Introduction
This guide covers the steps to obtain and install an SSL certificate on Fedora 40 using the 5W1H approach. We will explore the What, Who, Where, When, Why, How, Consequences, and Conclusion of getting an SSL certificate.
Overview
What
An SSL certificate (strictly an X.509 certificate used by TLS; SSL is the deprecated predecessor protocol, but the name has stuck) is a digital certificate that binds a public key to a server's DNS name. A client that trusts the issuing certificate authority can authenticate the server and negotiate an encrypted, integrity-protected connection with it, so data in transit cannot be read or altered.
Who
This guide is intended for system administrators and IT professionals responsible for securing web servers and ensuring secure communication between users and the website hosted on Fedora 40.
Where
The setup process can be carried out on any server running Fedora 40, where secure connections and data encryption are required.
When
Obtain and install the certificate before the website goes to production, so that every exchange is protected from the first request, and plan renewal from the start: Let's Encrypt certificates expire after 90 days.
Why
Implementing an SSL certificate on your server has the following trade-offs:

Pros | Cons |
---|---|
Encrypts traffic between clients and the server and lets clients verify the server's identity | Cost when buying from a commercial CA (Let's Encrypt, used below, issues free of charge) |
Boosts trust and credibility with users | Setup and renewal add operational work; renewal must be automated and monitored |
Improves SEO rankings | Some CPU cost for TLS handshakes and record encryption, usually negligible on current hardware |
How
Follow these steps to obtain and install an SSL certificate on Fedora 40:

Step | Action |
---|---|
1 | Update your system: sudo dnf update -y |
2 | Install Certbot and its Apache plugin: sudo dnf install -y certbot python3-certbot-apache |
3 | Obtain a certificate from Let's Encrypt and let the plugin configure httpd: sudo certbot --apache, then follow the prompts (e-mail address, terms of service, domain names). |
4 | Verify the installation by opening https://your_domain in a browser and checking that no certificate warning appears, or from a shell with openssl s_client -connect your_domain:443 -servername your_domain |
5 | Enable automatic renewal (the unit is a systemd timer, not a plain service): sudo systemctl enable --now certbot-renew.timer |
Consequences
Obtaining and installing an SSL certificate on Fedora 40 has the following consequences:

Positive | Negative |
---|---|
Traffic between clients and the server is encrypted and the server's identity can be verified | The certificate expires after 90 days, so renewal must be automated and monitored |
Users and search engines treat the site as trustworthy | An expired or misconfigured certificate makes browsers show a full-page warning instead of the site |
Conclusion
Setting up an SSL certificate on Fedora 40 is crucial for ensuring secure and encrypted communication between your server and clients. While the initial setup can be complex and requires ongoing management, the benefits of enhanced security, improved user trust, and better SEO rankings make it a vital step for any website. By following this guide, system administrators can successfully implement SSL certificates, ensuring their web services are secure and trustworthy.
Get SSL Certificate (Let's Encrypt)
Get SSL certificates from Let's Encrypt, which issues certificates free of charge through the ACME protocol. Refer to the official site for details. ⇒ https://letsencrypt.org/ Each certificate is valid for 90 days. The Certbot package ships a systemd timer that checks and renews certificates, so once that timer is enabled (step [5]) there is no manual renewal to do.
Step [1] Install the Certbot client, the tool that requests certificates from Let's Encrypt.
[root@dlp ~]# dnf -y install certbot
Step [2] Get certificates with the webroot method. A web server such as Apache httpd or Nginx must already be running on the server you work on and serving the document root you pass with [-w], because Let's Encrypt validates each name by fetching http://(FQDN)/.well-known/acme-challenge/(token) over port 80 from the Internet (the HTTP-01 challenge). The FQDN must therefore resolve in public DNS to this server, and port 80 must be reachable from outside. If no web server is running, skip this section and refer to section [3].
# for the option [--webroot], Certbot writes the challenge file under the document root you give with [-w]
# -w [document root] -d [FQDN you'd like to get certs for]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# to get one cert covering more than one FQDN, repeat [-d] for each name
# ex : for [bizantum.lab] and [www.bizantum.lab]
# ⇒ [-d bizantum.lab -d www.bizantum.lab]
[root@dlp ~]# certbot certonly --webroot -w /var/www/html -d dns.bizantum.lab
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
# on first use only: register an e-mail address (renewal and security notices are sent there) and accept the terms of service
# specify a valid, monitored email address
(Enter 'c' to cancel): root@mail.bizantum.lab
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# agree to the terms of service (required to register an account)
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# optional: sharing your address with the EFF has no effect on issuance
(Y)es/(N)o: N
Account registered.
Requesting a certificate for dns.bizantum.lab
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/dns.bizantum.lab/fullchain.pem
Key is saved at: /etc/letsencrypt/live/dns.bizantum.lab/privkey.pem
This certificate expires on 2024-07-24.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# success if [Successfully received certificate] is shown
# certs are created under the [/etc/letsencrypt/live/(FQDN)/] directory; the files there are symlinks
# to the newest version under [/etc/letsencrypt/archive/(FQDN)/], so point your web server at the
# live/ paths and renewals are picked up without any config change
# cert.pem ⇒ the server (end-entity) certificate, which carries the public key
# chain.pem ⇒ the intermediate CA certificate(s) between your cert and the root
# fullchain.pem ⇒ cert.pem followed by chain.pem; this is the file to configure as the server certificate
# privkey.pem ⇒ the private key; keep it readable by root only (mode 0600) and never copy it off the host unencrypted
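As an added example (not from the original page and not Certbot's own tooling), the following bash script checks a lineage directory the way a practitioner would before pointing httpd at it: the private key matches cert.pem, fullchain.pem really is cert.pem followed by chain.pem, every name you intend to serve is in the subjectAltName list, the certificate is not already inside the 30-day renewal window, and privkey.pem is not readable by others. make_fixture builds a constructed stand-in for /etc/letsencrypt/live/(FQDN)/ with a throwaway CA so the checks can be exercised offline; the domain names are the page's examples. The same script covers the verification step of the How table in the introduction.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: sanity-check a Certbot lineage
# directory (/etc/letsencrypt/live/<FQDN>/) before a web server uses it.
set -euo pipefail

RENEW_WINDOW_DAYS=30   # Certbot's own default renewal window

# check_lineage <dir> [expected FQDN ...]
# Prints one line per check and returns 0 only if every check passed.
check_lineage() {
  local dir=$1; shift
  local cert=$dir/cert.pem chain=$dir/chain.pem full=$dir/fullchain.pem key=$dir/privkey.pem
  local rc=0

  # 1. privkey.pem must be the key for cert.pem: compare the derived public keys
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "ok   private key matches cert.pem"
  else
    echo "FAIL private key does not match cert.pem"; rc=1
  fi

  # 2. fullchain.pem is what the server sends: its first certificate must be
  #    cert.pem and it must contain cert.pem plus every intermediate in chain.pem
  local n_full n_parts
  n_full=$(grep -c 'BEGIN CERTIFICATE' "$full" || true)
  n_parts=$(( $(grep -c 'BEGIN CERTIFICATE' "$cert" || true) + $(grep -c 'BEGIN CERTIFICATE' "$chain" || true) ))
  if [ "$(openssl x509 -in "$full" -noout -fingerprint -sha256)" = \
       "$(openssl x509 -in "$cert" -noout -fingerprint -sha256)" ] && [ "$n_full" -eq "$n_parts" ]; then
    echo "ok   fullchain.pem = cert.pem + chain.pem ($n_full certificates)"
  else
    echo "FAIL fullchain.pem does not match cert.pem + chain.pem"; rc=1
  fi

  # 3. every name you serve must be in the subjectAltName list; browsers ignore
  #    the CN, so a name missing here is a certificate error for that host
  local sans name
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true)
  for name in "$@"; do
    if printf '%s\n' "$sans" | grep -qx "$name"; then
      echo "ok   SAN covers $name"
    else
      echo "FAIL SAN list does not include $name"; rc=1
    fi
  done

  # 4. -checkend exits non-zero if the certificate expires within N seconds
  if openssl x509 -in "$cert" -noout -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null; then
    echo "ok   valid for more than $RENEW_WINDOW_DAYS days ($(openssl x509 -in "$cert" -noout -enddate))"
  else
    echo "FAIL expires within $RENEW_WINDOW_DAYS days: run 'certbot renew'"; rc=1
  fi

  # 5. the private key must not be group- or world-readable
  #    (-L follows the live/ -> archive/ symlink Certbot uses)
  local mode; mode=$(stat -L -c '%a' "$key")
  if [ $(( 8#$mode & 8#077 )) -eq 0 ]; then
    echo "ok   privkey.pem mode $mode"
  else
    echo "FAIL privkey.pem mode $mode is readable by others"; rc=1
  fi
  return $rc
}

# make_fixture <dir> <fqdn...>: constructed test data only. Builds a lineage
# directory signed by a throwaway CA so check_lineage can run offline.
make_fixture() {
  local dir=$1; shift
  local san; san=$(printf 'DNS:%s,' "$@"); san=${san%,}
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Constructed Test CA' \
    -keyout "$dir/ca.key" -out "$dir/chain.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$san" > "$dir/san.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/san.ext" -out "$dir/cert.pem" 2>/dev/null
  cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
  chmod 600 "$dir/privkey.pem"
}

# usage on a real host (as root):
#   check_lineage /etc/letsencrypt/live/dns.bizantum.lab dns.bizantum.lab
```

Run it as root against the live/ directory after every issuance and, because the files are replaced on renewal, from monitoring as well; a non-zero exit is the signal to look before clients start seeing errors.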
Step [3] If no web server is running on your working server, Certbot can answer the challenge with its own temporary web server ([--standalone]). It binds port 80 itself, so nothing else may be listening there while it runs, and port 80 must still be reachable from the Internet (open it in firewalld first if the host has a firewall) because Let's Encrypt verifies the name the same way as in [2].
# for the option [--standalone], Certbot serves the challenge itself on port 80
# -d [FQDN you'd like to get certs for]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# to get one cert covering more than one FQDN, repeat [-d] for each name
# ex : for [bizantum.lab] and [www.bizantum.lab] ⇒ specify [-d bizantum.lab -d www.bizantum.lab]
[root@dlp ~]# certbot certonly --standalone -d rx-9.bizantum.lab
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for rx-9.bizantum.lab
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/rx-9.bizantum.lab/fullchain.pem
Key is saved at: /etc/letsencrypt/live/rx-9.bizantum.lab/privkey.pem
This certificate expires on 2024-07-24.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
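As an added example that is not part of the page and not Certbot's own code, here is a bash wrapper for steps [2] and [3] (and step 3 of the How table in the introduction) that goes a little beyond the commands shown: it builds the certbot argument list for any number of names, stages a test token under the webroot and fetches it over plain HTTP the way the CA will, and runs the request against the Let's Encrypt staging environment (--dry-run) before the real one, so a misconfiguration does not count against production rate limits. The e-mail address, webroot and domain names are assumed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): rate-limit-safe issuance.
# Stage a token under the webroot and confirm it is fetchable, run Certbot
# against the staging CA (--dry-run), then request the real certificate.
set -euo pipefail

ACME_DIR=".well-known/acme-challenge"

# build_certbot_args <webroot|standalone> <document-root or -> <fqdn...>
# Prints the certbot argument list. Every FQDN becomes its own -d, so one
# certificate covers all of them (Let's Encrypt puts them in the SAN list).
build_certbot_args() {
  local mode=$1 webroot=$2; shift 2
  local args="certonly --non-interactive --agree-tos --no-eff-email"
  case $mode in
    webroot)    args="$args --webroot -w $webroot" ;;
    standalone) args="$args --standalone" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  local d
  for d in "$@"; do args="$args -d $d"; done
  printf '%s\n' "$args"
}

# preflight_webroot <document-root>: the CA will GET
# http://<fqdn>/.well-known/acme-challenge/<token>, so Certbot must be able to
# write under that path and the web server must serve it as a plain file.
# Creates a random token file there and prints the token.
preflight_webroot() {
  local webroot=$1 token
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$webroot/$ACME_DIR"
  printf 'preflight %s\n' "$token" > "$webroot/$ACME_DIR/$token"
  chmod 644 "$webroot/$ACME_DIR/$token"   # the web server runs as another user
  [ -r "$webroot/$ACME_DIR/$token" ] || { echo "token not readable" >&2; return 1; }
  printf '%s\n' "$token"
}

# probe_token <fqdn> <token>: fetch the staged token over plain HTTP (port 80),
# the same request the CA makes; ideally run this from outside your network.
probe_token() {
  curl -fsS --max-time 10 "http://$1/$ACME_DIR/$2" | grep -q "$2"
}

# issue <webroot|standalone> <document-root or -> <email> <fqdn...>
issue() {
  local mode=$1 webroot=$2 email=$3; shift 3
  local args; args=$(build_certbot_args "$mode" "$webroot" "$@")
  if [ "$mode" = webroot ]; then
    local token; token=$(preflight_webroot "$webroot")
    probe_token "$1" "$token"
    rm -f "$webroot/$ACME_DIR/$token"
  fi
  # $args is deliberately unquoted: it is a word list built above
  # staging first: failures here do not count against production rate limits
  certbot $args -m "$email" --dry-run
  certbot $args -m "$email"
}

# usage, as root on the host the names resolve to (assumed values):
#   issue webroot /var/www/html root@mail.bizantum.lab bizantum.lab www.bizantum.lab
#   issue standalone - root@mail.bizantum.lab rx-9.bizantum.lab
```

The probe only proves reachability from wherever you run it; the CA validates from several vantage points on the Internet, which is why a dry run against staging is still worth doing before the real request.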
Step [4] To renew existing certificates manually, do as follows.
# renews every cert that is within 30 days of expiry and leaves the others untouched
# to renew a cert with more than 30 days left, add [--force-renewal]; use it sparingly, Let's Encrypt rate-limits duplicate certificates
# to test the whole renewal path against the staging CA without issuing anything, add [--dry-run]
[root@dlp ~]# certbot renew
Step [5] To renew existing certificates automatically, enable the systemd timer that is included in the Certbot package. It runs certbot-renew.service twice a day at a random offset; the run does nothing until a certificate is within 30 days of expiry.
# Systemd Timer is included (OnCalendar fires at 00:00 and 12:00, RandomizedDelaySec spreads the load)
[root@dlp ~]# systemctl cat certbot-renew.timer
# /usr/lib/systemd/system/certbot-renew.timer
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
[root@dlp ~]# systemctl enable --now certbot-renew.timer
[root@dlp ~]# systemctl list-timers certbot-renew.timer
NEXT LEFT LAST PASSED UNIT ACTIVATES >
Fri 2024-04-26 07:43:59 JST 17h - - certbot-renew.timer certbot-renew.>
1 timers listed.
Pass --all to see loaded but inactive timers, too.
# pre or post commands can be passed to the renewal run; the values are appended to [certbot renew] as options
[root@dlp ~]# vi /etc/sysconfig/certbot
# line 17 : pre-hook, run before a renewal is attempted
# An example to stop the MTA before updating certs would be
# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
PRE_HOOK=""
# line 29 : post-hook, run after a renewal was attempted
# An example to restart httpd would be (a reload is enough for httpd and keeps open connections):
# POST_HOOK="--post-hook 'systemctl restart httpd'"
POST_HOOK=""
# to run a command only for certificates that were actually renewed, put an executable script
# under /etc/letsencrypt/renewal-hooks/deploy/ instead; Certbot runs it once per renewed certificate
Step [6] To use the certificate on Windows (for example IIS), convert it to PKCS#12 (PFX) format as follows. Run the command inside /etc/letsencrypt/live/(FQDN)/ or give the full paths. The PFX contains the private key, so set a strong export password, keep the file readable by root only and transfer it over an encrypted channel. OpenSSL 3 encrypts the bundle with AES-256 and PBKDF2 by default; if an older Windows release refuses to import it, add [-legacy] to the command.
[root@dlp ~]# openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out dlp_for_iis.pfx
Enter Export Password: # set a strong export password
Verifying - Enter Export Password:
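The two recurring tasks above, re-exporting the PFX and reloading httpd, belong in a deploy hook rather than a POST_HOOK, because Certbot runs deploy hooks only for certificates that were actually renewed and passes the lineage directory in RENEWED_LINEAGE and the names in RENEWED_DOMAINS. The following bash script is an added example, not Certbot's own code: installed as an executable under /etc/letsencrypt/renewal-hooks/deploy/, it regenerates the PKCS#12 bundle with the export password read from a root-only file (so no password prompt can block the timer), confirms the bundle carries the renewed certificate, and reloads httpd. PFX_DIR, PFX_PASS_FILE and RELOAD_UNITS are assumed paths and names.

```shell
#!/usr/bin/env bash
# Added example, not Certbot's own code: deploy hook for
# /etc/letsencrypt/renewal-hooks/deploy/. Certbot runs it once per renewed
# lineage with RENEWED_LINEAGE and RENEWED_DOMAINS set in the environment.
set -euo pipefail

PFX_DIR=${PFX_DIR:-/var/lib/certbot-export}                    # assumed path
PFX_PASS_FILE=${PFX_PASS_FILE:-/etc/letsencrypt/pfx-export.pass} # assumed; one line, mode 0600
RELOAD_UNITS=${RELOAD_UNITS:-httpd}                             # assumed unit list

# export_pfx <lineage_dir> <out.pfx> <passfile>: fullchain + key -> PKCS#12,
# created 0600 so the export password is not the only thing protecting the key.
export_pfx() {
  local lineage=$1 out=$2 passfile=$3
  ( umask 077
    openssl pkcs12 -export -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
      -name "$(basename "$lineage")" -passout "file:$passfile" -out "$out" )
}

# pfx_leaf_fingerprint <pfx> <passfile>: SHA-256 fingerprint of the end-entity
# certificate inside the bundle, to prove it is the renewed cert, not a stale one.
pfx_leaf_fingerprint() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# cert_fingerprint <cert.pem>
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# deploy_lineage <lineage_dir> <outdir> <passfile>: writes <outdir>/<name>.pfx,
# verifies it against cert.pem and prints its path; returns 1 on mismatch.
deploy_lineage() {
  local lineage=$1 outdir=$2 passfile=$3
  local out=$outdir/$(basename "$lineage").pfx
  mkdir -p "$outdir" && chmod 700 "$outdir"
  export_pfx "$lineage" "$out" "$passfile"
  [ "$(pfx_leaf_fingerprint "$out" "$passfile")" = "$(cert_fingerprint "$lineage/cert.pem")" ] \
    || { echo "PFX does not contain the renewed certificate" >&2; return 1; }
  printf '%s\n' "$out"
}

# Entry point when Certbot runs this file; sourcing it elsewhere does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  pfx=$(deploy_lineage "$RENEWED_LINEAGE" "$PFX_DIR" "$PFX_PASS_FILE")
  logger -t certbot-deploy "renewed ${RENEWED_DOMAINS:-?}: exported $pfx"
  # reload rather than restart: httpd re-reads the live/ files without dropping connections
  for unit in $RELOAD_UNITS; do systemctl reload "$unit"; done
fi
```

Copying the PFX to the Windows host is deliberately left out; do it from the hook only over an authenticated channel, and never leave the export password in the script itself.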