Getting an X.509 certificate via Let's Encrypt



We will create an X.509 certificate (so that the browser shows a padlock in the URL bar instead of a certificate warning) using the script acme-tiny, which talks to the Let's Encrypt CA.



Let's Encrypt proves control of the domain with an HTTP-01 challenge (the only challenge type acme-tiny supports). Therefore your provisioning server needs a valid, publicly resolvable domain name pointing to a public IP address, and the HTTP port (tcp/80) must be reachable from the internet.

1.1.1.1.1. Opening the HTTP port
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload



Afterwards we can request a certificate via:

1.1.1.1.2. Requesting a certificate
# install acme-tiny
yum install acme-tiny

# generate an account.key - if you don't have it yet - otherwise just move it into this location
# (umask 077 makes sure the key is never world-readable, not even before the chmod below)
(umask 077; openssl genrsa 4096 > /var/lib/acme/private/account.key)

# set the correct permissions (acme-tiny runs as user acme and must be able to read the key)
chown acme:acme /var/lib/acme/private/account.key
chmod 0400 /var/lib/acme/private/account.key

# create a private key and a certificate signing request for the domain demo.nmsprime.com
cn='demo.nmsprime.com'

# EITHER generate a certificate signing request for $cn only
openssl req -new -nodes -keyout "/etc/pki/tls/private/$cn.key" -subj "/CN=$cn" -out "/var/lib/acme/csr/$cn.csr"

# OR generate a certificate signing request for multiple hostnames (e.g. $cn and www.$cn);
# the subject is left empty, the names are carried in the subjectAltName extension
openssl req -new -nodes -keyout "/etc/pki/tls/private/$cn.key" -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$cn,DNS:www.$cn")) -out "/var/lib/acme/csr/$cn.csr"

# the private key stays readable by root only, the CSR contains nothing secret
chmod 0400 "/etc/pki/tls/private/$cn.key"
chmod 0644 "/var/lib/acme/csr/$cn.csr"

# download the currently active intermediate certificate; check that it is still the one
# listed at https://letsencrypt.org/certificates (Apache sends this file to clients as the chain,
# so a stale or wrong intermediate breaks validation in browsers even though the leaf is fine)
curl -L -o /var/lib/acme/r10.pem https://letsencrypt.org/certs/2024/r10.pem

# reload apache (so that the HTTP challenge path can be answered), then run the script via its timer
systemctl reload httpd
systemctl enable acme-tiny.timer
systemctl start acme-tiny.timer

# check your logs (journalctl or /var/log/messages) to see if everything went fine;
# in case something failed, or for a later renewal (e.g. after adding more subdomains), run acme-tiny again:
systemctl restart acme-tiny.service

# if everything went fine, adapt your nmsprime apache conf
# (SSLCertificateChainFile is deprecated since httpd 2.4.8 but still honoured; alternatively append
# the intermediate to the file given in SSLCertificateFile)
sed -e "s|SSLCertificateFile.*|SSLCertificateFile /var/lib/acme/certs/$cn.crt|" \
    -e "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/pki/tls/private/$cn.key\n\ SSLCertificateChainFile /var/lib/acme/r10.pem|" \
    -i /etc/httpd/conf.d/nmsprime-{acs,admin,ccc}.conf

# to use the new certificates, reload apache
systemctl reload httpd

# remove the now unused self-signed certificates
rm /etc/httpd/ssl/httpd.{key,pem}
rmdir /etc/httpd/ssl



Our current complete CSR command for all hostnames on the repo server (deployment server); every hostname is listed exactly once in the subjectAltName:

openssl req -new -nodes -keyout "/etc/pki/tls/private/repo.nmsprime.com.key" -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:konferenz.nmsprime.com,DNS:repo.nmsprime.com,DNS:repo.roetzer-engineering.com,DNS:support.nmsprime.com,DNS:www.konferenz.nmsprime.com,DNS:conference.nmsprime.com,DNS:www.conference.nmsprime.com")) -out "/var/lib/acme/csr/repo.nmsprime.com.csr"
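The procedure above has three points where it pays to verify rather than trust: what the CSR actually asks for (the SAN list in the process substitution is easy to get wrong, and a hostname listed twice is sent to the CA twice), whether the certificate acme-tiny wrote really belongs to the private key in /etc/pki/tls/private, and whether the intermediate you downloaded is the one that signed it, before the sed swaps it into the Apache configuration. The following script is an added example and not part of the NMS Prime documentation or of acme-tiny. It builds the SAN CSR from a small temporary config file instead of the process substitution, and provides the three checks as functions. All file names are assumptions; the `demo` target builds a constructed, offline stand-in for Let's Encrypt (two self-signed "intermediates" r10 and r11, a leaf signed by r10) so the checks can be exercised without network access.

```shell
#!/bin/bash
# Added example (not from the NMS Prime docs or from acme-tiny): SAN CSR
# generation plus the checks worth running before pointing Apache at a
# freshly issued certificate. File names are illustrative assumptions.
set -eu

# mkcfg FILE CN [HOST...] -> minimal OpenSSL config: CN plus a subjectAltName
# naming every HOST exactly once (duplicates dropped, order kept), and a [ca]
# section that is only used for the constructed demo CAs below
mkcfg() {
    local out="$1" cn="$2"; shift 2
    local sans
    sans=$(printf '%s\n' "$@" | awk 'NF && !seen[$0]++ { printf "%sDNS:%s", (n++ ? "," : ""), $0 }')
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        [ -n "$sans" ] && printf 'req_extensions = san\n'
        printf '[dn]\nCN = %s\n[san]\nsubjectAltName = %s\n' "$cn" "$sans"
        printf '[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n'
    } > "$out"
}

# make_san_csr KEY CSR HOST... -> new RSA key (created under umask 077, so it is
# never world-readable, not even before a chmod) and a CSR for HOST...;
# the config is kept next to the CSR so a CA can reuse its [san] section
make_san_csr() {
    local key="$1" csr="$2"; shift 2
    mkcfg "$csr.cnf" "$1" "$@"
    (umask 077; openssl req -new -newkey rsa:2048 -nodes -config "$csr.cnf" \
        -keyout "$key" -out "$csr" 2>/dev/null)
}

# csr_sans CSR -> the DNS names in the CSR's subjectAltName, one per line;
# these are exactly the names the CA will challenge, so read them before submitting
csr_sans() {
    openssl req -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# cert_matches_key CERT KEY -> 0 iff the public key inside CERT is KEY's public key
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# issued_by CERT INTERMEDIATE -> 0 iff INTERMEDIATE signed CERT; -partial_chain lets
# the intermediate act as the trust anchor, so the root need not be present
issued_by() {
    openssl verify -partial_chain -trusted "$2" "$1" >/dev/null 2>&1
}

# mk_demo_ca DIR NAME -> constructed self-signed CA NAME.pem / NAME.key (demo only)
mk_demo_ca() {
    mkcfg "$1/$2.cnf" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/$2.cnf" \
        -extensions ca -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# build_demo_pki DIR CN -> two stand-in intermediates (r10, r11), CN's key and CSR
# (CN listed twice on purpose, to show the de-duplication), and a leaf certificate
# issued by r10 with the CSR's own [san] section copied in, as a real CA would
build_demo_pki() {
    local dir="$1" cn="$2"
    mk_demo_ca "$dir" r10; mk_demo_ca "$dir" r11
    make_san_csr "$dir/$cn.key" "$dir/$cn.csr" "$cn" "www.$cn" "$cn"
    openssl x509 -req -days 30 -in "$dir/$cn.csr" -CA "$dir/r10.pem" -CAkey "$dir/r10.key" \
        -CAcreateserial -extfile "$dir/$cn.csr.cnf" -extensions san \
        -out "$dir/$cn.crt" 2>/dev/null
}

# run as: bash san-csr-check.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); cn=demo.nmsprime.com
    build_demo_pki "$d" "$cn"
    echo "SANs requested in $cn.csr:"; csr_sans "$d/$cn.csr"
    cert_matches_key "$d/$cn.crt" "$d/$cn.key" && echo "certificate matches $cn.key"
    issued_by "$d/$cn.crt" "$d/r10.pem" && echo "certificate was issued by r10.pem"
    issued_by "$d/$cn.crt" "$d/r11.pem" || echo "certificate was NOT issued by r11.pem"
fi
```

On the provisioning server the functions map onto the steps above: `make_san_csr /etc/pki/tls/private/$cn.key /var/lib/acme/csr/$cn.csr $cn www.$cn` replaces the process-substitution command, `csr_sans` shows what will be submitted, and after acme-tiny has run, `cert_matches_key /var/lib/acme/certs/$cn.crt /etc/pki/tls/private/$cn.key && issued_by /var/lib/acme/certs/$cn.crt /var/lib/acme/r10.pem` is the gate before the sed and the Apache reload. The r11 case in the demo is the failure mode to expect in practice: Let's Encrypt rotates between several intermediates, and a certificate signed by a different one than the file in SSLCertificateChainFile validates in openssl against the system trust store but not in browsers that rely on the served chain.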



If you would like to change the default seven-day validity check of acme-tiny to e.g. 14 days (i.e. acme-tiny should try to renew the certificate two weeks before the end of its validity period), run the following commands to create a systemd drop-in, which will survive updates of the acme-tiny package: