
Let’s Encrypt


This page provides basic instructions for using Let's Encrypt SSL certificates on your web server. Let's Encrypt is a free certificate authority (CA).

Certbot

Certbot is the best-known tool for obtaining certificates from Let's Encrypt. As of May 2022, Certbot needs to be installed as a snap from the Snap Store.

Add the snappy repository

zypper addrepo --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.3 snappy

For other versions of the distribution you may need to replace openSUSE_Leap_15.3 with the proper version.

Install snapd and certbot

The snap command installs software from the Snap Store and uses snapd, the snap daemon.

sudo zypper install snapd
sudo zypper --gpg-auto-import-keys refresh
sudo systemctl enable snapd.service
sudo systemctl start snapd.service
sudo systemctl enable snapd.apparmor.service
sudo systemctl start snapd.apparmor.service
sudo snap install core ; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/

The last line makes certbot available as a command on the default PATH.


The rest of this page is in need of a revision; it may or may not work the way it is described.

Modify configuration

For Leap 42.x

By default, certbot uses the staging (test) CA, which only issues certificates that browsers will not trust. To use the production CA of Let's Encrypt, you need to edit /etc/certbot/cli.ini

Change:

# The staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
# server = https://acme-v01.api.letsencrypt.org/directory

to:

# The staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
server = https://acme-v01.api.letsencrypt.org/directory

Run

sudo update-ca-certificates

If you are using Apache:

sudo certbot --apache

If you are using Nginx:

sudo certbot --nginx

Certbot then reads all your existing Apache/Nginx virtual host configuration files and determines which domains could be enabled for SSL certificates. After that, an interactive dialog appears:

[Screenshot: Certbot dialog for choosing domains]

(Sorry for the Chinese characters in the screenshot. The left button is "OK" and the right one is "Cancel".)

In the above dialog, use Up and Down to navigate and Space to select/unselect the domains for which you want to enable HTTPS. Then press Enter. Next screen:

[Screenshot: Certbot dialog asking whether to redirect HTTP to HTTPS]

Here you choose whether or not to redirect HTTP to HTTPS. Redirecting is recommended for security: if security is what you want, choose Secure. However, if you have clients that require plain HTTP, choose Easy. Then press Enter. Next screen:

[Screenshot: Certbot success dialog]

You do NOT need to restart Apache or Nginx server.

Test in browser

Open your web browser, visit your website with a URL starting with "https://" and check that you get a green lock symbol before the URL and that there are no warnings.

You can also test your website on SSL Labs.

Automate renew

Let's Encrypt certificates are only valid for 90 days. To reduce your work, we recommend using cron to run the renew job every month.

Edit /etc/cron.d/certbot.cron and uncomment the renew line:

# renew all certificates method: renew
10 5 1 * *  root    /usr/bin/certbot renew


uacme

There is an alternative, handy solution for obtaining certificates from Let's Encrypt: uacme (https://github.com/ndilieto/uacme).

Installation

If you are using openSUSE Tumbleweed or Leap 15.3 or later, you can install it with zypper (no need to add a repository; it is provided in the standard repository):

zypper in uacme

How to use

As written on the GitHub page (https://github.com/ndilieto/uacme), uacme is a minimal tool. In fact, there is no support for challenges (http, dns, etc.) in uacme itself, so you have to use it together with a hook program. If you want to use the http challenge (probably the most common case), you can use the hook program /usr/share/uacme/uacme.sh.

For example:

 # Create the uacme directories (-p also creates missing parents)
 mkdir -p /etc/ssl/uacme /etc/ssl/uacme/private
 # Create a new account key (registered with your mail address)
 uacme new mail_address@example.org
 # Create the acme-challenge directory under the document root
 mkdir -p /srv/www/htdocs/.well-known/acme-challenge
 # Issue the certificate (replace "example.org" with your FQDN)
 # (To issue a certificate for multiple FQDNs, list them separated by spaces)
 uacme -h /usr/share/uacme/uacme.sh issue example.org

That's all. If the "uacme issue" command prints nothing, it succeeded.

You can find the issued certificate at "/etc/ssl/uacme/example.org/cert.pem" and the corresponding private key at "/etc/ssl/uacme/private/example.org/key.pem".

FAQ

  • If you want to use a document root other than /srv/www/htdocs, specify it with the "UACME_CHALLENGE_PATH" environment variable (including the "/.well-known/acme-challenge" suffix).
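To make the hook mechanism and the UACME_CHALLENGE_PATH variable concrete, here is a minimal http-01 hook written as an added example (it is not the project's own /usr/share/uacme/uacme.sh). It assumes uacme's documented hook interface of five arguments (method, type, ident, token, auth) and the document root used on this page; the token check is this example's own addition, since the token becomes a file name.

```shell
#!/bin/sh
# Minimal uacme http-01 hook (added example; assumes the documented interface
# "hook method type ident token auth", method being begin/done/failed and auth
# the key authorization string that the CA expects to fetch).
# Honors UACME_CHALLENGE_PATH as described in the FAQ above; the default is
# this page's document root plus the /.well-known/acme-challenge suffix.
CHALLENGE_DIR="${UACME_CHALLENGE_PATH:-/srv/www/htdocs/.well-known/acme-challenge}"

# ACME tokens are base64url. Anything else (slashes, "..", spaces) is refused
# so that the token can never be turned into a path outside CHALLENGE_DIR.
valid_token() {
    case "$1" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

uacme_hook() {
    [ $# -eq 5 ] || { echo "usage: $0 method type ident token auth" >&2; return 1; }
    method=$1 ctype=$2 ident=$3 token=$4 auth=$5
    # Only http-01 is handled here; a non-zero exit makes uacme treat the
    # challenge type as unsupported.
    [ "$ctype" = "http-01" ] || return 1
    valid_token "$token" || return 1
    file="$CHALLENGE_DIR/$token"
    case "$method" in
        begin)
            mkdir -p "$CHALLENGE_DIR" || return 1
            # The key authorization must be served verbatim and world-readable
            # at http://$ident/.well-known/acme-challenge/$token
            umask 022
            printf '%s' "$auth" > "$file" ;;
        done | failed)
            # Clean up whether validation succeeded or not.
            rm -f "$file" ;;
        *)
            return 1 ;;
    esac
}

# Dispatch when invoked by uacme (always exactly five arguments).
if [ $# -eq 5 ]; then
    uacme_hook "$@"
fi
```

Save it as e.g. /usr/local/bin/uacme-http-hook.sh, make it executable and pass it with "uacme -h /usr/local/bin/uacme-http-hook.sh issue example.org".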
