

Let's Encrypt - Free Certificates on Oracle Linux (CertBot)

Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides digital certificates to enable HTTPS (SSL/TLS) for websites, for free! There are some things to note when using this service.

This article shows you how to use Let's Encrypt to get free certificates for publicly facing web servers. This article uses Oracle Linux 7 as an example, but the process is similar in Oracle Linux 6 also.


Installation

You will need to enable the "Optional" repository in the Oracle Linux repository file (/etc/yum.repos.d/public-yum-ol7.repo) by making sure the "enabled" flag is set to "1".

[ol7_optional_latest]
name=Oracle Linux $releasever Optional Latest ($basearch)
baseurl=http://yum.oracle.com/repo/OracleLinux/OL7/optional/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

Enable the EPEL repository for your Oracle Linux version.

# cd /tmp
# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -Uvh /tmp/epel-release-latest-7.noarch.rpm

Finally, install CertBot.

# yum install python-certbot-apache -y

Generate New Certificates

Depending on the operating systems and web server being used, there may be a command that will automatically download and install the certificate for you. I prefer to do the configuration myself, so the example below just downloads a new certificate.

For Apache:

# certbot certonly --webroot -w /var/www/html --email root@example.com -d example.com -d www.example.com

For Tomcat:

# certbot certonly --webroot -w $CATALINA_HOME/webapps/ROOT --email root@example.com -d example.com -d www.example.com

We have had to provide several bits of information: the webroot directory CertBot uses for the HTTP validation challenge (-w), a contact email address (--email), and each domain name the certificate should cover (-d).

Once complete you will have a new directory structure created under "/etc/letsencrypt". If you are handling multiple domains from your web server you can make multiple requests, one per domain. You will then see additional domain-specific subdirectories under the "archive" and "live" directories.

/etc/letsencrypt/csr
/etc/letsencrypt/archive/example.com
/etc/letsencrypt/renewal
/etc/letsencrypt/live/example.com
/etc/letsencrypt/live
/etc/letsencrypt/keys
/etc/letsencrypt/accounts

Configure Apache

The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your Apache "httpd.conf" file should reference that location, as shown in the example below.

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/example.com-error_log
    CustomLog /var/log/httpd/example.com-access_log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>

Configure Tomcat

You can read how to configure Tomcat to use HTTPS here. This example uses the certificates generated by CertBot.

Renew Certificates

Running the following command will renew any certificates that are due for renewal.

# /bin/certbot renew

To run in silent mode do the following.

# /bin/certbot renew --quiet

Use "--post-hook" to run a command if any certificates were replaced. In the example below Apache is restarted if any certificates are renewed.

# /bin/certbot renew --quiet --post-hook "systemctl restart httpd"

Adding the following to the crontab will attempt to renew the certificates at 22:00 every day. If a certificate is renewed, Apache will be restarted.

0 22 * * * /bin/certbot renew --quiet --post-hook "systemctl restart httpd"
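Because "renew --quiet" suppresses its output, a failed renewal can go unnoticed until the certificate expires. The following script is an added example, not part of the original article, that checks how many days the live certificate has left; it assumes GNU date and the openssl CLI are installed, and the 30-day threshold matches CertBot's default renewal window.

```shell
#!/bin/bash
# Expiry check for a CertBot-managed certificate (added example, not from the
# original article). Assumes GNU date and the openssl CLI. The 30-day threshold
# is an assumption based on certbot's default of renewing 30 days before expiry,
# so fewer days than that means the cron renewal is not working.

# Convert an openssl "notAfter=<date>" line into whole days remaining from now.
# Prints a negative number when the certificate has already expired.
days_until_expiry() {
    enddate="${1#notAfter=}"                  # strip the "notAfter=" prefix
    end_epoch=$(date -u -d "$enddate" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Classify a day count: 0 = ok, 1 = renewal overdue, 2 = already expired.
expiry_status() {
    days="$1"; threshold="${2:-30}"
    if [ "$days" -lt 0 ]; then
        echo 2
    elif [ "$days" -lt "$threshold" ]; then
        echo 1
    else
        echo 0
    fi
}

# Read notAfter from the live certificate for a domain and report on it.
# The exit code mirrors the status so it can be used from cron or monitoring.
check_live_cert() {
    domain="$1"
    cert="/etc/letsencrypt/live/${domain}/cert.pem"
    line=$(openssl x509 -noout -enddate -in "$cert") || return 2
    days=$(days_until_expiry "$line")
    status=$(expiry_status "$days" "${2:-30}")
    echo "${domain}: ${days} days until expiry (status ${status})"
    return "$status"
}

# Example usage (run as root after the renew job):  ./check_cert.sh example.com
if [ $# -gt 0 ]; then
    check_live_cert "$1"
fi
```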


Hope this helps. Regards Tim...
