How to Get Let's Encrypt SSL on CentOS 8
Let's Encrypt is a certificate authority that allows anyone to get a free SSL/TLS certificate and provide encryption for their services (web server, email, etc.). In addition, the Certbot client allows you to automate many processes. After the server is configured correctly, you can get a certificate in a few minutes, and then renew it automatically. To do this, you must ensure that the following points are met:
- Your server has a public IP address;
- You have a domain name. In this tutorial domain-name.com used as an example, replace it with yours FQDN;
- The DNS A record of your domain name contains the IP address of your server.
Installing snapd
Certbot developers recommend using snapd to automatically manage and maintain your package. Let’s install it.
dnf install epel-release; dnf install snapd
Now, start and enable it.
systemctl enable --now snapd.socket
You also need to create the following symbolic link to enable classic snap support.
ln -s /var/lib/snapd/snap /snap
After that reboot your system.
reboot
Make sure that the latest version is installed.
snap install core; snap refresh core
Installing Certbot
Make sure that there is no Certbot on your system.
dnf remove certbot
Install Cerbot.
snap install --classic certbot
Add the following symbolic link to ensure successful launch of Certbot.
ln -s /snap/bin/certbot /usr/bin/certbot
Ways to get an SSL certificate Let's Encrypt
When running Certbot challenge you can enter multiple domain names of your site as aliases when prompted. For example, domain-name.com, www.domain-name.com.
If you don't have any web server running, use this command and follow the instructions:
certbot certonly --standalone
It uses the HTTP port to check the response when accessing the domain name. If your web server is already running and you don't want to stop it, use the following one. You will be asked to enter the domain name and its webroot to confirm your rights to it.
certbot certonly --webroot
Wildcard SSL certificate and DNS challenge
Another way to verify your rights to a domain name and its server is DNS challenge. And this is the only way to get a wildcard SSL certificate. You must have access to manage your site's DNS records. Use this command and follow the instructions:
certbot certonly --manual --preferred-challenges dns -d domain-name.com -d *.domain-name.com
Automatic certificate renewal
During the installation of Certobot, automatic certificate updates are configured. This is a timer that will check for certificates which will expire soon in the system and update them. To see if it is configured, look here:
systemctl list-timers | grep certbot
If you see no output, you can check here:
cat /etc/crontab
cat /etc/cron.*/*
To test the automatic renewal process, run:
certbot renew --dry-run