

Let's Encrypt - Free Certificates on Oracle Linux (CertBot)

Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides digital certificates to enable HTTPS (SSL/TLS) for websites, for free! There are some things to note when using this service.

This article shows you how to use Let's Encrypt to get free certificates for publicly facing web servers. This article uses Oracle Linux 7 as an example, but the process is similar in Oracle Linux 6 also.


Installation

The commands in this section need to be run as the "root" user. If you are not the "root" user, add "sudo " in front of every command to run them from your admin user.

You will need to enable the "Optional" repository.

yum install -y yum-utils
yum-config-manager --enable ol7_optional_latest

Enable the EPEL repository for your Oracle Linux version. If you want to use the Oracle Linux repository for this, issue the following command.

yum-config-manager --enable ol7_developer_EPEL

Alternatively, use the official EPEL release.

cd /tmp
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh /tmp/epel-release-latest-7.noarch.rpm

Finally, install CertBot. I originally used the Yum installation for this, but more recent versions of RHEL7/OL7/CentOS7 can have problems when running the certbot command, as pointed out by Todd Sharp, so I've switched to using the Other UNIX installation.

cd /tmp
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto

Generate New Certificates

Depending on the operating system, web server and client being used, there may be a command that will automatically download and install the certificate for you. I prefer to do the configuration myself, so the examples below just download a new certificate. They assume you already have the servers running and publicly visible.

# For Apache:

/usr/local/bin/certbot-auto certonly --webroot -w /var/www/html --email root@example.com -d example.com -d www.example.com

# For Tomcat:

/usr/local/bin/certbot-auto certonly --webroot -w $CATALINA_HOME/webapps/ROOT --email root@example.com -d example.com -d www.example.com

We have had to provide several bits of information: the web root directory the challenge files will be served from ("-w"), a contact email address ("--email") and the domain names the certificate should cover (one "-d" per name).

The first time you run this command it will install any dependencies using Yum, which is why you need to make sure the correct repositories are enabled in the previous section. It will also ask you to agree to the terms and conditions.

Once complete you will have a new directory structure created under "/etc/letsencrypt". If you are handling multiple domains from your web server you can make multiple requests, one per domain. You will then see additional domain-specific subdirectories under the "archive" and "live" directories.

/etc/letsencrypt/csr
/etc/letsencrypt/archive/example.com
/etc/letsencrypt/renewal
/etc/letsencrypt/live/example.com
/etc/letsencrypt/live
/etc/letsencrypt/keys
/etc/letsencrypt/accounts

You will also find logs under the following directory.

/var/log/letsencrypt/
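Before pointing a web server at a lineage it is worth checking that the "live" entries really are symlinks into "archive", that all four files point at the same archive version, and that the private key is not world-readable. The script below is an added example, not part of the original article; it assumes the certbot layout described above (versioned files such as "privkey2.pem" under "archive/<domain>", symlinked from "live/<domain>") and GNU readlink/stat.

```shell
#!/bin/sh
# Added example (not from the original article): audit a certbot lineage.
# Assumed layout: archive/<domain>/ holds versioned files (cert2.pem, privkey2.pem, ...)
# and live/<domain>/ holds symlinks to the current version. Uses GNU readlink/stat.
# Usage: audit_lineage /etc/letsencrypt/live/example.com /etc/letsencrypt/archive/example.com

audit_lineage() {
    live="$1"
    archive=$(readlink -f "$2" || echo "$2")   # canonical path for the prefix test
    problems=0
    expected=""
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        link="$live/$name"
        if [ ! -L "$link" ]; then
            echo "PROBLEM: $link is not a symlink; renewals will not update it"
            problems=$((problems + 1))
            continue
        fi
        target=$(readlink -f "$link" || true)
        case "$target" in
            "$archive"/*) ;;
            *) echo "PROBLEM: $link resolves outside the archive: $target"
               problems=$((problems + 1))
               continue ;;
        esac
        # All four links must point at the same archive version (e.g. cert2 and privkey2),
        # otherwise the served certificate will not match the key.
        base=${name%.pem}
        version=${target##*/}; version=${version%.pem}; version=${version#"$base"}
        if [ -z "$expected" ]; then
            expected="$version"
        elif [ "$version" != "$expected" ]; then
            echo "PROBLEM: $name is archive version '$version' but earlier files are '$expected'"
            problems=$((problems + 1))
        fi
    done
    # The private key must not be readable by other local users.
    key=$(readlink -f "$live/privkey.pem" 2>/dev/null || true)
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key")
        case "$mode" in
            600|400) ;;
            *) echo "PROBLEM: $key has mode $mode; expected 600"
               problems=$((problems + 1)) ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}
```

The function exits non-zero when anything is wrong, so it can gate a deployment step. Older CertBot releases protected the archive directory itself rather than the key file, so treat the mode finding with that in mind.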

Configure Apache

The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your Apache "httpd.conf" file should reference that location, as shown in the example below.

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/example.com-error_log
    CustomLog /var/log/httpd/example.com-access_log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>

Configure Tomcat

You can read how to configure Tomcat to use HTTPS here. This example uses the certificates generated by CertBot.

Configure NGINX

The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your site-specific configuration file under the "/etc/nginx/conf.d" directory should reference that location, as shown in the example below.

server {
    listen 80;
    #listen [::]:80 ipv6only=on;
    listen 443 ssl;
    #listen [::]:443 ipv6only=on ssl;

    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks.
    # DH+3DES is only there for very old clients; 3DES is a 64-bit block cipher, so drop it if you can.
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    # Only allow TLS: SSLv3 and TLSv1.0 are disabled. TLSv1.1 is also deprecated
    # (RFC 8996), so remove it from this list unless legacy clients still need it.
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    #ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    root /usr/share/nginx/html;
    index index.html;
    location / {
        try_files $uri $uri/ /index.html;
    }
}

Renew Certificates

Running the following command will renew any certificates that are due for renewal.

/usr/local/bin/certbot-auto renew

To run in silent mode do the following.

/usr/local/bin/certbot-auto renew --quiet

Use "--post-hook" to run a command if any certificates were replaced. In the example below Apache is restarted if any certificates are renewed.

/usr/local/bin/certbot-auto renew --quiet --post-hook "systemctl restart httpd"

Adding the following to the crontab will attempt to renew the certificates at 22:00 every day. If a certificate is renewed, Apache will be restarted.

0 22 * * * /usr/local/bin/certbot-auto renew --quiet --post-hook "systemctl restart httpd"
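A blunt "systemctl restart httpd" in the post-hook drops live connections and, if the Apache configuration has a typo, leaves the site down until someone notices. The script below is an added example, not part of the original article: a "--deploy-hook" (supported by CertBot 0.17 and later, which exports RENEWED_LINEAGE and RENEWED_DOMAINS to the hook) that runs "httpd -t" first and then does a graceful reload. The HTTPD_BIN, SYSTEMCTL_BIN and DEPLOY_LOG variables are assumptions added so the script can be tested without touching a real service.

```shell
#!/bin/sh
# Added example (not from the original article): certbot --deploy-hook that only
# reloads Apache after the configuration passes a syntax check.
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS when it runs a deploy hook. The *_BIN and DEPLOY_LOG variables
# are assumed overrides for testing; the defaults match a stock OL7 Apache install.
# Usage: certbot-auto renew --quiet --deploy-hook /usr/local/sbin/reload-httpd.sh

HTTPD_BIN=${HTTPD_BIN:-/usr/sbin/httpd}
SYSTEMCTL_BIN=${SYSTEMCTL_BIN:-systemctl}
LOG=${DEPLOY_LOG:-/var/log/letsencrypt/deploy-hook.log}

deploy_hook() {
    lineage="$1"
    domains="$2"
    # Refuse to act on a lineage that does not contain what Apache needs.
    if [ -z "$lineage" ] || [ ! -f "$lineage/fullchain.pem" ] || [ ! -f "$lineage/privkey.pem" ]; then
        echo "deploy-hook: lineage '$lineage' is incomplete, not reloading" >&2
        return 2
    fi
    # Never reload a configuration that does not parse; the running process keeps
    # serving the old certificate, which is better than no site at all.
    if ! "$HTTPD_BIN" -t >/dev/null 2>&1; then
        echo "deploy-hook: httpd -t failed after renewing $domains, leaving httpd untouched" >&2
        return 1
    fi
    # reload is graceful; restart (as in the --post-hook above) drops active connections.
    "$SYSTEMCTL_BIN" reload httpd || return 1
    printf '%s renewed %s (%s), httpd reloaded\n' "$(date -u +%FT%TZ)" "$domains" "$lineage" >>"$LOG" 2>/dev/null
    return 0
}

# When invoked by certbot, act on the environment it provides.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

Unlike "--post-hook", a deploy hook only fires for lineages that were actually renewed, so the daily cron run stays silent when nothing changed.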


Hope this helps. Regards Tim...
