Using Let’s Encrypt SSL certificates

Let’s Encrypt certificates are only valid for 90 days, so you have to keep renewing them.

  1. Install Certbot/Let’s Encrypt on the Linux system where the certificates for the website will be generated. First enable the EPEL repository with the epel-release package that matches your distribution version (the EL7 line or the EL8 line, not both), then install the “letsencrypt” package (which actually installs the “certbot” package):
    sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    sudo yum install -y letsencrypt

  2. Generate the certificate (command):
$ sudo su -
# cd /etc/letsencrypt/ && certbot certonly -d 'itayemi.com,*.itayemi.com' --manual

– NOTE: the certbot command prompts you to create a DNS TXT record. You MUST create it before pressing the Enter key to continue!
———————————————————————

Please deploy a DNS TXT record under the name
_acme-challenge.itayemi.com with the following value:

obLL0Cludw4VpwXJuMG0AFlRryUbdb0ozHiNrgAvqx8

Before continuing, verify the record is deployed.
———————————————————————

2b. In cPanel, use “Zone Editor” in the “Domains” section to add the TXT record (e.g., _acme-challenge.itayemi.com) with the displayed value (e.g., obLL0Cludw4VpwXJuMG0AFlRryUbdb0ozHiNrgAvqx8)
———————————————————————

2c. In the Linux session, press the Enter key to continue

2d. You are prompted to create a file on your webserver (or website). You MUST do so before pressing the ENTER key to continue:
———————————————————————

Create a file containing just this data:

AKJdNT8vtAwQefuoBWItTxj9-n5K947LhmHPWdTWl0s.vrNHNIC3FVyuv2kJU8JcnmZK_lfarmjV_FDWrtWY1wc

And make it available on your web server at this URL:

http://itayemi.com/.well-known/acme-challenge/AKJdNT8vtAwQefuoBWItTxj9-n5K947LhmHPWdTWl0s
———————————————————————

2e. In cPanel, use the “File Manager” in the “Files” section to create the indicated file http://itayemi.com/.well-known/acme-challenge/vxp4GyEKqvkniMdE_20XCR2RpPiPPjfvhAqgAtC-8Hk with the indicated content (e.g., vxp4GyEKqvkniMdE_20XCR2RpPiPPjfvhAqgAtC-8Hk.vrNHNIC3FVyuv2kJU8JcnmZK_lfarmjV_FDWrtWY1wc):

  • the file is in directory /home2/itayemi/public_html/.well-known/acme-challenge/
  • use the “+File” link to the top left of the “File Manager” page to add the new file
  • then click on the file, and select the “Edit” button to edit the file and add the content
  • then click the “Save Changes” button, then the “Close” button

———————————————————————


2f. In the Linux session, press the Enter key to continue. The process completes and displays the certificate details, e.g.:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/itayemi.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/itayemi.com/privkey.pem
    Your certificate will expire on 2021-09-11. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run “certbot renew”

2g. Finally, install the certificate in cPanel: for each domain/FQDN, select the “Update Certificate” link under the “Actions” column, populate the “Certificate: (CRT)” textbox with the content of the file /etc/letsencrypt/live/itayemi.com/cert.pem from the Linux system, populate the “Private Key (KEY)” field with the content of the file /etc/letsencrypt/live/itayemi.com/privkey.pem, then click the “Install Certificate” button (the full cPanel navigation is given in the “INSTALLING THE LETSENCRYPT Certificate in cPanel” steps below).
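A pair of pre-flight checks for steps 2b to 2e, added here as an example and not part of the original post: before pressing Enter at either certbot prompt, confirm that the TXT record is actually visible at an authoritative nameserver and that the challenge URL serves exactly the token.thumbprint string. The domain and the token values are the ones shown above; the script assumes `dig` (bind-utils) and `curl` are installed, and the function and file names are my own.

```shell
#!/bin/sh
# Added pre-flight checks (not from the original post): run these from a second
# terminal before pressing Enter at each "certbot --manual" prompt, so the ACME
# validation is not attempted against a record or file that is not there yet.
# Usage (values taken from the prompts in the post):
#   sh preflight.sh dns  itayemi.com obLL0Cludw4VpwXJuMG0AFlRryUbdb0ozHiNrgAvqx8
#   sh preflight.sh http itayemi.com <token> <token>.<thumbprint>

# txt_record_present DIG_OUTPUT EXPECTED
# DIG_OUTPUT is the text printed by `dig +short TXT <name>`: one double-quoted
# value per line. Returns 0 if EXPECTED is one of those values. Several values
# at the same name are normal (one per pending challenge), so every line is checked.
txt_record_present() {
  printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -qxF -- "$2"
}

# challenge_body_ok BODY EXPECTED
# BODY is what the web server returned for the acme-challenge URL. The ACME server
# compares the token.thumbprint string exactly, so apart from a trailing newline
# nothing else may be in the file (no HTML wrapper, no BOM, no extra text).
challenge_body_ok() {
  body=$(printf '%s' "$1")   # command substitution drops trailing newlines only
  [ "$body" = "$2" ]
}

# check_dns DOMAIN EXPECTED
# Queries one of the zone's authoritative servers directly: an answer cached by the
# local resolver could otherwise hide a record that has not propagated yet.
check_dns() {
  ns=$(dig +short NS "$1" | head -n 1)
  [ -n "$ns" ] || { echo "no NS record found for $1" >&2; return 2; }
  out=$(dig +short TXT "_acme-challenge.$1" "@$ns")
  if txt_record_present "$out" "$2"; then
    echo "TXT record for _acme-challenge.$1 is in place at $ns"
  else
    echo "TXT record for _acme-challenge.$1 not found at $ns (got: ${out:-nothing})" >&2
    return 1
  fi
}

# check_http DOMAIN TOKEN EXPECTED
# Fetches the challenge URL over plain HTTP, the same way Let's Encrypt will.
check_http() {
  url="http://$1/.well-known/acme-challenge/$2"
  body=$(curl -fsS --max-time 15 "$url") || { echo "fetch of $url failed" >&2; return 1; }
  if challenge_body_ok "$body" "$3"; then
    echo "challenge file at $url serves the expected content"
  else
    echo "challenge file at $url has unexpected content: $body" >&2
    return 1
  fi
}

case "${1:-}" in
  dns)  check_dns "$2" "$3" ;;
  http) check_http "$2" "$3" "$4" ;;
esac
```

Run the `http` check from a machine that does not carry the /etc/hosts override described under “IMPORTANT NOTES” below, otherwise you are testing the local Apache instance rather than the hosted site.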

———————————————————————


IMPORTANT NOTES:

  • Set up a local instance of Apache (httpd) webserver to be able to renew the certificates (since I don’t have direct file-system access to the actual web-server where my site is hosted unless I login via cPanel, this allows me to automate renewal of the certificate “locally”, then manually copy it to my actual site’s cPanel configuration). This is a one-time activity.
    $ sudo yum install -y httpd
    $ sudo yum install -y python2-certbot-apache
    $ sudo systemctl enable httpd
    $ sudo systemctl start httpd
  • Add a line to /etc/hosts so that all utilities know to point to “localhost” as the webserver for www.itayemi.com
    127.0.0.1 itayemi.com www.itayemi.com olutayo.itayemi.com
  • Run the command sudo egrep -e '^User|^Group' /etc/httpd/conf/httpd.conf to find the User and Group the webserver runs as (e.g., “User apache” and “Group apache”; these are used in the next step)
  • Create the directory and files for www.itayemi.com (the index.html is written with tee because a plain “sudo echo … > file” runs the redirection as the unprivileged user, not as root):
    sudo mkdir -p /var/www/itayemi.com/public_html
    echo "itayemi.com" | sudo tee /var/www/itayemi.com/public_html/index.html
    sudo chown -R apache:apache /var/www/itayemi.com
    sudo chmod -R 755 /var/www/itayemi.com
  • Create a “VirtualHost” for itayemi.com on the local Apache Server (e.g., create file /etc/httpd/conf.d/itayemi.com.conf containing the following lines). The port-80 host must stay plain HTTP: with SSLEngine on, Apache answers port 80 with TLS and rejects ordinary HTTP requests, and the certbot --apache plugin needs a plain HTTP host to serve the challenge. The placeholder localhost.crt/localhost.key pair used by the port-443 host is created by the mod_ssl package, so install that too:
    <VirtualHost *:443>
       ServerName www.itayemi.com
       SSLEngine on
       # self-signed placeholder shipped with mod_ssl, only used by the local instance
       SSLCertificateFile /etc/pki/tls/certs/localhost.crt
       SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
       DocumentRoot /var/www/itayemi.com/public_html
    </VirtualHost>
    <VirtualHost *:80>
       # plain HTTP host: no SSLEngine here
       ServerName olutayo.itayemi.com
       DocumentRoot /var/www/itayemi.com/public_html
    </VirtualHost>
  • Restart the HTTPD server:
    $ sudo systemctl restart httpd

  • Install a root crontab entry to renew the certificates every 90 days (at 2:45 AM on the 25th of March, June, September and December):

# sudo crontab -l
# autorenew certificates for *.itayemi.com which should generate new
# valid certificates every 3 months. Note that I still have to login
# to itayemi.com cpanel and update the CRT and Private key fields of each
# defined FQDN with the new certificate generated by certbot
# i.e., cert.pem and privkey.pem
45 2 25 3,6,9,12 * cd /etc/letsencrypt/ && certbot certonly --force-renewal -d 'itayemi.com,*.itayemi.com' --apache -n



INSTALLING THE LETSENCRYPT Certificate in cPanel (repeat every 3 months when the certificate expires):
  • Copy the updated files /etc/letsencrypt/live/itayemi.com/cert.pem and /etc/letsencrypt/live/itayemi.com/privkey.pem from the local server
  • Login to hihostnow.com.ng (Client Area) -> Select “Services” -> “My Services” from the menu
  • Click on the “Status” button to the right of the target service e.g., itayemi.com
  • Expand the “Actions” menu (left-side of page) and click on “Login to cPanel”
  • In itayemi.com cPanel, select “SSL/TLS” (under the “Security” section)
  • Select “INSTALL AND MANAGE SSL FOR YOUR SITE (HTTPS) – Manage SSL sites”
  • For each listed FQDN/certificate row, select the “Update Certificate” link under the “Actions” column; populate the “Certificate: (CRT)” textbox with the content of the file /etc/letsencrypt/live/itayemi.com/cert.pem on the Linux system, and populate the “Private Key (KEY)” field with the content of the file /etc/letsencrypt/live/itayemi.com/privkey.pem, then click the “Install Certificate” button.
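The checks a practitioner wants before copying the files into that cPanel form, and before the cron job above forces a renewal, as an added example (not the post’s own tooling): that cert.pem and privkey.pem belong together (pasting the key of an earlier run is the usual reason “Install Certificate” fails), that the certificate is not about to expire, and that every FQDN you install it for is listed in its subjectAltName. It needs only `openssl`; the function and script names are my own, and the live directory path is the one used throughout the post.

```shell
#!/bin/sh
# Added checks (not from the original post) on a certbot "live" directory such as
# /etc/letsencrypt/live/itayemi.com: run them before pasting cert.pem and
# privkey.pem into cPanel, and from the cron job before a renewal is forced.
# Usage: sh certcheck.sh /etc/letsencrypt/live/itayemi.com itayemi.com www.itayemi.com

# pubkey_der_hash: reads a PEM public key on stdin, prints the SHA-256 of its DER
# form. Fails (instead of hashing empty input) when no valid key was read.
pubkey_der_hash() {
  tmp=$(mktemp) || return 1
  if openssl pkey -pubin -outform DER -out "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
    openssl dgst -sha256 "$tmp" | awk '{print $NF}'; rc=0
  else
    rc=1
  fi
  rm -f "$tmp"; return $rc
}

# cert_pubkey_hash CERT: hash of the public key inside the certificate
cert_pubkey_hash() {
  openssl x509 -noout -pubkey -in "$1" 2>/dev/null | pubkey_der_hash
}

# key_pubkey_hash KEY: hash of the public key derived from the private key
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout 2>/dev/null | pubkey_der_hash
}

# keypair_matches CERT KEY: 0 when the certificate belongs to this private key
keypair_matches() {
  c=$(cert_pubkey_hash "$1") || return 2
  k=$(key_pubkey_hash "$2") || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days DAYS CERT: 0 when the certificate is still valid DAYS days from now
cert_valid_for_days() {
  openssl x509 -noout -in "$2" -checkend $(( $1 * 86400 )) >/dev/null
}

# cert_covers NAME CERT: 0 when NAME is listed verbatim in the subjectAltName extension.
# The cPanel form is filled per FQDN, so check each one: "*.itayemi.com" covers
# www.itayemi.com but not itayemi.com itself, which is why both names are requested.
cert_covers() {
  openssl x509 -noout -text -in "$2" \
    | grep -o 'DNS:[^,]*' | sed 's/^DNS://; s/[[:space:]]*$//' \
    | grep -qxF -- "$1"
}

# report LIVE_DIR NAME...: run every check, print a verdict, exit 0 only if all pass
report() {
  dir=$1; shift; rc=0
  if keypair_matches "$dir/cert.pem" "$dir/privkey.pem"; then
    echo "OK   cert.pem and privkey.pem belong together"
  else
    echo "FAIL cert.pem does not match privkey.pem"; rc=1
  fi
  if cert_valid_for_days 30 "$dir/cert.pem"; then
    echo "OK   cert.pem is valid for more than 30 days"
  else
    echo "WARN cert.pem expires within 30 days: renew now"; rc=1
  fi
  for name in "$@"; do
    if cert_covers "$name" "$dir/cert.pem"; then
      echo "OK   $name is covered by cert.pem"
    else
      echo "FAIL $name is not in the certificate's subjectAltName"; rc=1
    fi
  done
  return $rc
}

if [ $# -gt 0 ]; then report "$@"; fi
```

The 30-day threshold mirrors what `certbot renew` itself uses before it considers a certificate due. Note also that cert.pem is the leaf certificate only; the intermediate lives in chain.pem in the same directory, which is what the optional “Certificate Authority Bundle (CABUNDLE)” field of the same cPanel form takes.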
