Create: Let's Encrypt certificate + httpd + Rocky Linux 9

I would like to ask for a little help on creating a certificate on a Rocky Linux 9 + Let's Encrypt server.

I installed httpd (Apache), I have access via ssh as root, firewalld is enabled with ports 80 and 443 open, and I already have a Let's Encrypt certificate, but I can't find what's missing for the certificate to be fixed to my URL.

command:
certbot certificates
Expiry Date: 2024-12-22 13:17:24+00:00 (VALID: 89 days)

certbot plugins

Saving debug log to /var/log/letsencrypt/letsencrypt.log


  • standalone
    Description: Runs an HTTP server locally which serves the necessary validation
    files under the /.well-known/acme-challenge/ request path. Suitable if there is
    no HTTP server already running. HTTP challenge only (wildcards not supported).
    Interfaces: Authenticator, Plugin
    Entry point: EntryPoint(name='standalone',
    value='certbot._internal.plugins.standalone:Authenticator',
    group='certbot.plugins')

  • webroot
    Description: Saves the necessary validation files to a
    .well-known/acme-challenge/ directory within the nominated webroot path. A
    seperate HTTP server must be running and serving files from the webroot path.
    HTTP challenge only (wildcards not supported).
    Interfaces: Authenticator, Plugin
    Entry point: EntryPoint(name='webroot',
    value='certbot._internal.plugins.webroot:Authenticator',
    group='certbot.plugins')


standalone, webroot.
Shouldn't there be apache too?

service httpd status
Server configured, listening on: port 443, port 80

If you need any information, I am at your disposal.

The worst part is that I don't know what could be the reason why the Let's Encrypt certificate is not being accepted. I looked at some tutorials and it is very simple to create the certificate, at least it should be. lol

Hi @etpi

Have you looked here? This procedure should work for RL 8 or 9.

I think what you may be missing is the additions of the cert to your httpd.conf file, which is documented in this procedure.

Thanks,
Steve

I had done it through a link, but it still doesn't get the Let's Encrypt certificate: it says "certificate is not valid", and it is valid for 1 year. lol
I was even in doubt about how I did it. lol
I'm going to remove it and generate a new one.


certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


  • Processing /etc/letsencrypt/renewal/bacana.etpi.com.br.conf

  • Simulating renewal of an existing certificate for bacana.etpi.com.br

  • Congratulations, all simulated renewals succeeded: /etc/letsencrypt/live/bacana.etpi.com.br/fullchain.pem (success)


should I generate a certificate using:

sudo certbot certonly --standalone -d bacana.etpi.com.br

or

sudo certbot certonly --apache -d bacana.etpi.com.br

First, a “standalone” certificate is often for a server with no web access. It creates a temporary server to validate the certificate and once validated, it is finished with the web server it creates until a renewal. A mail server would be an example of a server that would not normally need or run port 80, but might need an SSL (would these days).

If you are running a web server on “bacana.etpi.com.br” then “standalone” is not what you want. You would want the --apache certificate. You aren’t providing your host configuration, however, so how are you implementing the certificate within your httpd.conf file? I’m specifically asking about these lines from the documentation document I pointed you to:

SSLCertificateFile /etc/letsencrypt/live/your-server-hostname/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your-server-hostname/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/your-server-hostname/fullchain.pem

I generated the certificate with --apache and placed the generated certificates on my virtualhost bacana.etpi.com.br.conf (sites-available)

virtualhost:
/etc/letsencrypt/live/bacana.etpi.com.br/fullchain.pem
/etc/letsencrypt/live/bacana.etpi.com.br/privkey.pem

and even so, the certificate you generated is valid for 1 year.

However, there must be something missing in the configuration that I can't find. Could it be that something is missing in httpd.conf?

Do you have any tips or files?

You have to have the fullchain.pem on both the SSLCertificateFile line AND the SSLCertificateChainFile line. It isn’t apparent from what you posted, which you are applying the fullchain.pem to, but it needs to be BOTH of those lines.

virtualhost (bacana.etpi.com.br.conf)

    SSLCertificateFile /etc/letsencrypt/live/bacana.etpi.com.br/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bacana.etpi.com.br/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/bacana.etpi.com.br/fullchain.pem

it even generated a new certificate within my virtualhost (bacana.etpi.com.br.conf) like the lines:

#SSLCertificateFile /etc/letsencrypt/live/bacana.etpi.com.br/fullchain.pem

#SSLCertificateKeyFile /etc/letsencrypt/live/bacana.etpi.com.br/privkey.pem

@etpi Thank you for including this additional information. I don’t believe the error has anything to do with your certificate. I’d take a look at file permissions in your Document root to start. I’m assuming that your webserver runs under the user and group of apache. Verify that and then verify the owner and permissions of the files in your Document root. I think you’ve been generating a good certificate every time.

To help determine the problem, take a look at the access.log and error.log for httpd:

/var/log/httpd/error.log
/var/log/httpd/access.log

You may have a log configured for your virtualhost. Do you have something like this in your virtualhost configuration:

CustomLog "/var/log/httpd/com.yourdomain.www-access_log" combined
ErrorLog  "/var/log/httpd/com.yourdomain.www-error_log"

If so, check those logs as well.
Hopefully, this will give you some clues.

Steve
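Before digging into permissions, it is worth confirming which certificate Apache is actually handing out for the name, since a "valid for 1 year" certificate cannot be the 90-day Let's Encrypt one and usually means another vhost (or the default ssl.conf one) is answering. The following script is an added example, not code from the thread or from certbot; it assumes openssl is installed and certbot's usual /etc/letsencrypt/live layout, and the hostname and paths are the ones from this thread.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: compare the certificate Apache actually
# serves for a hostname with the Let's Encrypt fullchain.pem on disk.
# Assumes openssl is installed and certbot's /etc/letsencrypt/live layout.

# SHA-256 fingerprint (64 hex chars, no colons) of the first cert in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g'
}

# Fingerprint of the leaf certificate a TLS server returns for the given SNI
# name. Without -servername you may get the default vhost's certificate,
# which is exactly the mix-up this check is meant to expose.
served_fingerprint() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g'
}

# True when both fingerprints are present and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Report whether the live site presents the certificate stored in $pem.
check_served_cert() {
    local host="$1" pem="${2:-/etc/letsencrypt/live/$1/fullchain.pem}"
    local on_disk served
    [ -r "$pem" ] || { echo "cannot read $pem"; return 2; }
    on_disk=$(cert_fingerprint "$pem")
    served=$(served_fingerprint "$host")
    if fingerprints_match "$on_disk" "$served"; then
        echo "OK: $host serves $pem"
        return 0
    fi
    echo "MISMATCH: $host serves ${served:-no certificate}, $pem is $on_disk"
    echo "What the server really sent (subject, issuer and validity):"
    openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
    echo "Then list which vhost owns port 443: httpd -t -D DUMP_VHOSTS"
    return 1
}

# Usage against a real host (needs network access to it):
#   check_served_cert bacana.etpi.com.br
```

If the issuer printed on a mismatch is not Let's Encrypt, the vhost holding the SSLCertificateFile lines is not the one answering for that ServerName; `httpd -t -D DUMP_VHOSTS` shows the order in which the port 443 vhosts are matched.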

Yesterday I managed to locate my error. lol
I regenerated the OpenSSL certificate:
openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 730 -out /etc/pki/tls/certs/httpd.crt

After doing this, it picked up the lets encrypt certificate again.

However, when I tried to generate a new certificate for a new environment, it reports a new certificate error. In fact, I'm changing the server environment (website) and I'm generating the Let's Encrypt certificate on it, but it gives the following error:

sudo certbot --apache -d demo.topa.webgestio.com.br and sudo certbot certonly --apache -d demo.topa.webgestio.com.br

Now I’m trying to understand the reason for the error. I changed the IP environment and ran the certificate, it should work, right? lol

The error message says it needs to access the listed URL from the internet. It seems that certbot receives 403 Forbidden from the said address.
It means that either the user apache running your webserver is not allowed to access the file, so check file permissions.
The other reason could be you made this directory inaccessible in your httpd config file for this vhost.
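The 403 on /.well-known/acme-challenge/ can be reproduced before running certbot by dropping a test token where the webroot plugin would and checking the same things the ACME server and httpd will: that every directory on the path is searchable and the file readable by the apache user, that the SELinux label is one httpd may read, and that the token comes back over plain HTTP. The script below is an added example and not from the thread; it assumes the DocumentRoot is passed in, that certbot's files are owned by root (so apache falls under "other"), and that GNU stat, curl and optionally the SELinux tools are installed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight the HTTP-01 challenge path.
# Assumes GNU stat and curl; SELinux tools are used only when present.

# Create a throwaway token under .well-known/acme-challenge, with the same
# world-readable permissions certbot's webroot plugin uses, and print its path.
place_test_token() {
    local docroot="$1" token="${2:-preflight-$$}"
    local dir="$docroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    chmod 755 "$docroot/.well-known" "$dir"
    printf 'preflight-ok\n' > "$dir/$token" || return 1
    chmod 644 "$dir/$token"
    echo "$dir/$token"
}

# Walk from the token up to the DocumentRoot and stop at the first component
# that "other" cannot use: directories need the execute bit to be traversed,
# the file needs the read bit. Assumes root-owned files (certbot's default).
check_path_readable() {
    local path="$1" stop="$2" mode other
    while :; do
        mode=$(stat -c %a "$path") || return 1
        other="${mode#"${mode%?}"}"          # last octal digit = "other" bits
        if [ -d "$path" ]; then
            case "$other" in
                1|3|5|7) ;;
                *) echo "DIR  $path mode $mode: 'other' cannot traverse it"; return 1 ;;
            esac
        else
            case "$other" in
                4|5|6|7) ;;
                *) echo "FILE $path mode $mode: 'other' cannot read it"; return 1 ;;
            esac
        fi
        [ "$path" = "$stop" ] && return 0
        path=$(dirname "$path")
        [ "$path" = "/" ] && return 0
    done
}

# Show the SELinux label of the challenge directory. httpd may read
# httpd_sys_content_t; a tree copied from /root or /home usually carries a
# different type and needs relabelling rather than setenforce 0.
check_selinux_label() {
    command -v getenforce >/dev/null 2>&1 || { echo "SELinux tools not present, skipping"; return 0; }
    echo "SELinux mode: $(getenforce)"
    ls -Zd "$1"
    echo "If the type is not httpd_sys_content_t, run: restorecon -Rv $(dirname "$1")"
    echo "Denials, if any: ausearch -m AVC -ts recent"
}

# Fetch the token over plain HTTP exactly as the ACME validation server does.
fetch_token() {
    local host="$1" token="$2"
    curl -fsS "http://$host/.well-known/acme-challenge/$token"
}

# Full run against a live server (needs the real DocumentRoot and hostname):
#   t=$(place_test_token /var/www/html preflight-1)
#   check_path_readable "$t" /var/www/html && check_selinux_label "$t"
#   fetch_token demo.topa.webgestio.com.br preflight-1
```

If check_path_readable passes but fetch_token still gets a 403, the block is coming from the vhost configuration itself (a `Require all denied` or `<Directory>` block covering the DocumentRoot, or a rewrite rule that catches /.well-known), and the error_log line for that request names the directive responsible.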

This is incorrect. The SSLCertificateChainFile directive is obsolete as of apache version 2.4.8 and should not be used. See mod_ssl - Apache HTTP Server Version 2.4


@pajamian Thank you for correcting me!

Apache itself now has support for Let’s Encrypt via the mod_md module. Here’s an old blog post from Red Hat using Red Hat 7 that used this feature using Software Collections, however it’s now part of the standard distribution so you’ll just need to run: yum install mod_md to install it first. Ignore any references to httpd24 in the article:


I do it this way, in the Apache config:

<VirtualHost *:443>
    ServerAdmin admin@my.domain.com
    DocumentRoot /path/my.domain.com
    ServerName my.domain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/my.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.com/privkey.pem
    ErrorLog /var/log/my_domain_com_error_log
    CustomLog /var/log/my_domain_com_access_log common
</VirtualHost>

and to renew the certificate I use this script.
You do not need the iptables command if you already have port 80 opened.

# stop Apache so certbot's temporary server can bind port 80
systemctl stop httpd
# open port 80 for the duration of the validation
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# put SELinux in permissive mode while certbot runs
setenforce 0
certbot certonly --standalone -d my.domain.com
# back to enforcing mode
setenforce 1
# remove the iptables rule inserted above (it is rule 1 in INPUT)
iptables -D INPUT 1
systemctl start httpd

Or SELinux is blocking access… I would try with setenforce 0 to see if that works, and if everything is good then work out the necessary rules to let this work with SELinux enabled.
