8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | Misc | PL/SQL | SQL | RAC | WebLogic | Linux

Home » Articles » Linux » Here

Let's Encrypt - Free Certificates on Oracle Linux (CertBot)

Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides digital certificates to enable HTTPS (SSL/TLS) for websites, for free! There are some things to note when using this service.

This article shows you how to use Let's Encrypt to get free certificates for publicly facing web servers. This article uses Oracle Linux 7 as an example, but the process is similar in Oracle Linux 6 also.

Related articles.

Installation

You will need to enable the "Optional" repository.

yum install -y yum-utils
yum-config-manager --enable ol7_optional_latest

Enable the EPEL repository for your Oracle Linux version. If you want to use the Oracle Linux repository for this, issue the following command.

yum-config-manager --enable ol7_developer_EPEL

Alternatively, use the official EPEL release.

# cd /tmp
# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -Uvh /tmp/epel-release-latest-7.noarch.rpm

Finally, install CertBot.

# yum install python-certbot-apache -y

Generate New Certificates

Depending on the operating systems and web server being used, there may be a command that will automatically download and install the certificate for you. I prefer to do the configuration myself, so the example below just downloads a new certificate.

For Apache:

# certbot certonly --webroot -w /var/www/html --email root@example.com -d example.com -d www.example.com

For Tomcat:

# certbot certonly --webroot -w $CATALINA_HOME/webapps/ROOT --email root@example.com -d example.com -d www.example.com

We have had to provide several bits of information.

Once complete you will have a new directory structure created under "/etc/letsencrypt". If you are handling multiple domains from your web server you can make multiple requests, one per domain. You will then see additional domain-specific subdirectories under the "archive" and "live" directories.

/etc/letsencrypt/csr
/etc/letsencrypt/archive/example.com
/etc/letsencrypt/renewal
/etc/letsencrypt/live/example.com
/etc/letsencrypt/live
/etc/letsencrypt/keys
/etc/letsencrypt/accounts

Configure Apache

The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your Apache "httpd.conf" file should reference that location, as shown in the example below.

<VirtualHost *:443>
    ServerName example.com
    Serveralias www.example.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/example.com-error_log
    CustomLog /var/log/httpd/example.com-access_log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>

Configure Tomcat

You can read how to configure Tomcat to use HTTPS here. This example uses the certificates generated by CertBot.

Configure NGINX

The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your site-specific configuration file under the "/etc/nginx/conf.d" directory should reference that location, as shown in the example below.

  server {
   listen 80;
   #listen [::]:80 ipv6only=on;
   listen 443 ssl;
   #listen [::]:443 ipv6only=on ssl;

    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    # Disable SSLv3
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    #ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    root /usr/share/nginx/html;
    index index.html;
    location / {
      try_files $uri $uri/ /index.html;
    }
  }

Renew Certificates

Running the following command will renew any certificates that are due for renewal.

# /bin/certbot renew

To run in silent mode do the following.

# /bin/certbot renew --quiet

Use "--post-hook" to run a command if any certificates were replaced. In the example below Apache is restarted if any certificates are renewed.

# /bin/certbot renew --quiet --post-hook "systemctl restart httpd"

Adding the following to the crontab will attempt to renew the certificates at 22:00 every day. If a certificate is renewed, Apache will be restarted.

0 22 * * * /bin/certbot renew --quiet --post-hook "systemctl restart httpd"

For more information see:

Hope this helps. Regards Tim...

Back to the Top.