THe AlmaLinux logo which is a ring of people with their hands meeting in the center. Each person is a different color, and it ends up looking like a rainbow flower shape

Alma Linux Certbot Install

Leave a Comment / Nerding Out, Alma Adventures / By / LetsEncrypt, alma, Apache, certbot, cockpit

The magic moment is here. We have Apache, we have snapd, it is time for

A strange blue cyber background with black lines going vertical and horizontal. The image of a woman takes up a third of the frame and she is starting at a the small image of a meme where someone is wearing a rainbow afro. "Support MindFuel Blog on Patreon" is meticulously crafted into a graphical overlay which obfuscates part of the underlying artistry. So sad.

Remove any old Certbot, and install new Certbot

sudo dnf remove certbot
sudo snap install --classic certbot

ERROR: I tried running the install right away, and go this error

FIX: Waiting a couple minutes and trying again resolved this issue, and I got Certbot 2.6.0.

More symbolic linking to glue Certbot into place

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Using Certbot

Alright, with certbot in place, there are a couple options (See the instructions page), but I just wanted to try the easiest version first

sudo certbot --apache

Certbot will prompt you for the virtual hosts (they must already be configured in Apache on port 80) and maybe your email address. Then it will set about obtaining the requested SSL certs

ERROR: If you get an error like:

FIX: Go back to the Apache installation post, and be sure your Virtual Host is configured.

Revisiting Apache

I am basing these instructions from this Stack Overflow post – as it states, we are not quite out of the woods. First, uncomment out the 443 lines previously commented out (or if you skipped them, now is the time to append them to the previous text in that file) from the /etc/httpd/conf.d/yourdomain.conf file

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName yourDomainName.com
    DocumentRoot /var/www/html
    ServerAlias www.yourDomainName.com
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
LogLevel alert rewrite:trace3
SSLCertificateFile /etc/letsencrypt/live/yourDomainName.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourDomainName.com/privkey.pem
</VirtualHost>
</IfModule>

Certbot already modified my .conf file for me, but you will need something like the below in your port 80 config, so the site automatically redirects to port 443:

#this goes in at the bottom 3 lines of the VirtualHost *:80 section
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

now it is time to restart Apache and see how we did, yeah?

sudo systemctl restart httpd

My domain automatically redirected and the browser reports the domain is secured

Addendum for Cockpit Users

I use Cockpit – it is handy. And Cockpit is smart enough to want SSL in its life, but it looks in a different path to get its info. This article contains more detail, but in essence, while Certbot will happily auto-renew certs going forward, we need a script to run that will copy those certs over to Cockpit as needed. Apparently there is a hook just for this purpose!

NOTE: Replace YourDomain.TLD with the fully qualified domain name you are using (e.g. server123.megapizza.net)

#!/usr/bin/env bash

echo "LetsEncrypt Hook: Copying renewed SSL certs to Cockpit"

cp /etc/letsencrypt/live/YourDomain.TLD/fullchain.pem /etc/cockpit/ws-certs.d/YourDomain.TLD.crt
cp /etc/letsencrypt/live/YourDomain.TLD/privkey.pem /etc/cockpit/ws-certs.d/YourDomain.TLD.key

echo "LetsEncrypt Hook: Restarting Cockpit"
systemctl restart cockpit

I guess in about 89 days, I will know if that worked. But that’s it! We have Alma Linux, Apache, Snap and Certbot delivering SSL happiness!

Let’s enjoy it until we figure out the post-quantum option 🙂

Leave a Comment

Your email address will not be published. Required fields are marked *