Difference between revisions of "Setup SSL"
(12 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
<html> <h2><a href="https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-ubuntu/" target=_blank>Linode Doc to setup SSL Link to Linode Doc</a> </h2></html> | |||
=[[Certbot | Certbot website]]= | |||
==Installing Snapd== | ==Installing Snapd== | ||
<p class="subhead"">If snapd is not installed, install it now.</p> | |||
sudo apt update | sudo apt update | ||
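Review bot: the added paragraph tag on the "If snapd is not installed" line has a doubled closing quote in `class="subhead""`, which leaves the attribute malformed; it should read `class="subhead"`. In the added link line, `target=_blank` is unquoted and has no `rel` attribute; quote the value and add `rel="noopener noreferrer"`. The link text "Linode Doc to setup SSL Link to Linode Doc" also repeats itself and could be shortened.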
Line 30: | Line 31: | ||
==Requesting a TLS/SSL Certificate Using Certbot== | ==Requesting a TLS/SSL Certificate Using Certbot== | ||
'''During the certificate granting process, Certbot asks a series of questions about the domain so it can properly request the certificate. You must agree to the terms of service and provide a valid administrative email address. Depending upon the server configuration, the messages displayed by Certbot might differ somewhat from what is shown here. | '''During the certificate granting process, Certbot asks a series of questions about the domain so it can properly request the certificate. You must agree to the terms of service and provide a valid administrative email address. Depending upon the server configuration, the messages displayed by Certbot might differ somewhat from what is shown here.''' | ||
Run Certbot to start the certificate request. When Certbot runs, it requests and installs certificate file along with a private key file. When used with the Apache plugin (--apache), Certbot also automatically edits the configuration files for Apache, which dramatically simplifies configuring HTTPS for your web server. If you prefer to manually adjust the configuration files, you can run Certbot using the certonly command.''' | Run Certbot to start the certificate request. When Certbot runs, it requests and installs certificate file along with a private key file. When used with the Apache plugin (--apache), Certbot also automatically edits the configuration files for Apache, which dramatically simplifies configuring HTTPS for your web server. If you prefer to manually adjust the configuration files, you can run Certbot using the certonly command. | ||
'''*Request a certfifcate and automatically configure it on Apache (recommended):''' | |||
sudo certbot --apache | |||
During the installation process, Certbot will prompt you for some basic information including your email address and domain name. | |||
Enter email address. The first prompt is to request an email address where Certbot can send urgent notices about the domain or registration. This should be the address of the web server administrator. | |||
Accept terms of service. Certbot next asks you to agree to the Let’s Encrypt terms of service. Use the link in the output to download the PDF file and review the document. If you agree with the terms, enter Y. Entering N terminates the certificate request. | |||
Optionally subscribe to mailing list. Certbot asks if you want to subscribe to the EFF mailing list. You can answer either Y or N without affecting the rest of the installation. | |||
Enter domain name(s). Certbot now requests a domain name for the certificate. If there is a virtual host file for the domain, Certbot displays the names of the eligible domains. Select the numbers corresponding to the domains you are requesting certificates for, separated by spaces. If the domain doesn’t appear, you can enter the name for each domain without the http or https prefix. For each domain name, you should request separate certificates with and without the www prefix. If you have more than one domain to certify, separate the names with either a space or a comma. | |||
www.example.com example.com | |||
'''Note | |||
Certbot displays the names of domains configured in the virtual host files within Apache. Select the numbers corresponding to the domains you are requesting certificates for, separated by spaces.''' | |||
'''Certbot then communicates with Let’s Encrypt to request the certificate(s) and perform any necessary challenges as defined in the ACME standard (see Challenge Types). In most cases, ownership can be proven through the HTTP challenge, which automatically adds a file on your web server. If you wish to change the challenge type or perform challenge manually, see the Manual section in the Certbot documentation.''' | |||
'''If the operation is successful, Certbot confirms the certificates are enabled and outputs the details. It also displays some information about the directories where the certificates and key chains are stored, along with the expiration date. Certificates typically expire in 90 days.''' | |||
===Testing the HTTPS Connection=== | |||
The next step is to confirm the website is properly configured to use your new certificate and is accessible over HTTPS. To do this, navigate to your website on a web browser, making sure to specify the https:// protocol when entering your URL. If a lock is visible to the left of the domain name on the browser’s address bar, the certificate is likely working as expected. If the certificate is not installed properly, the browser displays a warning page. | |||
You can also enter your domain into the SSL Server Test by Qualys SSL Labs to verify that the TLS/SSL certificate has been properly installed and configured. | |||
===Renewing a TLS/SSL Certificate Using Certbot=== | |||
Upon installation, Certbot is configured to renew any certificates automatically. It is not necessary to manually request an updated certificate or run Certbot again unless the site configuration changes. However, Certbot makes it possible to test the auto-renew mechanism or to forcibly update all certificates. | |||
===Test Automated Renewals=== | |||
To confirm Certbot is configured to renew its certificates automatically, use certbot renew along with the dry-run flag. | |||
sudo certbot renew --dry-run | |||
Certbot inspects the certificates and confirms they are not due to be renewed, but simulates the process anyway. It displays details regarding whether the renewal would have been successful. | |||
== Add additional domains== | |||
''' This will create a new certificate for the domains you are adding ''' | |||
sudo certbot --apache | |||
===Changing a Certificate’s Domains=== | |||
'''The --cert-name flag can also be used to modify the domains a certificate contains, by specifying new domains using the -d or --domains flag. If certificate example.com previously contained example.com and www.example.com, it can be modified to only contain example.com by specifying only example.com with the -d or --domains flag. Example:''' | |||
certbot certonly --cert-name example.com -d example.com | |||
'''The same format can be used to expand the set of domains a certificate contains, or to replace that set entirely:''' | |||
certbot certonly --cert-name example.com -d example.org,www.example.org | |||
=[[Linode]]= | |||
[[Category:Linode]] |
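Review bot: the two `certbot certonly --cert-name ...` commands under "Changing a Certificate's Domains" are written without sudo, while every other certbot command in this revision is run with sudo; make them consistent so they can be pasted as shown. The added bullet line also misspells "certificate" as "certfifcate". Under "Add additional domains" the command is the same bare `sudo certbot --apache` used for the first request, so it is worth stating there how this differs from expanding an existing certificate with --cert-name and -d, which the next subsection describes.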
Latest revision as of 19:27, 31 August 2022
Linode Doc to setup SSL: https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-ubuntu/
Certbot website
Installing Snapd
If snapd is not installed, install it now.
sudo apt update
sudo apt install snapd
Install the core snap.
sudo snap install core
sudo snap refresh core
Installing Certbot
The next step is to install Certbot using the snap command.
Remove any previously installed certbot packages to avoid conflicts with the new Snap package.
sudo apt remove certbot
Use Snap to install Certbot.
sudo snap install --classic certbot
Create a symbolic link to the Certbot executable using the ln command.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Requesting a TLS/SSL Certificate Using Certbot
During the certificate granting process, Certbot asks a series of questions about the domain so it can properly request the certificate. You must agree to the terms of service and provide a valid administrative email address. Depending upon the server configuration, the messages displayed by Certbot might differ somewhat from what is shown here.
Run Certbot to start the certificate request. When Certbot runs, it requests and installs a certificate file along with a private key file. When used with the Apache plugin (--apache), Certbot also automatically edits the configuration files for Apache, which dramatically simplifies configuring HTTPS for your web server. If you prefer to manually adjust the configuration files, you can run Certbot using the certonly command.
* Request a certificate and automatically configure it on Apache (recommended):
sudo certbot --apache
During the installation process, Certbot will prompt you for some basic information including your email address and domain name.
Enter email address. The first prompt is to request an email address where Certbot can send urgent notices about the domain or registration. This should be the address of the web server administrator.
Accept terms of service. Certbot next asks you to agree to the Let’s Encrypt terms of service. Use the link in the output to download the PDF file and review the document. If you agree with the terms, enter Y. Entering N terminates the certificate request.
Optionally subscribe to mailing list. Certbot asks if you want to subscribe to the EFF mailing list. You can answer either Y or N without affecting the rest of the installation.
Enter domain name(s). Certbot now requests a domain name for the certificate. If there is a virtual host file for the domain, Certbot displays the names of the eligible domains. Select the numbers corresponding to the domains you are requesting certificates for, separated by spaces. If the domain doesn’t appear, you can enter the name for each domain without the http or https prefix. For each domain name, you should request separate certificates with and without the www prefix. If you have more than one domain to certify, separate the names with either a space or a comma.
www.example.com example.com
Note: Certbot displays the names of domains configured in the virtual host files within Apache. Select the numbers corresponding to the domains you are requesting certificates for, separated by spaces.
Certbot then communicates with Let’s Encrypt to request the certificate(s) and perform any necessary challenges as defined in the ACME standard (see Challenge Types). In most cases, ownership can be proven through the HTTP challenge, which automatically adds a file on your web server. If you wish to change the challenge type or perform the challenge manually, see the Manual section in the Certbot documentation.
If the operation is successful, Certbot confirms the certificates are enabled and outputs the details. It also displays some information about the directories where the certificates and key chains are stored, along with the expiration date. Certificates typically expire in 90 days.
Testing the HTTPS Connection
The next step is to confirm the website is properly configured to use your new certificate and is accessible over HTTPS. To do this, navigate to your website on a web browser, making sure to specify the https:// protocol when entering your URL. If a lock is visible to the left of the domain name on the browser’s address bar, the certificate is likely working as expected. If the certificate is not installed properly, the browser displays a warning page.
You can also enter your domain into the SSL Server Test by Qualys SSL Labs to verify that the TLS/SSL certificate has been properly installed and configured.
Renewing a TLS/SSL Certificate Using Certbot
Upon installation, Certbot is configured to renew any certificates automatically. It is not necessary to manually request an updated certificate or run Certbot again unless the site configuration changes. However, Certbot makes it possible to test the auto-renew mechanism or to forcibly update all certificates.
Test Automated Renewals
To confirm Certbot is configured to renew its certificates automatically, use certbot renew along with the dry-run flag.
sudo certbot renew --dry-run
Certbot inspects the certificates and confirms they are not due to be renewed, but simulates the process anyway. It displays details regarding whether the renewal would have been successful.
Add additional domains
This will create a new certificate for the domains you are adding.
sudo certbot --apache
Changing a Certificate’s Domains
The --cert-name flag can also be used to modify the domains a certificate contains, by specifying new domains using the -d or --domains flag. If certificate example.com previously contained example.com and www.example.com, it can be modified to only contain example.com by specifying only example.com with the -d or --domains flag. Example:
sudo certbot certonly --cert-name example.com -d example.com
The same format can be used to expand the set of domains a certificate contains, or to replace that set entirely:
sudo certbot certonly --cert-name example.com -d example.org,www.example.org
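Before changing a certificate's domains with --cert-name, or when checking that renewals are keeping up with the 90-day lifetime, it helps to audit what `sudo certbot certificates` reports. The script below is an added example, not part of the original page or of Certbot: the function names `audit_certs` and `sample_output` are hypothetical, the sample output is constructed, and it assumes the "Certificate Name / Domains / Expiry Date" layout that command prints.

```shell
# Added example; assumes the "Certificate Name / Domains / Expiry Date" layout
# that `certbot certificates` prints. Findings, one per line:
#   MISSING  <cert> <name>   the www/non-www counterpart is not on the cert
#   EXPIRING <cert> <days>   fewer than the given number of days remain
#   INVALID  <cert>          certbot marks the cert INVALID (e.g. expired)
audit_certs() {
  awk -v min="${1:-30}" '
    $1 == "Certificate" && $2 == "Name:" { cert = $3 }
    $1 == "Domains:" {
      split("", have)                      # reset the per-certificate set
      for (i = 2; i <= NF; i++) have[$i] = 1
      for (i = 2; i <= NF; i++) {
        d = $i
        if (d ~ /^\*\./) continue          # wildcard names have no www twin
        other = (d ~ /^www\./) ? substr(d, 5) : "www." d
        if (!(other in have)) print "MISSING", cert, other
      }
    }
    $1 == "Expiry" && $2 == "Date:" {
      if ($0 ~ /INVALID/) { print "INVALID", cert; next }
      days = 0                             # "VALID: N hour(s)" counts as 0 days
      if (match($0, /VALID: [0-9]+ day/))
        days = substr($0, RSTART + 7, RLENGTH - 11) + 0
      if (days < min) print "EXPIRING", cert, days
    }
  '
}

# Constructed sample of `certbot certificates` output (not from a real host).
sample_output() {
  cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com
    Expiry Date: 2022-11-29 19:27:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: example.org
    Domains: example.org www.example.org
    Expiry Date: 2022-09-12 08:00:00+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
EOF
}

sample_output | audit_certs 30
```

On a real server, run `sudo certbot certificates | audit_certs 30`; a MISSING line names the domain to add with -d when reissuing under the same --cert-name.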