Skip to main content

Setup SSL - It's Free

There's no reason to skip SSL anymore. These instructions will setup an auto-refreshing SSL certificate using the Let's Encrypt Certbot.


Install Certbot

Certbot requires snap (ugh). This will setup snap and then install Certbot.

sudo dnf install mod_ssl mod_fcgid snapd
sudo systemctl enable --now snapd.socket
sudo snap install core; sudo snap refresh core
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

If the snap install command fails, just run it again. It will sometimes fail on the first attempt.


Install SSL Cert

This assumes you have setup apache to serve your site over http first.

sudo certbot --apache

You can also add a specific list of domains to request certificates for. I prefer to do this:

sudo certbot --apache -d www.mysite.com -d api.mysite.com

Sometimes this step may fail the first time as well. Give it a a little time and then try again. It may fail because your DNS is still propagating.


Setup Automatic Certificate Renewal

Open up the root crontab entry:

sudo vim /etc/crontab

Enter the following entry which will check your SSL certs twice daily and also make sure not to flood Let's Encrypt at the same time as everyone else.

# Twice daily check of Lets Encrypt SSL Cert
0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q

If you don't have python3 installed, you can do so with:

sudo dnf install python3


General Notes

  • Cloudflare can cause issues with the challenge so disable it (set it to passthrough on the DNS page) while issuing the cert if you run into issues.
  • The certbot logs live in: /var/log/letsencrypt/letsencrypt.log

 

Areas for Improvement

This guide works but there are some areas for improvement in the future to lower the extra dependencies.

TODO:

  • Use an alternate client instead of Certbot. For example: acme.sh
    • This is more lightweight and removes the dependency on snap (ugh).
  • Use $RANDOM and sleep in crontab to remove python3 dependency
No Comments
Back to top