8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | 21c | 23ai | Misc | PL/SQL | SQL | RAC | WebLogic | Linux

Home » Articles » Linux » Here

Let's Encrypt - Free Certificates on Oracle Linux (CertBot)

Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides digital certificates to enable HTTPS (SSL/TLS) for websites, for free! There are some things to note when using this service.

This article shows you how to use Let's Encrypt to get free certificates for publicly facing web servers. This article uses Oracle Linux 7 as an example, but the process is similar in Oracle Linux 6 also.

Related articles.


The commands in this section need to be run as the "root" user. If you are not the "root" user, add "sudo " in front of every command to run then from your admin user.

For OL7 you will need to enable the "Optional" repository.

# OL7
yum install -y yum-utils
yum-config-manager --enable ol7_optional_latest

Enable the EPEL repository for your Oracle Linux version. If you want to use the Oracle Linux repository for this, issue the following command.

# OL7
yum-config-manager --enable ol7_developer_EPEL

# OL8
dnf install -y oracle-epel-release-el8

Alternatively, use the official EPEL release.

# OL7
cd /tmp
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh /tmp/epel-release-latest-7.noarch.rpm

# OL8
cd /tmp
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
rpm -Uvh /tmp/epel-release-latest-8.noarch.rpm

Install snap. You can get full instructions here.

# OL7
yum install -y snapd
systemctl enable --now snapd.socket
systemctl start snapd
ln -s /var/lib/snapd/snap /snap

# OL8
dnf install -y snapd
systemctl enable --now snapd.socket
systemctl start snapd
ln -s /var/lib/snapd/snap /snap

Install and refresh core.

snap install core
snap refresh core

Finally, install CertBot.

snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

Generate New Certificates

Depending on the operating systems, web server and client being used, there may be a command that will automatically download and install the certificate for you. I prefer to do the configuration myself, so the examples below just downloads a new certificate. They assume you already have the servers running and publicly visible.

# For Apache:

/usr/bin/certbot certonly --webroot -w /var/www/html --email root@example.com -d example.com -d www.example.com

# For Tomcat:

/usr/bin/certbot certonly --webroot -w $CATALINA_HOME/webapps/ROOT --email root@example.com -d example.com -d www.example.com

We have had to provide several bits of information.

The first time you run this command it will install any dependencies using Yum, which is my you need to make sure the correct repositories are enabled in the previous section. It will also ask you to agree to the terms and conditions.

Once complete you will have a new directory structure created under "/etc/letsencrypt". If you are handling multiple domains from your web server you can make multiple requests, one per domain. You will then see additional domain-specific subdirectories under the "archive" and "live" directories.


You will also find logs under the following directory.


Configure Apache

The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your Apache "httpd.conf" file should reference that location, as shown in the example below.

<VirtualHost *:443>
    ServerName example.com
    Serveralias www.example.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/example.com-error_log
    CustomLog /var/log/httpd/example.com-access_log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem

Configure Tomcat

You can read how to configure Tomcat to use HTTPS here. This example uses the certificates generated by CertBot.

Configure NGINX

The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your site-specific configuration file under the "/etc/nginx/conf.d" directory should reference that location, as shown in the example below.

  server {
   listen 80;
   #listen [::]:80 ipv6only=on;
   listen 443 ssl;
   #listen [::]:443 ipv6only=on ssl;

    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;

    # Disable SSLv3
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    #ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem
    resolver valid=300s;
    resolver_timeout 5s;

    root /usr/share/nginx/html;
    index index.html;
    location / {
      try_files $uri $uri/ /index.html;

Renew Certificates

Running the following command will renew any certificates that are due for renewal.

/usr/bin/certbot renew

To run in silent mode do the following.

/usr/bin/certbot renew --quiet

Use "--post-hook" to run a command if any certificates were replaced. In the example below Apache is restarted if any certificates are renewed.

/usr/bin/certbot renew --quiet --post-hook "systemctl restart httpd"

Adding the following to the crontab will attempt to renew the certificates at 22:00 every day. If a certificate is renewed, Apache will be restarted.

0 22 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl restart httpd"

For more information see:

Hope this helps. Regards Tim...

Back to the Top.