# Setup SSL - It's Free

There's no reason to skip SSL anymore. These instructions will setup an auto-refreshing SSL certificate using the [Let's Encrypt](https://letsencrypt.org/) Certbot.

## Install Certbot

Certbot requires snap (ugh). This will setup snap and then install Certbot.

```shell
sudo dnf install mod_ssl mod_fcgid snapd
sudo systemctl enable --now snapd.socket
sudo snap install core; sudo snap refresh core
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

If the **snap install** command fails, just run it again. It will sometimes fail on the first attempt.

## Install SSL Cert

This assumes you have setup apache to serve your site over http first.

`sudo certbot --apache`

You can also add a specific list of domains to request certificates for. I prefer to do this:

`sudo certbot --apache -d www.mysite.com -d api.mysite.com`

Sometimes this step may fail the first time as well. Give it a a little time and then try again. It may fail because your DNS is still propagating.

## Setup Automatic Certificate Renewal

Open up the root crontab entry:

`sudo vim /etc/crontab`

Enter the following entry which will check your SSL certs twice daily and also make sure not to flood Let's Encrypt at the same time as everyone else.

```shell
# Twice daily check of Lets Encrypt SSL Cert
0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q
```

If you don't have python3 installed, you can do so with:

`sudo dnf install python3`

## General Notes

- Cloudflare can cause issues with the challenge so disable it (set it to passthrough on the DNS page) while issuing the cert if you run into issues.
- The certbot logs live in: /var/log/letsencrypt/letsencrypt.log

## Areas for Improvement

This guide works but there are some areas for improvement in the future to lower the extra dependencies.

TODO:

- Use an alternate client instead of Certbot. For example: [acme.sh](https://github.com/acmesh-official/acme.sh)
    - This is more lightweight and removes the dependency on snap (ugh).
- Use **$RANDOM** and **sleep** in crontab to remove python3 dependency