem&g" /etc/apache2/sites-enabled/default-ssl.conf
    (the directives in default-ssl.conf are indented with tabs, so the pattern must allow leading whitespace)
  6. Configure apache:
    Add the following code to the end of the file /etc/apache2/apache2.conf where domain.com is your domain name
    <VirtualHost *:80>
    Redirect permanent / https://domain.com/
    </VirtualHost>
  7. Restart apache:
    # systemctl restart apache2

Ubuntu 16, 18, and 20

  1. Become root:
    $ sudo su -
  2. Enable the universe repo:
    # apt-get update
    # apt-get install -y software-properties-common
    # add-apt-repository -y universe
  3. Install Certbot:
    # add-apt-repository -y ppa:certbot/certbot
    (the PPA is only needed on 18.04 and 16.04; skip this command on 20.04)
    # apt-get -y update
    # apt-get install -y certbot
  4. Export your domain name for use in subsequent commands:
    # export MY_DN="domain.com"
    where domain.com is your domain that you have pointed at this server
  5. Get a certificate:
    # certbot certonly --webroot --webroot-path=/var/www/html -d $MY_DN --register-unsafely-without-email --agree-tos
  6. Install certificate:
    # sed -i.orig "s&^[[:space:]]*SSLCertificateFile.*&SSLCertificateFile /etc/letsencrypt/live/$MY_DN/cert.pem&g" /etc/apache2/sites-enabled/default-ssl.conf
    # sed -i "s&^[[:space:]]*SSLCertificateKeyFile.*&SSLCertificateKeyFile /etc/letsencrypt/live/$MY_DN/privkey.pem&g" /etc/apache2/sites-enabled/default-ssl.conf
    # sed -i "s&^[[:space:]]*#SSLCertificateChainFile.*&SSLCertificateChainFile /etc/letsencrypt/live/$MY_DN/chain.pem&g" /etc/apache2/sites-enabled/default-ssl.conf
    (the directives in default-ssl.conf are indented with tabs, so the pattern must allow leading whitespace)
  7. Configure apache:
    Add the following code to the end of the file /etc/apache2/apache2.conf where domain.com is your domain name
    <VirtualHost *:80>
    Redirect permanent / https://domain.com/
    </VirtualHost>
  8. Restart apache:
    # systemctl restart apache2
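As an added example (not code from the SITC project or from this page), the "Install the certificate" step of the CentOS, Debian and Ubuntu sections above is written here as one shell function that handles both the unindented httpd ssl.conf and the tab-indented apache2 default-ssl.conf, followed by a check that all three directives really point at the Let's Encrypt files. It assumes GNU sed (for -i) and the /etc/letsencrypt/live/<domain> layout used above; the config fragment and the domain webmo.example.org in the self-check are constructed samples.

```shell
#!/bin/sh
# Added helper, not part of WebMO/SITC: rewrite the three SSL directives in an
# Apache/httpd config so they point at the Let's Encrypt live files for a
# domain, then verify the rewrite instead of trusting three blind seds.
# Assumes GNU sed and the /etc/letsencrypt/live/<domain>/ layout.

# Point the directives in CONF at the live certificate for DOMAIN. Tolerates
# leading tabs/spaces and un-comments a '#SSLCertificateChainFile' line.
point_apache_at_letsencrypt() {
    conf="$1"; domain="$2"
    live="/etc/letsencrypt/live/$domain"
    # Back up the untouched file once; re-running must not overwrite the backup.
    [ -f "$conf.orig" ] || cp "$conf" "$conf.orig"
    # '&' is the sed delimiter because the replacement text contains slashes.
    sed -i \
        -e "s&^[[:space:]]*SSLCertificateFile.*&SSLCertificateFile $live/cert.pem&" \
        -e "s&^[[:space:]]*SSLCertificateKeyFile.*&SSLCertificateKeyFile $live/privkey.pem&" \
        -e "s&^[[:space:]]*#*SSLCertificateChainFile.*&SSLCertificateChainFile $live/chain.pem&" \
        "$conf"
}

# Return 0 only if CONF has exactly one active copy of each directive and
# every one of them points into the live directory for DOMAIN.
verify_ssl_conf() {
    conf="$1"; domain="$2"
    live="/etc/letsencrypt/live/$domain"
    for pair in SSLCertificateFile=cert.pem SSLCertificateKeyFile=privkey.pem \
                SSLCertificateChainFile=chain.pem; do
        directive="${pair%%=*}"; file="${pair#*=}"
        n=$(grep -c "^[[:space:]]*$directive[[:space:]]*$live/$file\$" "$conf" || true)
        [ "$n" -eq 1 ] || return 1
    done
    return 0
}

# Self-check on a constructed, tab-indented Debian-style fragment (not a real
# config file) in a temp dir; returns 0 if the rewrite verified afterwards.
demo_on_sample() {
    dir=$(mktemp -d); conf="$dir/default-ssl.conf"
    printf '<VirtualHost _default_:443>\n\t\tSSLEngine on\n' > "$conf"
    printf '\t\tSSLCertificateFile\t/etc/ssl/certs/ssl-cert-snakeoil.pem\n' >> "$conf"
    printf '\t\tSSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n' >> "$conf"
    printf '\t\t#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt\n' >> "$conf"
    printf '</VirtualHost>\n' >> "$conf"
    if verify_ssl_conf "$conf" webmo.example.org; then rm -rf "$dir"; return 1; fi
    point_apache_at_letsencrypt "$conf" webmo.example.org
    verify_ssl_conf "$conf" webmo.example.org; rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

On a real host, run point_apache_at_letsencrypt on the ssl.conf or default-ssl.conf path from your section with $MY_DN, then verify_ssl_conf with the same arguments before restarting the web server.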

Renewing a Certificate

You must renew your certificate at least once every three months. To do so, run the command:
# certbot renew
certbot renew only replaces certificates that are within 30 days of expiry and leaves the others alone, so it is safe to run it often. Because the certificates above were requested with --register-unsafely-without-email, Let's Encrypt cannot send you expiry warnings, so the automated job is your only safeguard. Note also that httpd/apache keeps serving the old certificate from memory until it is reloaded or restarted.

You can automate this process with a cron job by adding the following line to /etc/crontab (entries in /etc/crontab need a user field, here root; the line below runs the check daily at midnight):
0 0 * * * root /path/to/certbot renew
where the certbot path can be found with:
# which certbot
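Added example, not from this page or the SITC project: a renewal job that reloads the web server only when certbot actually replaced a certificate (via certbot's --deploy-hook), together with a check, usable from the same cron job or from monitoring, that the certificate on disk still has at least 30 days of validity. It assumes the /etc/letsencrypt/live/<domain> paths from the sections above and that openssl is installed; the self-check generates throwaway self-signed certificates and does not touch /etc/letsencrypt.

```shell
#!/bin/sh
# Added helper, not part of WebMO/SITC. certbot renew only writes new files;
# the running httpd/apache2 must be reloaded to serve them. The deploy hook
# runs the reload only on an actual renewal, and the check below catches a
# renewal that silently failed (no email warnings were registered above).

# Return 0 if CERT stays valid for at least MIN_DAYS more days, 1 otherwise.
cert_valid_for_days() {
    cert="$1"; min_days="$2"
    # openssl x509 -checkend takes seconds and exits 1 if the certificate
    # expires within that window.
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1
}

# What the cron job should run. RELOAD is 'systemctl reload httpd' on CentOS
# and 'systemctl reload apache2' on Debian/Ubuntu (assumed commands).
renew_and_check() {
    domain="$1"; reload="$2"
    certbot renew --quiet --deploy-hook "$reload" || return 1
    cert_valid_for_days "/etc/letsencrypt/live/$domain/cert.pem" 30
}

# Self-check with constructed throwaway self-signed certs: one valid for 10
# days must be flagged, one valid for 80 days must pass. Returns 0 on success.
demo_check_flags_short_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj /CN=demo.invalid \
        -keyout "$dir/k1.pem" -out "$dir/short.pem" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 80 -subj /CN=demo.invalid \
        -keyout "$dir/k2.pem" -out "$dir/long.pem" >/dev/null 2>&1 || return 1
    if cert_valid_for_days "$dir/short.pem" 30; then rm -rf "$dir"; return 1; fi
    cert_valid_for_days "$dir/long.pem" 30; rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

A crontab entry such as "0 0 * * * root /path/to/this.sh" that calls renew_and_check "$MY_DN" "systemctl reload httpd" replaces the plain renew line above; a non-zero exit is the signal to investigate.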