8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | 21c | 23c | Misc | PL/SQL | SQL | RAC | WebLogic | Linux
Home » Articles » Linux » Here
Let's Encrypt - Free Certificates on Oracle Linux (CertBot)
Let’s Encrypt is a free, automated, and open certificate authority (CA) that provides digital certificates to enable HTTPS (SSL/TLS) for websites, for free! There are some things to note when using this service.
- The certificates expire after 3 months, so you need to keep renewing them. This can easily be automated using CertBot.
- If you are planning to use CertBot, the web server must be publicly visible, as Let's Encrypt use a challenge mechanism to check you are the administrator of the site. It is also possible to have a private server, with a public DNS entry.
- There are sites on the net, like SSLForFree, that will help you manually generate certificates for web servers that are not publicly visible, but if you use them you will be responsible for manually changing the certificate every 3 months.
This article shows you how to use Let's Encrypt to get free certificates for publicly facing web servers. This article uses Oracle Linux 7 as an example, but the process is similar in Oracle Linux 6 also.
- Installation
- Generate New Certificates
- Configure Apache
- Configure Tomcat
- Configure NGINX
- Renew Certificates
Related articles.
- Linux HTTP Server Configuration - SSL Configuration (HTTPS)
- Apache Tomcat : Enable HTTPS - Using Certificates and Keys
Installation
The commands in this section need to be run as the "root" user. If you are not the "root" user, add "sudo " in front of every command to run then from your admin user.
For OL7 you will need to enable the "Optional" repository.
# OL7 yum install -y yum-utils yum-config-manager --enable ol7_optional_latest
Enable the EPEL repository for your Oracle Linux version. If you want to use the Oracle Linux repository for this, issue the following command.
# OL7 yum-config-manager --enable ol7_developer_EPEL # OL8 dnf install -y oracle-epel-release-el8
Alternatively, use the official EPEL release.
# OL7 cd /tmp wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm rpm -Uvh /tmp/epel-release-latest-7.noarch.rpm # OL8 cd /tmp wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm rpm -Uvh /tmp/epel-release-latest-8.noarch.rpm
Install snap. You can get full instructions here.
# OL7 yum install -y snapd systemctl enable --now snapd.socket systemctl start snapd ln -s /var/lib/snapd/snap /snap # OL8 dnf install -y snapd systemctl enable --now snapd.socket systemctl start snapd ln -s /var/lib/snapd/snap /snap
Install and refresh core.
snap install core snap refresh core
Finally, install CertBot.
snap install --classic certbot ln -s /snap/bin/certbot /usr/bin/certbot
Generate New Certificates
Depending on the operating systems, web server and client being used, there may be a command that will automatically download and install the certificate for you. I prefer to do the configuration myself, so the examples below just downloads a new certificate. They assume you already have the servers running and publicly visible.
# For Apache: /usr/bin/certbot certonly --webroot -w /var/www/html --email root@example.com -d example.com -d www.example.com # For Tomcat: /usr/bin/certbot certonly --webroot -w $CATALINA_HOME/webapps/ROOT --email root@example.com -d example.com -d www.example.com
We have had to provide several bits of information.
- --webroot : The utility will create a new path under the webroot path called ".well-known/acme-challenge", which contains two automatically generated challenge files. When you request the certificates LetsEncrypt checks the challenge files to make sure you are requesting the certificates for your own webserver.
- --email : The email address of the web server administrator.
- -d : The domain name you are requesting the certificate for. It makes sense to get the base domain and the "www." subdomain. You can also request additional subdomains, but all must be part of the same top-level domain.
The first time you run this command it will install any dependencies using Yum, which is my you need to make sure the correct repositories are enabled in the previous section. It will also ask you to agree to the terms and conditions.
Once complete you will have a new directory structure created under "/etc/letsencrypt". If you are handling multiple domains from your web server you can make multiple requests, one per domain. You will then see additional domain-specific subdirectories under the "archive" and "live" directories.
/etc/letsencrypt/csr /etc/letsencrypt/archive/example.com /etc/letsencrypt/renewal /etc/letsencrypt/live/example.com /etc/letsencrypt/live /etc/letsencrypt/keys /etc/letsencrypt/accounts
You will also find logs under the following directory.
/var/log/letsencrypt/
Configure Apache
The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your Apache "httpd.conf" file should reference that location, as shown in the example below.
<VirtualHost *:443>
ServerName example.com
Serveralias www.example.com
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/example.com-error_log
CustomLog /var/log/httpd/example.com-access_log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
Configure Tomcat
You can read how to configure Tomcat to use HTTPS here. This example uses the certificates generated by CertBot.
Configure NGINX
The latest certificate for "example.com" will always be under the "/etc/letsencrypt/live/example.com" directory. The certificate entries in your site-specific configuration file under the "/etc/nginx/conf.d" directory should reference that location, as shown in the example below.
server {
listen 80;
#listen [::]:80 ipv6only=on;
listen 443 ssl;
#listen [::]:443 ipv6only=on ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Enable server-side protection against BEAST attacks
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# Disable SSLv3
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
# Diffie-Hellman parameter for DHE ciphersuites
# $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
#ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
root /usr/share/nginx/html;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
}
Renew Certificates
Running the following command will renew any certificates that are due for renewal.
/usr/bin/certbot renew
To run in silent mode do the following.
/usr/bin/certbot renew --quiet
Use "--post-hook" to run a command if any certificates were replaced. In the example below Apache is restarted if any certificates are renewed.
/usr/bin/certbot renew --quiet --post-hook "systemctl restart httpd"
Adding the following to the crontab will attempt to renew the certificates at 22:00 every day. If a certificate is renewed, Apache will be restarted.
0 22 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl restart httpd"
For more information see:
- Let’s Encrypt
- Linux HTTP Server Configuration - SSL Configuration (HTTPS)
- Apache Tomcat : Enable HTTPS - Using Certificates and Keys
Hope this helps. Regards Tim...