Setting up SSL with certbot with Apache and Fedora

This post describes how to set up an SSL certificate with Certbot on Apache and Fedora. The guide mostly follows the one on the Certbot website, but adds some extra information for the case where automatic configuration fails.

Running Certbot on Fedora

On Fedora, running Certbot is relatively easy because it is packaged in the Fedora repositories. To install it, use the dnf package manager and run:

sudo dnf install certbot-apache

Once installed, the SSL certificate can be set up with the following command.

sudo certbot --apache

While running, Certbot will ask which site you want to configure. It then sets up verification for your domain and obtains the certificates. If all goes well, Certbot will update your Apache config automatically. Once this is done, all you need to do is restart Apache and your newly configured SSL certificate will be in use. Apache can be restarted with

sudo systemctl restart httpd

If the automatic Apache setup failed, the section at the bottom of this page describes how to add the Apache config by hand.

Renewing your certificates

Certificates issued through Certbot are only valid for 90 days, so you need to renew them regularly. However, once Certbot has been set up for a site, all you need to run is the renew command, certbot renew.

To make sure nothing is wrong with the renewal process you can run a “dry run”, which tests renewing the certificates without actually replacing them. This is done with certbot renew --dry-run.

Certbot recommends attempting to renew certificates twice a day at a random time. You can do this using a cron job.

If you log in as root, you can then run crontab -e to edit root’s crontab. From there you can add the following line to autorenew all certificates:

12 11,23 * * * certbot renew >> /root/certbot.cronlog 2>&1

This runs certbot renew every day at 11:12 and 23:12. All of the command's output, standard error included, is appended to the file /root/certbot.cronlog.

Running it twice a day keeps your certificates up to date even if Certbot is unable to verify your site for a while: the next scheduled run simply tries again.

Please remember if you are using this cronlog, make sure you change the time you run your crontab so that certbot

Configuring certbot manually

Depending on your Apache configuration, Certbot may not be able to edit the Apache config file correctly. If this happens it will still generate the certificates, but it will not update your Apache config. The following steps describe how to configure it by hand.

Once Certbot has generated your certificates you can find them in /etc/letsencrypt/live/{hostname}/. That directory contains a README file describing what each file is for, reproduced below:

This directory contains your keys and certificates.

`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

The files we are interested in for Apache are fullchain.pem and privkey.pem.

For Apache, your virtual host definition needs to look roughly like the one below. I recommend adding it to /etc/httpd/conf.d/sites.conf alongside your other virtual hosts.

<VirtualHost {hostname}:443>
    DocumentRoot /var/www/{hostname}
    ServerName {hostname}:443
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/{hostname}/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/{hostname}/privkey.pem"
</VirtualHost>

Above, {hostname} is the name of your host and the DocumentRoot value is the directory the site is served from. The key parts to change are the SSL lines, which must point at the fullchain and privkey files.

As the README says, Certbot recommends not moving these files, because this is where new certificates are placed after each renewal. If you move them, the renewed certificates that Certbot obtains automatically will not be picked up by your Apache install.
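Both the cron renewal above and the warning about Apache picking up renewed files raise the same question: how does Apache learn about a renewed certificate, and how do you know the renewed files are sane before it does? The following deploy hook is an added example, not part of the original post or of Certbot's own code. It assumes Certbot's --deploy-hook option and the RENEWED_LINEAGE variable Certbot exports to hook scripts (both exist in current Certbot releases), the httpd unit name used in the post, and that openssl and GNU date are installed. Before reloading Apache it confirms that the renewed privkey.pem and fullchain.pem belong together and reports the remaining validity; demo_selfcheck builds a constructed self-signed lineage in a temporary directory so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post or from Certbot itself.
# A certbot deploy hook for Fedora/Apache: certbot runs it only after a
# certificate was actually renewed, with RENEWED_LINEAGE pointing at
# /etc/letsencrypt/live/<hostname> (assumption: current certbot exports
# that variable to --deploy-hook scripts).
# Assumes openssl, GNU date and the httpd unit from the post.

# cert_key_match DIR: succeed only if DIR/fullchain.pem's public key equals
# the public key derived from DIR/privkey.pem, i.e. the pair belongs together.
cert_key_match() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ] || return 1
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# days_until_expiry DIR: print whole days until the leaf certificate expires
# (openssl reads only the first certificate in fullchain.pem, the leaf).
days_until_expiry() {
    end=$(openssl x509 -in "$1/fullchain.pem" -noout -enddate) || return 1
    end_epoch=$(date -d "${end#notAfter=}" +%s) || return 1
    now=$(date +%s)
    echo $(( (end_epoch - now) / 86400 ))
}

# deploy_hook: validate the renewed lineage, then reload (not restart) httpd
# so Apache serves the new certificate without dropping open connections.
# The config is syntax-checked first so a bad reload cannot take the site down.
deploy_hook() {
    if ! cert_key_match "$RENEWED_LINEAGE"; then
        echo "not reloading httpd: privkey.pem and fullchain.pem in $RENEWED_LINEAGE do not match" >&2
        return 1
    fi
    echo "renewed $RENEWED_LINEAGE, $(days_until_expiry "$RENEWED_LINEAGE") days of validity"
    httpd -t && systemctl reload httpd
}

# demo_selfcheck: exercise the checks offline on a constructed lineage
# (self-signed, a stand-in for Let's Encrypt output) plus a second copy whose
# key was swapped, which is what a botched manual copy of the files looks like.
# Prints "good=0 bad=1 days=<n>".
demo_selfcheck() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/good" "$tmp/bad"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
        -keyout "$tmp/good/privkey.pem" -out "$tmp/good/fullchain.pem" 2>/dev/null || return 1
    cp "$tmp/good/fullchain.pem" "$tmp/bad/fullchain.pem"
    openssl genpkey -algorithm RSA -out "$tmp/bad/privkey.pem" 2>/dev/null || return 1
    if cert_key_match "$tmp/good"; then good=0; else good=1; fi
    if cert_key_match "$tmp/bad"; then bad=0; else bad=1; fi
    days=$(days_until_expiry "$tmp/good") || return 1
    rm -rf "$tmp"
    echo "good=$good bad=$bad days=$days"
}

if [ "${1:-}" = "demo" ]; then
    demo_selfcheck
elif [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Save it under a path of your choosing (for instance /usr/local/sbin/certbot-deploy.sh, a hypothetical location), make it executable, and append --deploy-hook /usr/local/sbin/certbot-deploy.sh to the certbot renew line in the crontab. Running the script with the single argument demo exercises the checks on the constructed lineage. The hook only fires when a certificate was actually renewed, so the twice-daily cron run stays cheap, and httpd is reloaded only after the key/certificate pair checks out and httpd -t accepts the configuration.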

Hopefully this helps you encrypt your website with SSL from Let's Encrypt. If you have any questions, feel free to ask in the comments.
