[HOWTO] Use free SSL-certificates (like Let's Encrypt) with Katello/Foreman on RL8

Hi,

installing Katello/Foreman on RL8 is really super-easy now.

I followed Installing Foreman 3.3 Server with Katello 4.5 Plugin on RHEL/CentOS for running on EL8 and it worked out of the box.

This is a short description on how to use acme.sh to install Let’s Encrypt or other free SSL-certificates on your management-server.

Install acme.sh certificates into Katello/Foreman on EL8

1, Download and install acme.sh from GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

# dnf install -y socat

Reload the shell or logout/login again to activate the acme.sh paths.

2, Issue certificate
# acme.sh --issue -d <FQDN> -w /var/lib/foreman/public/

3, Install the certificate to usable directories and set acme.sh to reload Apache after renewal

# acme.sh --install-cert -d <FQDN> \
	--cert-file /etc/pki/katello/certs/<FQDN>-cert.pem \
	--fullchain-file /etc/pki/katello/certs/<FQDN>-fullchain.pem \
	--key-file /etc/pki/katello/private/<FQDN>-key.pem \
	--reloadcmd "systemctl restart httpd"

4, Configure Katello to use the new certificates

# foreman-installer --scenario katello \
	--foreman-server-ssl-cert /etc/pki/katello/certs/<FQDN>-cert.pem \
	--foreman-server-ssl-chain /etc/pki/katello/certs/<FQDN>-fullchain.pem \
	--foreman-server-ssl-key /etc/pki/katello/private/<FQDN>-key.pem \
	--certs-update-server \
	--certs-update-server-ca

5, You have finished this task!!!

1 Like
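Before running step 4 it is worth confirming that the three files written in step 3 actually belong together, because a key/certificate mismatch only surfaces as httpd refusing to start, and a world-readable private key under /etc/pki/katello/private is the kind of thing nobody notices until much later. The check below is an added example, not part of Rickard's post or of acme.sh; it relies only on the openssl command-line tool, takes the three paths from step 3 as arguments, and the optional CA_FILE argument is an assumption for private CAs (Let's Encrypt chains verify against the system trust store without it).

```shell
#!/bin/sh
# Added example (not from the post or acme.sh): sanity-check the three files
# written by "acme.sh --install-cert" before handing them to foreman-installer.
# Usage: check_cert_bundle CERT FULLCHAIN KEY [MIN_DAYS] [CA_FILE]
#   MIN_DAYS  fail if the certificate expires within this many days (default 30)
#   CA_FILE   optional trust anchor for a private CA; otherwise the system
#             trust store is used, which is what Let's Encrypt chains need.
# Prints one line per finding on stderr; returns 0 only if every check passes.
check_cert_bundle() {
    local cert="$1" fullchain="$2" key="$3" min_days="${4:-30}" ca_file="$5"
    local status=0 rc=0 f cert_pub key_pub cert_fp leaf_fp

    for f in "$cert" "$fullchain" "$key"; do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f is not readable" >&2
            return 1
        fi
    done

    # 1. Key/cert pairing: compare the public key inside the certificate with
    #    the one derived from the private key (works for RSA and EC alike).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key is not the private key for $cert" >&2
        status=1
    fi

    # 2. The fullchain file must start with the very same leaf certificate;
    #    "openssl x509" reads only the first PEM block of its input.
    cert_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null)
    leaf_fp=$(openssl x509 -in "$fullchain" -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$cert_fp" ] || [ "$cert_fp" != "$leaf_fp" ]; then
        echo "CHAIN: first certificate in $fullchain is not $cert" >&2
        status=1
    fi

    # 3. The leaf must verify up to a trusted root, with the intermediates in
    #    the fullchain file treated as untrusted (so they must chain properly).
    if [ -n "$ca_file" ]; then
        openssl verify -CAfile "$ca_file" -untrusted "$fullchain" "$cert" >/dev/null 2>&1 || rc=$?
    else
        openssl verify -untrusted "$fullchain" "$cert" >/dev/null 2>&1 || rc=$?
    fi
    if [ "$rc" -ne 0 ]; then
        echo "VERIFY: $cert does not chain to a trusted root" >&2
        status=1
    fi

    # 4. Remaining lifetime: -checkend returns non-zero if the certificate
    #    expires within the given number of seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRY: $cert expires within $min_days days" >&2
        status=1
    fi

    # 5. The private key must not be world-readable (-perm -004 = "other" read bit set).
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "PERMS: $key is world-readable" >&2
        status=1
    fi

    return $status
}

# Stand-alone use: ./check_cert_bundle.sh CERT FULLCHAIN KEY [MIN_DAYS] [CA_FILE]
if [ $# -ge 3 ]; then
    check_cert_bundle "$@"
    exit $?
fi
```

With the paths from step 3 the call is `check_cert_bundle /etc/pki/katello/certs/<FQDN>-cert.pem /etc/pki/katello/certs/<FQDN>-fullchain.pem /etc/pki/katello/private/<FQDN>-key.pem`; the same call also makes a useful cron check, since the `--reloadcmd` from step 3 will happily restart httpd on a renewed certificate without anyone looking at it.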

I prefer to use the official certbot packages rather than a third-party script. The certbot + Apache certbot plugin will automatically edit the Apache configuration files as well as generate the certificate with one single command:

certbot --apache

Link: https://certbot.eff.org/

The wizard on that site will even provide you with the exact commands you need. Other alternatives are just generating a certificate and editing the Apache config files manually which is also straightforward enough.

And if you use Cloudflare like I do, then it’s even possible to generate wildcard certificates based on your Cloudflare DNS entries. I think there are other certbot plugins that also allow this.

1 Like

Absolutely, no problem, use whatever is convenient.

I use acme.sh as it is a self-contained bash-script without any funky python dependencies as I have some platforms where all those dependencies aren’t always available. :slight_smile:

I just thought it might be interesting to know how to integrate external certificates in Katello, the tool to generate the certificates is really secondary.

Regards,
Rickard

1 Like

Yeah, I use dehydrated (another pure shell implementation) to get my certs, using the DNS protocol, and then use ansible to push those certs to my websites, email servers, nntp servers, homeassistant, grafana, mqtt… I think I have something like 18 different endpoints using these certs, and not all of them are internet visible (hence using DNS).

1 Like

Yup the beauties of open source :slight_smile:

Hadn’t heard of that, will have to check it out, you made me curious :slight_smile:

+1 @ certbot

I’ve been using certbot + LetsEncrypt for a year now, things are reasonably ok.

I’ve had some annoying but minor permission issues to handle, but the overall process is reasonably clean and robust.

I think it’s worth emphasizing that a “real” (as opposed to self-signed) certificate is a necessity for pretty much anything visible on today’s web. It’s also a requirement for doing pretty much anything with auth0 or other authentication providers. I use React for my front-ends, nodejs for my middleware, and Neo4J (enterprise edition) for my database. It’s hard enough to get and keep all the https and secure connections working with real certificates – for me, it was impossible while I was attempting to use self-signed certs.

The web is chock full of “tutorials” and examples that start with self-signed certificates and lead trusting and vulnerable newcomers deep into a maze of twisty tiny passages that all look the same.

I’ve had great success by starting with LetsEncrypt and just following their straight-forward documentation.

1 Like

Hi,

I found out when testing this live that there are some more steps that need to be done.

So let’s continue from 5:

5, Update foreman-proxy

# foreman-proxy-certs-generate --foreman-proxy-fqdn <FQDN> \
	--certs-tar ~/<FQDN>-certs.tar \
	--server-cert /etc/pki/katello/certs/<FQDN>-cert.pem \
	--server-key /etc/pki/katello/private/<FQDN>-key.pem \
	--server-ca-cert /etc/pki/katello/certs/<FQDN>-fullchain.pem \
	--certs-update-server

6, Now for the tricky part, we need to replace the server_ca certificate in the consumer package.
Install the katello-ca-consumer-katello.bluapp.net-1.0-1.src.rpm with
# rpm -Uvh /var/www/html/pub/katello-ca-consumer-katello.bluapp.net-1.0-1.src.rpm

Download the server ca certificate from the server, in Firefox you can go to the server, check the certificate and there you have an option to download the server pem-file. Download it and copy the contents.

Edit the file ~/rpmbuild/SOURCES/katello-rhsm-consumer and replace the second certificate in the file, under the line:
read -r -d '' KATELLO_SERVER_CA_DATA << EOM || true

Change the directory to ~/rpmbuild/SOURCES/
Recompile the RPM with:
# rpmbuild -ba katello-ca-consumer-<FQDN>.spec --define 'name katello-ca-consumer-<FQDN>' --define 'release <RELEASE>'

Copy the generated srpm and rpm to /var/www/html/pub and update the soft-link katello-ca-consumer-latest.noarch.rpm to point to the new rpm-file.

7, Now it’s possible to download it to the newly installed host and use subscription-manager to register and dnf to access the repos.

Sorry for not being complete in the first post.

Rickard
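The manual edit in step 6 (paste a new certificate under the KATELLO_SERVER_CA_DATA line) is easy to get wrong by hand, and a mangled consumer script means every host registered afterwards distrusts the server without any obvious error at build time. The script below is an added example, not part of the post or of Katello; it assumes only what the post shows, namely the marker line `read -r -d '' KATELLO_SERVER_CA_DATA << EOM || true` followed by the PEM certificate, plus the assumption that the here-document closes on a line reading exactly `EOM`.

```shell
#!/bin/sh
# Added example (not from the post or Katello): replace the server CA block in
# katello-rhsm-consumer with a new PEM file, automating the manual edit from
# step 6. Assumed layout (from the post, plus one guess): the script contains
#     read -r -d '' KATELLO_SERVER_CA_DATA << EOM || true
# followed by the certificate, and the here-document ends on a line that
# reads exactly "EOM".
# Usage: replace_server_ca SCRIPT NEW_CA_PEM
# Rewrites SCRIPT in place, keeping SCRIPT.orig; returns 1 on any problem.
replace_server_ca() {
    local script="$1" ca_pem="$2" tmp

    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_pem" 2>/dev/null; then
        echo "ERROR: $ca_pem does not look like a PEM certificate" >&2
        return 1
    fi
    if ! grep -q 'KATELLO_SERVER_CA_DATA << EOM' "$script" 2>/dev/null; then
        echo "ERROR: marker line not found in $script" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    # Copy everything through unchanged, except that between the marker line
    # and the next "EOM" line the new certificate is emitted instead of the old.
    awk -v cafile="$ca_pem" '
        skipping && $0 == "EOM" { skipping = 0 }
        skipping { next }
        { print }
        index($0, "KATELLO_SERVER_CA_DATA << EOM") {
            while ((getline line < cafile) > 0) print line
            close(cafile)
            skipping = 1
        }
    ' "$script" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Keep a copy for diffing, then overwrite in place so mode/owner survive.
    cp -p "$script" "$script.orig" && cat "$tmp" > "$script"
    rm -f "$tmp"
}
```

Run it as `replace_server_ca ~/rpmbuild/SOURCES/katello-rhsm-consumer server-ca.pem` before the rpmbuild step, and `diff -u` the `.orig` copy against the result to confirm that only the certificate block changed. If you would rather not copy the certificate out of a browser, acme.sh can write the issuing CA certificate to a file via the `--ca-file` option of `--install-cert` (an acme.sh option not used in the post).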

Hello, I am writing to seek assistance regarding the configuration of Certbot and Apache on my server. I am currently experiencing difficulties with Certbot’s inability to properly configure Apache and update the necessary directives with correct file paths for SSL certificate configuration.

To provide some background, I have a project that involves a web server running on Rocky Linux. I followed the recommended steps to install Certbot and generate an SSL certificate using the “sudo certbot --apache” command. While the certificate generation was successful, Certbot does not seem to be updating the Apache configuration as expected. The directives related to SSL certificate paths remain unchanged with placeholder paths:

SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private_key.key
SSLCertificateChainFile /path/to/chain.crt

I have reviewed the Apache configuration file at /etc/httpd/conf/httpd.conf and examined the Certbot logs located at /var/log/letsencrypt/letsencrypt.log. However, I have not found any specific errors or issues that would explain why Certbot is failing to update the configuration.

I kindly request your assistance in troubleshooting this problem. I would greatly appreciate any insights or guidance regarding why Certbot is not configuring Apache correctly and updating the directives with the appropriate file paths. Additionally, any suggestions or recommended steps to resolve this issue would be highly appreciated.

If there are any specific log files or additional information that would be helpful for diagnosing the problem, please let me know. Thank you in advance for your support, and I look forward to your response.

If the certbot command isn’t automatically updating it, just edit the files manually and replace the paths. You will find /etc/letsencrypt/live on your server and inside here will be something like myserver.mydomain.com depending on what FQDN you generated the certificates for. Those paths in your Apache config will then look like:

SSLCertificateFile /etc/letsencrypt/live/myserver.mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myserver.mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/myserver.mydomain.com/chain.pem

You can even use fullchain.pem instead of cert.pem, and then the third line with chain.pem can be deleted from the Apache config. In that case, it will look like:

SSLCertificateFile /etc/letsencrypt/live/myserver.mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myserver.mydomain.com/privkey.pem

The certbot website I linked previously only shows for CentOS, so whilst it should work and configure, perhaps something is not quite right. But as you see, it will take one minute of editing files to solve the problem.

OK, thanks a lot, I will try it!
Since you know the topic well with Rocky Linux, maybe you can help me with this as well. I have a mistake here that I don’t know how to fix; I’m walking in circles:

× httpd.service - The Apache HTTP Server   ->   failed (Result: exit-code)  : 
 AH00526: Syntax error on line 70 of /etc/httpd/conf/httpd.conf:
Jul 19 23:48:22 RWEB-1 httpd[20933]: Invalid command 'AuthUserFile', perhaps misspelled or defined by a module not included in the server configuration
Jul 19 23:48:22 RWEB-1 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 19 23:48:22 RWEB-1 systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 19 23:48:22 RWEB-1 systemd[1]: Failed to start The Apache HTTP Server.

it’s here:

 <Directory "/var/www/html/cgi-bin">
67     AllowOverride All
68     Options +ExecCGI
69     Require all granted
70     AuthUserFile "/var/www/html/.htpasswd"      
71 </Directory>

I have this in my httpd.conf:

LoadModule authz_core_module modules/mod_authz_core.so ... but I don't have any "authz_core"

here:

[root@RWEB-1 conf.modules.d]# ls -l /etc/httpd/conf.modules.d/
total 52
-rw-r--r--. 1 root root 3325 May 16 22:18 00-base.conf
-rw-r--r--. 1 root root   47 May 16 22:18 00-brotli.conf
-rw-r--r--. 1 root root  139 May 16 22:18 00-dav.conf
-rw-r--r--. 1 root root   41 May 16 22:18 00-lua.conf
-rw-r--r--. 1 root root  948 May 16 22:18 00-mpm.conf
-rw-r--r--. 1 root root  787 May 16 22:18 00-optional.conf
-rw-r--r--. 1 root root 1073 May 16 22:18 00-proxy.conf
-rw-r--r--. 1 root root   41 May 16 22:18 00-ssl.conf
-rw-r--r--. 1 root root   88 May 16 22:18 00-systemd.conf
-rw-r--r--. 1 root root  367 May 16 22:18 01-cgi.conf
-rw-r--r--. 1 root root   45 May  9 09:38 10-h2.conf
-rw-r--r--. 1 root root   57 May  9 09:38 10-proxy_h2.conf
-rw-r--r--. 1 root root  496 May 16 22:21 README

Can you tell me how to fix this? I can’t start my server without it. It’s Rocky 9.2 and Server version: Apache/2.4.53 (Rocky Linux)

EDIT: by @iwalker please use formatting tools when posting to make posts easier reading thanks :slight_smile:

Do you have LoadModule authn_file_module modules/mod_authn_file.so ?

FWIW, the modules themselves live in /etc/httpd/modules, and they’re loaded via config entries (e.g. /etc/httpd/conf.modules.d/00-base.conf)

As per the error, line 70 in the file mentioned has a syntax error which means it hasn’t been correctly formatted. You can use:

apachectl configtest

to ensure changes applied to Apache config files are correct or not. So you need to look at that line and fix it with the correct info. Assuming those numbers 67 - 71 appear in the config file, then delete them if they are showing at the beginning of all these lines (kinda guessing you copied/pasted it from somewhere).
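Both problems in this exchange (SSLCertificate* directives still pointing at /path/to/ placeholders, and AuthUserFile failing because mod_authn_file is not loaded) are the kind of thing a small preflight script can catch before httpd refuses to start. The script below is an added example, not part of the thread or of Apache; the directive-to-module table in it is constructed from the standard httpd module names, and the file layout (httpd.conf plus conf.modules.d/*.conf) is the one shown in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): two preflight checks to run on an httpd
# configuration before "apachectl configtest" or "systemctl restart httpd".
#   check_ssl_paths CONF        flag SSLCertificate* directives whose value is
#                               still a /path/to/ placeholder or is not readable
#   check_modules CONF MODDIR   flag directives whose module has no active
#                               LoadModule line in MODDIR/*.conf or CONF
# Each prints one finding per line and returns 1 if anything was found.

# Emit "DIRECTIVE VALUE" for every non-comment line of the given files, with
# quotes stripped from the value, so both checks share one tokeniser.
directives() {
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' "$@" 2>/dev/null \
        | awk 'NF >= 2 { gsub(/"/, "", $2); print $1, $2 }'
}

check_ssl_paths() {
    local found=0 d v
    while read -r d v; do
        case "$d" in
            SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile) ;;
            *) continue ;;
        esac
        if [ "${v#/path/to/}" != "$v" ]; then
            echo "PLACEHOLDER: $d $v"
            found=1
        elif [ ! -r "$v" ]; then
            echo "UNREADABLE: $d $v"
            found=1
        fi
    done <<EOF
$(directives "$1")
EOF
    return $found
}

# Directive -> module name as it appears in LoadModule. A constructed table of
# common cases; the thread's failure (AuthUserFile without mod_authn_file) is
# the first entry.
module_for() {
    case "$1" in
        AuthUserFile)      echo authn_file_module ;;
        AuthGroupFile)     echo authz_groupfile_module ;;
        AuthBasicProvider) echo auth_basic_module ;;
        AuthType|AuthName) echo authn_core_module ;;
        Require)           echo authz_core_module ;;
        SSLEngine|SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)
                           echo ssl_module ;;
        RewriteEngine|RewriteRule|RewriteCond)
                           echo rewrite_module ;;
        *) return 1 ;;
    esac
}

check_modules() {
    local conf="$1" moddir="$2" found=0 loaded reported="" d v m
    # Modules actually loaded: commented-out LoadModule lines are dropped by
    # directives(), which is exactly the case worth catching.
    loaded=$(directives "$moddir"/*.conf "$conf" | awk '$1 == "LoadModule" { print $2 }')
    while read -r d v; do
        m=$(module_for "$d") || continue
        case " $reported " in *" $m "*) continue ;; esac
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "MODULE: '$d' needs LoadModule $m (not loaded)"
            reported="$reported $m"
            found=1
        fi
    done <<EOF
$(directives "$conf")
EOF
    return $found
}
```

On Rocky the calls are `check_ssl_paths /etc/httpd/conf/httpd.conf` (and the same against /etc/httpd/conf.d/ssl.conf if that is where the vhost lives) and `check_modules /etc/httpd/conf/httpd.conf /etc/httpd/conf.modules.d`. The module check only knows the directives in its table, so `apachectl configtest` remains the authority; the point of the script is to turn "Invalid command" into a message that names the LoadModule line to add.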