Setup SSL - It's Free
There's no reason to skip SSL anymore. These instructions will setup an auto-refreshing SSL certificate using the Let's Encrypt Certbot.
Certbot requires snap (ugh). This will setup snap and then install Certbot.
sudo dnf install mod_ssl mod_fcgid snapd sudo systemctl enable --now snapd.socket sudo snap install core; sudo snap refresh core sudo ln -s /var/lib/snapd/snap /snap sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot
If the snap install command fails, just run it again. It will sometimes fail on the first attempt.
Install SSL Cert
This assumes you have setup apache to serve your site over http first.
sudo certbot --apache
You can also add a specific list of domains to request certificates for. I prefer to do this:
sudo certbot --apache -d www.mysite.com -d api.mysite.com
Sometimes this step may fail the first time as well. Give it a a little time and then try again. It may fail because your DNS is still propagating.
Setup Automatic Certificate Renewal
Open up the root crontab entry:
sudo vim /etc/crontab
Enter the following entry which will check your SSL certs twice daily and also make sure not to flood Let's Encrypt at the same time as everyone else.
# Twice daily check of Lets Encrypt SSL Cert 0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q
If you don't have python3 installed, you can do so with:
sudo dnf install python3
- Cloudflare can cause issues with the challenge so disable it (set it to passthrough on the DNS page) while issuing the cert if you run into issues.
- The certbot logs live in: /var/log/letsencrypt/letsencrypt.log
Areas for Improvement
This guide works but there are some areas for improvement in the future to lower the extra dependencies.
- Use an alternate client instead of Certbot. For example: acme.sh
- This is more lightweight and removes the dependency on snap (ugh).
- Use $RANDOM and sleep in crontab to remove python3 dependency