{"id":490,"date":"2017-08-16T13:35:03","date_gmt":"2017-08-16T12:35:03","guid":{"rendered":"http:\/\/chewett.co.uk\/blog\/?p=490"},"modified":"2017-08-12T21:15:37","modified_gmt":"2017-08-12T20:15:37","slug":"setting-ssl-certbot-apache-fedora","status":"publish","type":"post","link":"https:\/\/chewett.co.uk\/blog\/490\/setting-ssl-certbot-apache-fedora\/","title":{"rendered":"Setting up SSL with certbot with Apache and Fedora"},"content":{"rendered":"<p>This post describes how to set up an SSL certificate with Certbot on Apache and Fedora. It primarily follows the guide on the <a href=\"https:\/\/certbot.eff.org\/#fedora24-apache\">certbot website<\/a>, but adds some additional information for when auto configuration fails.<\/p>\n<h2>Running Certbot on Fedora<\/h2>\n<p>On Fedora, running certbot is relatively easy as it is packaged for Fedora. To install it, use the dnf package manager and run:<\/p>\n<pre>sudo dnf install certbot-apache<\/pre>\n<p>Once installed, the SSL certificate can be set up using the following command:<\/p>\n<pre>sudo certbot --apache<\/pre>\n<p>While it runs, certbot will ask which site you want to configure. It will then set up verification for your domain and configure the certificates. If all goes well, certbot will automatically update your Apache config. Once this is done, all you need to do is restart Apache and you will have your newly configured SSL certificate. Restarting Apache can be done with:<\/p>\n<pre>sudo systemctl restart httpd<\/pre>\n<p>If automatically setting up Apache failed, at the bottom of the page I describe how to add the Apache config without auto configuration.<\/p>\n<h2>Renewing your certificates<\/h2>\n<p>Certificates obtained with certbot are typically only valid for 90 days, so you need to renew them regularly.
However, once you have set up certbot for a site, you only need to run the renew command <code>certbot renew<\/code>.<\/p>\n<p>To check that nothing is wrong with the renewal process you can perform a &#8220;dry run&#8221;, which tests renewing certificates without actually going through the process. This can be accomplished with <code>certbot renew --dry-run<\/code>.<\/p>\n<p>Certbot recommends attempting to renew certificates twice a day at a random time. You can do this using a cron job.<\/p>\n<p>If you log in as root, you can then run <code>crontab -e<\/code> to edit root&#8217;s crontab. From there you can add the following line to autorenew all certificates:<\/p>\n<pre>12 11,23 * * * certbot renew &gt;&gt; \/root\/certbot.cronlog 2&gt;&amp;1<\/pre>\n<p>This says that every day at 11:12 and 23:12 <code>certbot renew<\/code> will be run. All output from this command, including errors, is appended to the file <code>\/root\/certbot.cronlog<\/code>. The <code>2&gt;&amp;1<\/code> must come after the <code>&gt;&gt;<\/code> redirection, otherwise error output does not reach the log file.<\/p>\n<p>By running this twice a day your certificates are kept up to date even if certbot cannot verify your site for a period of time.<\/p>\n<p>Please remember if you are using this cronlog, make sure you change the time you run your crontab so that certbot<\/p>\n<h2>Configuring certbot manually<\/h2>\n<p>Depending on your Apache config, certbot may not be able to update the Apache config file correctly. If this occurs, it will still generate the certificates but it will not update your Apache config. Here are the steps you can follow to configure it yourself.<\/p>\n<p>Once certbot has generated your certificates you can find them at <code>\/etc\/letsencrypt\/live\/{hostname}\/<\/code>.
In this location is a readme file that describes what each file can be used for, as shown below:<\/p>\n<pre>This directory contains your keys and certificates.\r\n\r\n`privkey.pem` : the private key for your certificate.\r\n`fullchain.pem`: the certificate file used in most server software.\r\n`chain.pem` : used for OCSP stapling in Nginx &gt;=1.3.7.\r\n`cert.pem` : will break many server configurations, and should not be used\r\nwithout reading further documentation (see link below).\r\n\r\nWe recommend not moving these files. For more information, see the Certbot\r\nUser Guide at https:\/\/certbot.eff.org\/docs\/using.html#where-are-my-certificates.<\/pre>\n<p>The main files we are interested in for Apache are <code>fullchain.pem<\/code> and <code>privkey.pem<\/code>.<\/p>\n<p>For Apache, your virtual host configuration needs to look a little bit like the one below. I recommend you add this to <code>\/etc\/httpd\/conf.d\/sites.conf<\/code> with your other virtual hosts.<\/p>\n<pre>&lt;VirtualHost {hostname}:443&gt;\r\n DocumentRoot \/var\/www\/{hostname}\r\n ServerName {hostname}:443\r\n SSLEngine on\r\n SSLCertificateFile \"\/etc\/letsencrypt\/live\/{hostname}\/fullchain.pem\"\r\n SSLCertificateKeyFile \"\/etc\/letsencrypt\/live\/{hostname}\/privkey.pem\"\r\n &lt;\/VirtualHost&gt;<\/pre>\n<p>Above, <code>{hostname}<\/code> is the name of your host. The <code>DocumentRoot<\/code> value is the location that the site is served from. The key parts to change are the SSL lines, which must point to the location of the fullchain and privkey files.<\/p>\n<p>According to the documentation, certbot recommends you do not move these files, as this is the location where new certificates are placed when updated.
If these are moved then the new certificates certbot registers automatically will not be picked up by your Apache install.<\/p>\n<p>Hopefully this will help you encrypt your website with SSL from Let&#8217;s Encrypt. If you have any questions, feel free to ask in the comments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post describes how to set up an SSL certificate with Certbot on Apache and Fedora. It primarily follows the guide on the certbot website, but adds some additional information for when auto configuration fails.<\/p>\n","protected":false},"author":1,"featured_media":556,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[5],"tags":[68,107,41,113,112],"class_list":["post-490","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-informational","tag-apache","tag-autossl","tag-fedora","tag-free-ssl-certificate","tag-ssl-certificate"],"wppr_data":{"cwp_meta_box_check":"No"},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/08\/ssl_with_apache_fedora_and_certbot.jpg?fit=800%2C800&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p2toWX-7U","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":982,"url":
"https:\/\/chewett.co.uk\/blog\/982\/fixing-letsencrypt-validation-failed-selected-authenticator-not-support-combination-challenges\/","url_meta":{"origin":490,"position":0},"title":"Fixing Letsencrypt validation failed with selected authenticator does not support any combination of challenges","author":"Chewett","date":"January 31, 2018","format":false,"excerpt":"This post goes through the steps of fixing Letsencrypt with the issue \"Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.\". Why Letsencrypt fails to validate domains When trying to set up a new https website with Letsencrypt you may get\u2026","rel":"","context":"In &quot;Fixes&quot;","block_context":{"text":"Fixes","link":"https:\/\/chewett.co.uk\/blog\/category\/fixes\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/01\/fixing_letsencrypt_fedora.jpg?fit=800%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/01\/fixing_letsencrypt_fedora.jpg?fit=800%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/01\/fixing_letsencrypt_fedora.jpg?fit=800%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/01\/fixing_letsencrypt_fedora.jpg?fit=800%2C800&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":297,"url":"https:\/\/chewett.co.uk\/blog\/297\/lets-encrypt-auto-ssl-web-host-manager-cpanel-server\/","url_meta":{"origin":490,"position":1},"title":"Let&#8217;s Encrypt Auto SSL on Web Host Manager CPanel Server","author":"Chewett","date":"May 12, 2017","format":false,"excerpt":"This blog post describes how to set up free SSL certificates on a Web Host Manager CPanel server. This requires root access to the server, if you don't have access to this then you must ask your service provider to install it for you. 
What is Let's Encrypt? Let's Encrypt\u2026","rel":"","context":"In &quot;Informational&quot;","block_context":{"text":"Informational","link":"https:\/\/chewett.co.uk\/blog\/category\/informational\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1449,"url":"https:\/\/chewett.co.uk\/blog\/1449\/installing-a-root-certificate-authority-on-fedora-28\/","url_meta":{"origin":490,"position":2},"title":"Installing a Root Certificate Authority on Fedora 28","author":"Chewett","date":"August 15, 2018","format":false,"excerpt":"This post documents the process of installing a Root Certification Authority on Fedora 28. Adding a Root Certificate Authority to Fedora 28 First you must obtain the PEM file for your root certificate. This will either need to be created by you or will be given to you by your\u2026","rel":"","context":"In &quot;Informational&quot;","block_context":{"text":"Informational","link":"https:\/\/chewett.co.uk\/blog\/category\/informational\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/08\/installing_root_ca_fedora28.jpg?fit=800%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/08\/installing_root_ca_fedora28.jpg?fit=800%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/08\/installing_root_ca_fedora28.jpg?fit=800%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/08\/installing_root_ca_fedora28.jpg?fit=800%2C800&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":841,"url":"https:\/\/chewett.co.uk\/blog\/841\/installing-root-certificate-authority-fedora-26\/","url_meta":{"origin":490,"position":3},"title":"Installing a Root Certificate Authority on Fedora 26","author":"Chewett","date":"November 11, 2017","format":false,"excerpt":"This post documents the process of installing a Root Certification 
Authority on Fedora 26. Adding a Root Certification Authority to Fedora 26 First you must obtain the PEM file for your root certificate. This will either need to be created by you or will be given to you by your\u2026","rel":"","context":"In &quot;Informational&quot;","block_context":{"text":"Informational","link":"https:\/\/chewett.co.uk\/blog\/category\/informational\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/11\/installing_root_ca_fedora.jpg?fit=800%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/11\/installing_root_ca_fedora.jpg?fit=800%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/11\/installing_root_ca_fedora.jpg?fit=800%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/11\/installing_root_ca_fedora.jpg?fit=800%2C800&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1830,"url":"https:\/\/chewett.co.uk\/blog\/1830\/installing-linode-longview-on-fedora-28\/","url_meta":{"origin":490,"position":4},"title":"Installing Linode Longview on Fedora 28","author":"Chewett","date":"December 29, 2018","format":false,"excerpt":"This post talks about how you can install Linode Longview on Fedora 28. Why doesn't the standard instructions work? It turns out that you cannot just install Linode Longview on Fedora 28 as it isn't a supported operating system. 
When running the automatic install script the following error will appear.\u2026","rel":"","context":"In &quot;Fixes&quot;","block_context":{"text":"Fixes","link":"https:\/\/chewett.co.uk\/blog\/category\/fixes\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/12\/installing_linode_longview.jpg?fit=800%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/12\/installing_linode_longview.jpg?fit=800%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/12\/installing_linode_longview.jpg?fit=800%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2018\/12\/installing_linode_longview.jpg?fit=800%2C800&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":484,"url":"https:\/\/chewett.co.uk\/blog\/484\/virtualbox-guest-additions-fedora\/","url_meta":{"origin":490,"position":5},"title":"Virtualbox Guest additions on Fedora","author":"Chewett","date":"July 26, 2017","format":false,"excerpt":"This post describes how to install virtualbox guest additions on a Fedora virtual machine. Virtualbox guest additions adds a couple of features to running Fedora on virtualbox. Some of the useful features are shared folders, mouse pointer support, shared clipboard and better video driver support. 
The primary reason I install\u2026","rel":"","context":"In &quot;Informational&quot;","block_context":{"text":"Informational","link":"https:\/\/chewett.co.uk\/blog\/category\/informational\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/07\/fedora_on_virtualbox.jpg?fit=800%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/07\/fedora_on_virtualbox.jpg?fit=800%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/07\/fedora_on_virtualbox.jpg?fit=800%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/chewett.co.uk\/blog\/wp-content\/uploads\/2017\/07\/fedora_on_virtualbox.jpg?fit=800%2C800&ssl=1&resize=700%2C400 2x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/posts\/490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=490"}],"version-history":[{"count":6,"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/posts\/490\/revisions"}],"predecessor-version":[{"id":554,"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/posts\/490\/revisions\/554"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/media\/556"}],"wp:attachment":[{"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=490"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chewett.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=490"}],"curies":[
{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}