Lets encrypt a Fedora server - Hackonology Forums (https://hackonology.com/forum)
Lets encrypt a Fedora server - SysAdmin - 07-15-2021

I was looking for a simple letsencrypt tutorial for my home server running Fedora but it looks like the official (and quite capable) certbot is not available in Fedora repos. So I have decided to go a more simple route of using acme-tiny shell script which is present and does the same, at least if you are running Apache httpd. First off, install Apache httpd, SSL support and the acme script itself:

Code:
```
# dnf install httpd mod_ssl acme-tiny
```

Let's assume that the Apache server is already serving some files and is available on the desired domain via HTTP (not HTTPS yet):

Code:
```
# systemctl enable --now httpd
```

We are almost there, trust me. Generate a new certificate request. The OpenSSL tool will ask several questions like name, organization and this stuff. Make sure that the Common Name (CN) is correct.

Code:
```
# cd /etc/pki/tls
```

The next step is the actual communication with the authority, putting the challenge hash into

Code:
```
/var/www/challenges
```

Code:
```
# systemctl start acme-tiny
```

See the system journal for any errors. If you encounter one, just start the script manually but make sure to use the acme user account, not root:

Code:
```
# su acme -s /bin/bash
```

And that's really all! You should have your certificate signed by letsencrypt now. Configure the desired software to use the new certificate and the key from the following paths:

Code:
```
# find /var/lib/acme /etc/pki/tls/private
```

For example, I want to actually configure the Apache httpd itself:

Code:
```
# grep zapletalovi /etc/httpd/conf.d/ssl.conf
```

If you are like me and running under SELinux enforcing, make sure that the newly generated certificates have the proper label:

Code:
```
# semanage fcontext -a -f a -t cert_t '/var/lib/acme/certs(/.*)?'
```

The final and the most important step - enable the systemd timer which will automatically extend the certificate for you:

Code:
```
# systemctl enable --now acme-tiny.timer
```

That was easy.
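
A post-renewal check for the setup described in the post, added here as an example and not part of the original post or of acme-tiny: it confirms that a certificate matches its private key and is still valid a chosen number of days from now, which catches a renewal timer that has silently stopped working. The function names, the 14-day default threshold and the constructed `example.test` sample pair are assumptions; pass your own certificate and key paths.

```bash
#!/bin/bash
# Added example: sanity check for a certificate renewed by a timer.
# Paths are supplied by the caller; none are taken from the post.

# cert_matches_key CERT KEY -> 0 if the certificate's public key is the one
# derived from the private key; 1 on mismatch; 2 if either file is unreadable.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS -> 0 if the certificate is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_cert CERT KEY [DAYS] -> prints a verdict and returns
#   0 ok, 1 expiring or expired, 2 unreadable file, 3 key mismatch.
# The 14-day default is an arbitrary threshold chosen for this example.
check_cert() {
    local cert=$1 key=$2 days=${3:-14} rc=0
    cert_matches_key "$cert" "$key" || rc=$?
    case $rc in
        1) echo "MISMATCH: $cert does not belong to $key"; return 3 ;;
        2) echo "ERROR: cannot parse $cert or $key"; return 2 ;;
    esac
    if ! cert_valid_for "$cert" "$days"; then
        echo "EXPIRING: $cert has fewer than $days days left; check acme-tiny.timer"
        return 1
    fi
    echo "OK: $cert matches its key and is valid for more than $days days"
}

# make_sample CERTOUT KEYOUT DAYS: constructed self-signed pair for trying the
# checks offline (a stand-in for a real Let's Encrypt certificate).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=example.test" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Usage: ./check-cert.sh CERT KEY [DAYS]
if [ "$#" -ge 2 ]; then check_cert "$@"; fi
```

Run it as root against the certificate and key that `ssl.conf` points at, since the private key is normally not readable by other users.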