07.06.2023

How to Get Let's Encrypt SSL on CentOS 8

Let's Encrypt is a certificate authority that allows anyone to get a free SSL/TLS certificate and provide encryption for their services (web server, email, etc.). In addition, the Certbot client allows you to automate many processes. After the server is configured correctly, you can get a certificate in a few minutes, and then renew it automatically. To do this, you must ensure that the following points are met:

Your server has a public IP address;
You have a domain name. In this tutorial domain-name.com used as an example, replace it with yours FQDN;
The DNS A record of your domain name contains the IP address of your server.

Cloud Servers from €4 / moIntel Xeon Gold 6254 3.1 GHz CPU, SLA 99,9%, 100 Mbps channel

Installing snapd

Certbot developers recommend using snapd to automatically manage and maintain your package. Let’s install it.

dnf install epel-release; dnf install snapd

Now, start and enable it.

systemctl enable --now snapd.socket

You also need to create the following symbolic link to enable classic snap support.

ln -s /var/lib/snapd/snap /snap

After that reboot your system.

reboot

Make sure that the latest version is installed.

snap install core; snap refresh core

Installing Certbot

Make sure that there is no Certbot on your system.

dnf remove certbot

Install Cerbot.

snap install --classic certbot

Add the following symbolic link to ensure successful launch of Certbot.

ln -s /snap/bin/certbot /usr/bin/certbot

Ways to get an SSL certificate Let's Encrypt

When running Certbot challenge you can enter multiple domain names of your site as aliases when prompted. For example, domain-name.com, www.domain-name.com.
If you don't have any web server running, use this command and follow the instructions:

certbot certonly --standalone

It uses the HTTP port to check the response when accessing the domain name. If your web server is already running and you don't want to stop it, use the following one. You will be asked to enter the domain name and its webroot to confirm your rights to it.

certbot certonly --webroot

Wildcard SSL certificate and DNS challenge

Another way to verify your rights to a domain name and its server is DNS challenge. And this is the only way to get a wildcard SSL certificate. You must have access to manage your site's DNS records. Use this command and follow the instructions:

certbot certonly --manual --preferred-challenges dns -d domain-name.com -d *.domain-name.com

Automatic certificate renewal

During the installation of Certobot, automatic certificate updates are configured. This is a timer that will check for certificates which will expire soon in the system and update them. To see if it is configured, look here:

systemctl list-timers | grep certbot

If you see no output, you can check here:

cat /etc/crontab
cat /etc/cron.*/*

To test the automatic renewal process, run:

certbot renew --dry-run

Cloud Servers from €4 / moIntel Xeon Gold 6254 3.1 GHz CPU, SLA 99,9%, 100 Mbps channel