Let’s Encrypt – TecAdmin
https://tecadmin.net

How to Generate Let’s Encrypt SSL using Certbot
https://tecadmin.net/how-to-generate-lets-encrypt-ssl-using-certbot/
Sun, 18 Sep 2022 05:21:14 +0000

Let’s Encrypt is a free, automated, and open certificate authority: it lets you create and install free TLS certificates in your web server with a few command-line arguments. With Let’s Encrypt, you can provide HTTPS on your website for every user without spending money or worrying about renewal dates.

Certbot provides an easy way to generate free Let’s Encrypt certificates for your websites so that they can serve their content over HTTPS. In this article, we will see how to use Certbot to automate the process of generating Let’s Encrypt certificates.

Step 1 – Installing Certbot

Most Linux systems have the certbot package in their default package repositories. Certbot is a tool to obtain certificates from Let’s Encrypt and configure them on your web server. The Snap package is the easiest way to install certbot on an Ubuntu system.

Open a terminal and execute the below command to install certbot:

sudo snap install --classic certbot 

Once a new certbot version is available, Snap will auto-update the package.

Step 2 – Generate SSL Certificate with Certbot

Now you can request SSL certificates from Let’s Encrypt. We discuss 4 methods to get a new SSL certificate; which one to use depends on the web server running on your system, including the case where no web server is running at all.

Choose the correct method for your environment:

  1. No Web Server Running

    If you don’t have any web server running on your system, you can use the --standalone option to complete the domain validation by starting a dummy web server. This option needs to bind to port 80 in order to perform domain validation.

    sudo certbot certonly --standalone

    If you are running certbot for the first time, it will prompt you to accept the terms and provide an email address for sending notifications.

    You can also provide the inputs on the command line. For example:

    sudo certbot certonly --standalone -d example.com --staple-ocsp -m me@example.com --agree-tos

  2. Certbot with Apache

    On systems running the Apache web server, execute the following command. This will list all the domains/sub-domains configured on your web server. Select the appropriate numbers to request a certificate.

    sudo certbot --apache

    This will read the Apache configuration files and list all the configured domain names. Enter the number of the domain you want to issue a certificate for. You can input multiple comma-separated numbers.

    Once the domain ownership is verified, the certificate will be issued and the Apache configuration file will be created with SSL settings.

  3. Certbot with Nginx

    On systems running the Nginx web server, use the command below to request the SSL certificates.

    sudo certbot --nginx -d example.com -d www.example.com

  4. Some Other Web Server Running

    On systems running any web server other than Apache or Nginx, you can obtain the certificate only and configure it manually.

    This command will ask you for the domain name and document root for the domain.

    sudo certbot certonly --webroot

    You can also pass the domain name and/or document root on the command line.

    sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com

While using the above commands, the domain must be pointed to the server in DNS. Also, ensure that /.well-known/acme-challenge is served by the web server.

Step 3 – View Certificate Files

Once a certificate is issued by the Let’s Encrypt authority, all the certificate files are created under the /etc/letsencrypt directory. If your domain name is example.com, the files will be created at the location below.

ls -l /etc/letsencrypt/live/example.com/

Output:

-rw-r--r-- 1 root root 692 Mar 9 06:59 README
lrwxrwxrwx 1 root root 37 Sep 6 09:56 cert.pem -> ../../archive/example.com/cert1.pem
lrwxrwxrwx 1 root root 38 Sep 6 09:56 chain.pem -> ../../archive/example.com/chain1.pem
lrwxrwxrwx 1 root root 42 Sep 6 09:56 fullchain.pem -> ../../archive/example.com/fullchain1.pem
lrwxrwxrwx 1 root root 40 Sep 6 09:56 privkey.pem -> ../../archive/example.com/privkey1.pem

Replace example.com with your domain name to list the correct files.

Conclusion

Let’s Encrypt is a certificate authority that provides free SSL certificates for public websites. We can issue certificates for any number of domains. The SSL certificates are issued for 3 months only, after which you need to renew them. Certbot is a command-line utility that helps to manage Let’s Encrypt SSL certificates. With the help of certbot we can issue a new certificate, renew it and delete it.

Hope this tutorial helps you to work with Certbot for managing the SSL certificate on your system.

How to Delete a Let’s Encrypt Certificate using Certbot
https://tecadmin.net/delete-lets-encrypt-certificates-using-certbot/
Thu, 02 Jun 2022 08:50:48 +0000

Certbot is a free and open-source software tool used for managing the Let’s Encrypt certificates. This tool allows users to issue certificates in a single command and also configure the web servers.

By default, certbot stores all the client certificates under the directories listed below. We do not recommend deleting these files manually. In this tutorial, we will discuss deleting unused SSL certificates using the Certbot command line.

  • /etc/letsencrypt/live
  • /etc/letsencrypt/renewal
  • /etc/letsencrypt/archive

Delete a Let’s Encrypt SSL Certificate

Certbot provides an option to delete certificates for you. To delete an SSL certificate, run the following command.

sudo certbot delete 

This command will show you an index from which you can select the domain name to delete the associated certificate. Just type the index number of the domain name that you want to delete and hit Enter. The issued certificate, including other associated files, will be deleted.

You can also specify the domain name with the certbot command as below. This could be helpful if the domain name does not appear in the index list.

sudo certbot delete --cert-name example.com

That’s it.

Conclusion

This tutorial helped you to delete a Let’s Encrypt SSL certificate using certbot command-line tool.

How to Install Tomcat 10 on Debian 10
https://tecadmin.net/how-to-install-tomcat-10-on-debian-10/
Fri, 26 Mar 2021 06:00:53 +0000

Apache Tomcat is an open-source web server with a servlet container for publishing Java-based web applications. Tomcat is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation. As of today, Tomcat 10 is the latest stable version available for installation on development and production environments. To know more about Apache Tomcat, visit the official Apache site http://tomcat.apache.org/.

This tutorial will help you to install Apache Tomcat 10 on a Debian 10 Buster Linux system.

Prerequisites

A running Debian 10 system with sudo privileged account shell access.

You can get cheaper instances from DigitalOcean hosting.

Step 1 – Install Java

Tomcat 10 requires JRE 8 or a higher version installed on your system. If your system doesn’t have a JRE installed, use the following commands to install OpenJDK to fulfil the requirement.

sudo apt update 
sudo apt install default-jdk -y 

Check the current active Java version:

java -version 

openjdk 11.0.9.1 2020-11-04
OpenJDK Runtime Environment (build 11.0.9.1+1-post-Debian-1deb10u2)
OpenJDK 64-Bit Server VM (build 11.0.9.1+1-post-Debian-1deb10u2, mixed mode, sharing)

Step 2 – Create Tomcat User

It is good to have a dedicated user account for running a Tomcat server. Creating a new user with the name “tomcat” is recommended for security purposes, mainly for production deployments.

To create a new account, type:

sudo useradd -m -d /opt/tomcat -U -s /bin/false tomcat 

The above command will create a user and group with the name “tomcat” in your system.

Step 3 – Install Tomcat on Debian 10

The Apache Tomcat development team releases new versions of Tomcat from time to time, so it is good to check for and download the latest Tomcat version from the official download server. Use the command below to download Tomcat 10.

wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.0.16/bin/apache-tomcat-10.0.16.tar.gz 

After downloading the archive file, extract it under the tomcat home directory /opt/tomcat, skipping the parent folder.

sudo tar xzvf apache-tomcat-10*tar.gz -C /opt/tomcat --strip-components=1 

Next, set the proper file permissions.

sudo chown -R tomcat:tomcat /opt/tomcat/ 
sudo chmod -R u+x /opt/tomcat/bin 

You have now the latest Tomcat application on your system.

Step 4 – Create Tomcat User

Now, configure Tomcat with user accounts to secure access to the admin/manager pages. To do this, edit the conf/tomcat-users.xml file in your editor and paste the following code inside the <tomcat-users> </tomcat-users> tags. We recommend changing the password in the configuration below to a highly secure password.

sudo nano /opt/tomcat/conf/tomcat-users.xml 

Add the following values. Make sure to change the password for admin and manager access.

<!-- user manager can access only manager section -->
<role rolename="manager-gui" />
<user username="manager" password="_SECRET_PASSWORD_" roles="manager-gui" />

<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui" />
<user username="admin" password="_SECRET_PASSWORD_" roles="manager-gui,admin-gui" />

Save file and close.

Step 5 – Enable Remote Tomcat Access

The default Tomcat manager and host-manager applications are accessible for localhost only. To allow access to these pages from the remote system, you need to modify the following configuration files.

You can either allow specific remote system or allow all. Edit the context.xml file for manager and host manager application:

sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

Comment out the section added for IP address restriction to allow connections from anywhere.

<Context antiResourceLocking="false" privileged="true" >
  <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                   sameSiteCookies="strict" />
  <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->
  ...
</Context>

Also, edit the context.xml for the host-manager interface and comment out the same section as above.

sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

Save all files and close them.
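
Commenting out the valve leaves the manager applications reachable from any address, so it helps to check which context.xml files still carry an active restriction. The script below is an added example, not part of the original tutorial; the function names are hypothetical and the paths in the usage note are the ones edited in this step.

```sh
#!/bin/sh
# Added example: report whether Tomcat's manager apps are still restricted
# by an active RemoteAddrValve in their META-INF/context.xml.

# strip_xml_comments FILE
# Print FILE with <!-- ... --> spans removed, including comments that
# span several lines.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_comment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); in_comment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); in_comment = 1
            }
        }
        print out
    }' "$1"
}

# valve_allow FILE
# Print the allow="..." pattern of an uncommented RemoteAddrValve.
# Prints nothing and returns 1 when the valve is absent or commented out.
valve_allow() {
    { strip_xml_comments "$1" | tr '\n' ' '; echo; } |
        sed -n 's/.*\(<Valve[^>]*RemoteAddrValve[^>]*>\).*/\1/p' |
        sed -n 's/.*allow="\([^"]*\)".*/\1/p' |
        grep .
}

# audit_manager_access FILE...
# One result line per context.xml; returns 1 if any file has no active
# address restriction.
audit_manager_access() {
    rc=0
    for ctx in "$@"; do
        if allow=$(valve_allow "$ctx"); then
            echo "RESTRICTED $ctx allow=$allow"
        else
            echo "OPEN       $ctx (no active RemoteAddrValve)"
            rc=1
        fi
    done
    return $rc
}

# Run the audit only when context.xml paths are given as arguments.
if [ "$#" -gt 0 ]; then
    audit_manager_access "$@"
fi
```

Run it with /opt/tomcat/webapps/manager/META-INF/context.xml and /opt/tomcat/webapps/host-manager/META-INF/context.xml as arguments; a non-zero exit status means at least one of them accepts connections from any address.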

Step 6 – Create a Tomcat Systemd Unit File

Tomcat provides bash scripts to start and stop the service. To make this simpler, create a unit file to manage Tomcat as a systemd service. Create a tomcat.service file with the following content:

sudo nano /etc/systemd/system/tomcat.service 

[Unit]
Description=Tomcat
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

Reload the systemd daemon to load the newly created file.

sudo systemctl daemon-reload 

Now, start the Tomcat application for the first time.

sudo systemctl start tomcat.service 

Next, enable the tomcat service to auto-start for subsequent system boots. This is more important for the production deployments.

sudo systemctl enable tomcat.service 

The Tomcat application is now running on your system. You can verify the service status by executing the command below. Make sure the status shows “active (running)”.

sudo systemctl status tomcat.service 

That’s it. You have successfully configured Tomcat 10 on your Debian system.

Step 7 – Access the Tomcat Web Interface

Tomcat runs on port 8080 by default. Now that Tomcat is configured on your system, you can access its web interface by entering your server’s IP address, or a domain name pointed to that server, followed by port 8080 in your browser.

Replace tecadmin.local with your server IP, domain or localhost.

http://tecadmin.local:8080/

You will see a page like the one below:

[Screenshot: Installing Tomcat 10]

Tomcat Manager App is a web application packaged with the Tomcat server application. The Manager interface provides us with the basic functionality we need to manage our deployed web applications.

Click the Manager App button on the home page, or directly type /manager after the main Tomcat server URL in the browser, to access it.

http://tecadmin.local:8080/manager/

Tomcat Host Manager App is another web application packaged with the Tomcat server application. It is used to create and remove virtual hosts within the Tomcat service. A virtual host allows you to define multiple hostnames on a single server.

Click the Host Manager button on the home page, or directly type /host-manager after the main Tomcat server URL, to access it.

http://tecadmin.local:8080/host-manager/

Conclusion

Congratulations, you have a running Tomcat server on a Debian system. You can deploy a Java-based application using the Tomcat server.

You may also need to create virtual hosts in Tomcat or secure your Tomcat applications with a Let’s Encrypt SSL certificate.

How To Secure Tomcat with Let’s Encrypt SSL
https://tecadmin.net/how-to-install-lets-encrypt-ssl-with-tomcat/
Wed, 24 Mar 2021 18:34:57 +0000

Let’s Encrypt is a certificate authority that provides valid SSL certificates to be used for the web application. It provides certificates freely for everyone with some restrictions.

Security first should be the rule of thumb for any organization, to secure its hard-won code from hackers. It becomes more important when application data travels over public networks. For this situation, we need to implement end-to-end encryption using TLS.

This tutorial helps you to issue a new Let’s Encrypt SSL certificate and configure it with the Tomcat web server.

Prerequisites

This tutorial doesn’t cover the Tomcat installation. We are assuming that you already have a Tomcat server running on your system. You can visit Tomcat installation tutorials.

Step 1 – Installing Certbot

Certbot is a command-line utility to create and manage Let’s Encrypt SSL certificates. It is available for most operating systems.

Debian-based users can install certbot by running the following command. Other operating system users can install it from here.

sudo apt install certbot 

Next, create the SSL certificate for your domain. Make sure the domain is already pointed to the tomcat server from DNS. For this tutorial, I am using the tomcat.tecadmin.net subdomain.

sudo certbot certonly --standalone -d tomcat.tecadmin.net 

Once the certificate is issued, you can see all the related files at the location below:

sudo ls /etc/letsencrypt/live/tomcat.tecadmin.net/ 
Output
cert.pem chain.pem fullchain.pem privkey.pem README

These are all the files you need for the SSL certificate setup.

Step 2 – Configure Tomcat with Let’s Encrypt SSL

Next, configure your Tomcat server to listen on the secure protocol. By default, Tomcat uses 8443 to listen for SSL/TLS requests.

Copy the SSL certificate and private key files to the /opt/tomcat/conf directory:

sudo cp /etc/letsencrypt/live/tomcat.tecadmin.net/{cert,chain,privkey}.pem /opt/tomcat/conf/ 

Then edit the conf/server.xml file available under the Tomcat home directory. In my case Tomcat is installed under /opt/tomcat, so use the command below to edit the configuration file.

sudo nano /opt/tomcat/conf/server.xml 

Remove <!-- and --> to uncomment the following section in the configuration file. Also add the certificate section with your certificate files. The configuration will look like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateFile="conf/cert.pem"
                 certificateKeyFile="conf/privkey.pem"
                 certificateChainFile="conf/chain.pem" />
        </SSLHostConfig>
    </Connector>

Press CTRL+O to save changes and CTRL+X to exit from the editor.

Now, restart the Tomcat service to apply changes.

sudo systemctl restart tomcat 

That’s it. You have configured Let’s Encrypt SSL with Tomcat.

The next step is to verify the setup.

Step 3 – Verify Tomcat SSL Certificate

By default, Tomcat with SSL listens on port 8443. Use your domain with port 8443 to access Tomcat over the secure socket layer.

  • https://tomcat.tecadmin.net:8443

That’s it. You have successfully configured Let’s Encrypt SSL with Tomcat.

Step 4 – Renew SSL Certificate

Let’s Encrypt SSL certificates expire in 90 days by default. You can easily refresh your SSL certificate anytime within 30 days of expiration.

Type the below command to refresh the SSL certificate.

sudo certbot certonly --standalone -d tomcat.tecadmin.net 

Once it is successfully renewed, copy the newly generated certificate files to the Tomcat conf directory.

sudo cp /etc/letsencrypt/live/tomcat.tecadmin.net/{cert,chain,privkey}.pem /opt/tomcat/conf/ 

Restart the Tomcat service to apply changes.

sudo systemctl restart tomcat 
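
The copy-and-restart steps above can be run by certbot itself as a deploy hook. The script below is an added example, not part of the original article; it assumes Tomcat runs as the user tomcat and reads its PEM files from /opt/tomcat/conf, and it relies on the RENEWED_LINEAGE variable that certbot exports to deploy hooks.

```sh
#!/bin/sh
# Added example: certbot deploy hook that installs renewed files for Tomcat.
# Assumptions (not from the original article): Tomcat reads its PEM files
# from /opt/tomcat/conf and runs as the unprivileged user "tomcat".

TOMCAT_CONF="${TOMCAT_CONF:-/opt/tomcat/conf}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"

# deploy_cert LINEAGE_DIR DEST_DIR [OWNER]
# Copies cert.pem, chain.pem and privkey.pem from the certbot lineage
# directory into DEST_DIR. Each file is written under a temporary name
# and then renamed, so Tomcat never reads a half-written file. The
# private key ends up mode 0600, the certificates 0644.
deploy_cert() {
    lineage=$1
    dest=$2
    owner=${3:-}

    # Refuse to touch the destination unless all three inputs are present.
    for f in cert.pem chain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "missing or unreadable: $lineage/$f" >&2
            return 1
        fi
    done

    for f in cert.pem chain.pem privkey.pem; do
        case $f in
            privkey.pem) mode=0600 ;;
            *)           mode=0644 ;;
        esac
        tmp="$dest/.$f.new.$$"
        # umask 077 keeps the key private even before chmod runs.
        ( umask 077; cp "$lineage/$f" "$tmp" ) || return 1
        chmod "$mode" "$tmp" || return 1
        if [ -n "$owner" ]; then
            chown "$owner" "$tmp" || return 1
        fi
        mv -f "$tmp" "$dest/$f" || return 1
    done
}

# Certbot sets RENEWED_LINEAGE (for example
# /etc/letsencrypt/live/tomcat.tecadmin.net) when it runs a deploy hook.
# Without it the script only defines the function and does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$TOMCAT_CONF" "$TOMCAT_USER:$TOMCAT_USER" &&
        systemctl restart tomcat
fi
```

Saved as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, the script is run by certbot renew after each successful renewal.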

Conclusion

In this tutorial, you have learned to set up a Let’s Encrypt SSL certificate with the Tomcat web server. It also provides the steps to renew your SSL certificate.

Adding Let’s Encrypt SSL to Webmin Hostname
https://tecadmin.net/adding-lets-entrypt-ssl-to-webmin-hostname/
Fri, 12 Feb 2021 17:32:53 +0000

By default, Webmin listens on port 10000 with a self-signed SSL certificate. You will see a security warning in the web browser saying the certificate is not trusted. Many organizations do not allow the use of self-signed certificates for several reasons.

Let’s Encrypt is a free and open certificate authority run by the non-profit Internet Security Research Group (ISRG). It provides free SSL certificates for domains, valid for 90 days. You can easily renew certificates before expiration manually or schedule them to renew automatically.

This tutorial describes how to set up a Let’s Encrypt SSL certificate with the Webmin hostname.

Change Webmin Hostname

First, make sure you have a valid domain name configured with Webmin. Choose a domain name (subdomain) for Webmin and update the DNS entry to point the domain to the Webmin server.

Change the system hostname from the Webmin dashboard. Log in to Webmin using admin account access:

[Screenshot: Webmin change system hostname]

This will change the hostname of the system. Also make an entry in the /etc/hosts file to bind the hostname to the localhost IP address.

Configure Let’s Encrypt Certificate in Webmin

Now you have configured a fully qualified domain as the system hostname. Again, make sure the domain is properly pointed to your Webmin server IP address. You can use an online tool to verify the DNS records.

Let’s configure Let’s Encrypt SSL for Webmin:

  1. Go to Webmin (in left sidebar)
  2. Click Webmin Configuration
  3. Click on “SSL Encryption” as shown in the screenshot

    [Screenshot: Webmin SSL Center]

  4. Go to the “Let’s Encrypt” tab
  5. Enter your hostname under “Hostnames for certificate”. For example, I have used webmin.tecadmin.net.
  6. Select “Other directory” under “Website root directory for validation file” and set the path to “/var/www/html”
  7. Under “Months between automatic renewal”, set the value to 1. This allows the SSL certificate to be auto-renewed before 1 month of expiry.

    [Screenshot: Webmin SSL Cert for Hostname]

  8. Verify all details again and press the Request Certificate button
  9. On success, you will see a result like the one below.

    [Screenshot: Webmin SSL installed]

  10. All done

Let’s Encrypt SSL certificate is successfully configured for the Webmin hostname.

Test SSL Certificate

Access the Webmin interface with https protocol using the system hostname on port 10000. You will see a valid ssl certificate in your browser.

For example: https://webmin.tecadmin.net:10000

Conclusion

This tutorial described how to configure a Let’s Encrypt SSL certificate with the Webmin hostname.

You can also verify the SSL certificate using an online SSL checker tool. Make sure to enter the full URL with the port.

How to Secure GitLab Server with Let’s Encrypt SSL
https://tecadmin.net/secure-gitlab-with-lets-encrypt-ssl/
Sat, 26 Dec 2020 17:30:13 +0000

We always say, security first. It should be the first priority to keep your hard work safe from hackers. This tutorial will take a few minutes to secure a Gitlab server using Let’s Encrypt SSL certificates. Let’s Encrypt provides free SSL certificates to secure your domains and an easy way to auto-update them.

This tutorial will help you to secure the Gitlab service with a Let’s Encrypt SSL certificate and enable the auto-renew feature. If you are going with a fresh installation, have a look at the guides below.

Prerequisites

Login to your Gitlab system with a sudo privileged account.

Also make sure to create an A record that points your domain/subdomain to the public IP address of your Gitlab server. This is recommended so that the Let’s Encrypt validation can complete when a new certificate is issued. For example, if you need to configure your Gitlab server to be accessed at https://gitlab.tecadmin.net, make an A record in DNS for gitlab.tecadmin.net pointing to the server IP address.

Configure Let’s Encrypt SSL with Gitlab

Gitlab keeps the configuration files under /etc/gitlab directory. You can edit the main configuration file /etc/gitlab/gitlab.rb in a text editor of your choice.

sudo vim /etc/gitlab/gitlab.rb 

Make the following changes:

  • First, change the external_url setting to your domain, starting with https.

    external_url "https://gitlab.tecadmin.net"

  • Add or update the following entries in the configuration file. Set letsencrypt['enable'] to true; this will request an SSL certificate and configure it on the Gitlab instance. You can also provide an optional contact email, used by the Let’s Encrypt authority to send alerts about the SSL certificates.

    # Enable the Let's encrypt SSL
    letsencrypt['enable'] = true
    
    # This is optional to get SSL related alerts
    letsencrypt['contact_emails'] = ['email@your-domain.com']

  • Also configure Gitlab to renew SSL certificate automatically on a regular interval.

    # Enable the auto renew feature
    letsencrypt['auto_renew'] = true
    
    # This example renews every 7th day at 12:30
    letsencrypt['auto_renew_hour'] = "12"
    letsencrypt['auto_renew_minute'] = "30"
    letsencrypt['auto_renew_day_of_month'] = "*/7"

Save the configuration file and exit from editor.

Next, run the reconfigure command to apply changes to Gitlab server.

sudo gitlab-ctl reconfigure 

This will take some time to complete the installation. At the end, you will see a message “gitlab Reconfigured!” on your screen.

Verify SSL

Access the Gitlab web interface in a web browser. This will automatically redirect you to the secure URL.

That’s it. You have successfully configured let’s encrypt SSL on Gitlab.

Conclusion

In this tutorial, you have learned to configure a Let’s Encrypt SSL certificate on a Gitlab instance and to enable automatic certificate renewal at a regular interval.

How to Setup Let’s Encrypt (Certbot) on Ubuntu 20.04
https://tecadmin.net/how-to-setup-lets-encrypt-on-ubuntu-20-04/
Mon, 07 Sep 2020 17:23:04 +0000

Certbot is a command-line utility for managing Let’s Encrypt SSL certificates on a Linux system. It allows you to request a new SSL certificate, do the authorization and configure your web server for SSL settings. It also helps you to renew certificates issued by the Let’s Encrypt certificate authority.

This tutorial helps you to install and use Certbot (A Let’s Encrypt client) on Ubuntu 20.04 LTS Linux system.

Prerequisites

You must fulfill the following:

  • A running Ubuntu 20.04 system with sudo privileged account access.
  • Apache web server with virtual host configured with a real domain or subdomain.
  • Domain or sub-domain must be pointed correctly to web server IP address.

Step 1 – Installing Certbot

Certbot is a tool to obtain certificates from Let’s Encrypt and configure them on your web server. The Snap package is the easiest way for installing the certbot on the Ubuntu system.

Open a terminal and execute the below command to install certbot:

sudo snap install --classic certbot 

Step 2 – Generate SSL Certificate

Now you can request SSL certificates from Let’s Encrypt based on the web server.

  1. Apache – On systems running the Apache web server, execute the following command. This will list all the domains/sub-domains configured on your web server. Select the appropriate numbers to request a certificate.
    sudo certbot --apache 
    
  2. Nginx – On systems running the Nginx web server, use the command below to request the SSL certificates.
    sudo certbot --nginx 
    
  3. Get Certificate Only – On systems running any web server other than Apache or Nginx, you can obtain the certificate only and configure it manually.

    This command will ask you for the domain name and document root for the domain.

    sudo certbot certonly --webroot 
    
  4. No Web Server – Systems with no web server running can also request an SSL certificate. The command below will ask you for the domain name and start a temporary web server on port 80 to complete the verification.
    sudo certbot certonly --standalone 
    

While using the above commands, the domain must be pointed to the server in DNS. Also, ensure that /.well-known/acme-challenge is served by the web server.

Step 3 – Test SSL

Once the SSL certificate is installed on the web server, visit https://your-domain.com/ in a web browser and look for the SSL lock icon in the URL bar. You can also do a security scan for the SSL setup on https://www.ssllabs.com/ssltest/.

Step 4 – Renew SSL Certificate

A Let’s Encrypt certificate is issued for 3 months only. You need to renew the certificate before 30 days of expiry. Certbot allows you a hassle-free renewal just by running a single command.

Run the below command to renew all the certificates on that system.

sudo certbot renew 

You can also perform a dry run, which tests whether renewal will work without actually renewing the certificates.

sudo certbot renew --dry-run 
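Because certificates last only 3 months, it is worth monitoring that renewals actually happen. The following is an added example, not part of the original article: it reports which certificates are inside the 30-day renewal window. It assumes certbot's default layout, /etc/letsencrypt/live/<name>/cert.pem; the function names are introduced here.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes certbot's default
# layout: /etc/letsencrypt/live/<name>/cert.pem.
RENEW_WINDOW_DAYS=30

# cert_needs_renewal FILE [DAYS]
# Returns 0 if FILE expires within DAYS days (or already has), 1 if it stays
# valid beyond that, 2 if FILE is missing or is not a PEM certificate.
cert_needs_renewal() {
    pem=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    [ -r "$pem" ] || return 2
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 while the certificate is still valid N seconds from now.
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report_live_certs [LIVE_DIR]
# Prints one status line per certificate; returns 1 if any needs attention.
report_live_certs() {
    live_dir=${1:-/etc/letsencrypt/live}
    any_due=0
    for f in "$live_dir"/*/cert.pem; do
        [ -e "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        not_after=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        r=0
        cert_needs_renewal "$f" || r=$?
        case $r in
            0) echo "RENEW  $name (notAfter: $not_after)"; any_due=1 ;;
            1) echo "OK     $name (notAfter: $not_after)" ;;
            *) echo "ERROR  $name (unreadable certificate)"; any_due=1 ;;
        esac
    done
    return $any_due
}

# Stand-alone use, e.g. from cron or a monitoring agent: sh check.sh --report
if [ "${1:-}" = "--report" ]; then
    report_live_certs
fi
```

Run it as root, since the live directory is normally readable only by root. A non-zero exit status means at least one certificate is due for renewal or could not be read.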

Conclusion

In this tutorial, you have learned how to install certbot on an Ubuntu system and how to create new certificates for your web servers.

The post How to Setup Let’s Encrypt (Certbot) on Ubuntu 20.04 appeared first on TecAdmin.

How to Setup Let’s Encrypt SSL with Apache on Fedora https://tecadmin.net/setup-lets-encrypt-ssl-with-apache-on-fedora/ https://tecadmin.net/setup-lets-encrypt-ssl-with-apache-on-fedora/#respond Sat, 04 Apr 2020 05:48:29 +0000 https://tecadmin.net/?p=20734 Let’s Encrypt is a non-profit Certificate Authority (CA) managed by the Internet Security Research Group. It provides free SSL certificates for your domains to secure data on the transport layer. This tutorial will help you to install and secure Apache with Let’s encrypt on the Fedora system. Prerequisites Running Fedora system with shell access A [...]

The post How to Setup Let’s Encrypt SSL with Apache on Fedora appeared first on TecAdmin.

Let’s Encrypt is a non-profit Certificate Authority (CA) managed by the Internet Security Research Group. It provides free SSL certificates for your domains to secure data on the transport layer. This tutorial will help you to install and secure Apache with Let’s encrypt on the Fedora system.

Prerequisites

  • Running Fedora system with shell access
  • A domain/sub-domain pointed to the server’s IP address via a public DNS server. For this tutorial, we use webhost.tecadmin.net.

Step 1 – Install Apache

First of all, install the Apache web server on your Fedora system. The default package repositories contain the Apache packages. You can install them directly using the following command:

sudo dnf install httpd httpd-tools mod_ssl 

Step 2 – Create VirtualHost in Apache

For this tutorial, I have created an index.html file under the default document root. Similarly, you can place your application under the document root of your domain.

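# The redirection has to run as root, so pipe into "sudo tee" ("sudo echo ... > file" redirects as the calling user)
echo "<h2>Welcome to Secure TecAdmin.net</h2>" | sudo tee /var/www/html/index.html

After that, create a VirtualHost configuration file bound to port 80.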

sudo vim /etc/httpd/conf.d/webhost.tecadmin.net.conf 

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName webhost.tecadmin.net
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        AllowOverride All
    </Directory>
</VirtualHost>

Save and close the configuration file. Then restart the Apache service to reload the configuration file.

sudo systemctl restart httpd 

Step 3 – Setup Let’s Encrypt (Certbot) Client

Certbot is the ACME client application recommended by Let’s Encrypt for systems with shell access. It provides hassle-free automation of certificate issuance, installation, and renewal.

You can install the certbot package along with the certbot plugin for Apache using the following command:

sudo dnf install python3-certbot-apache 

The above command adds the certbot utility to your system. Execute the command below to get more help on the certbot command.

sudo certbot -h all 

Step 4 – Create Let’s Encrypt Certificate

Now you can request Let’s Encrypt to issue an SSL certificate for your domain. Run the certbot command for the Apache server as follows:

sudo certbot --apache 

This will list all the virtual hosts configured with Apache on the current server. Select the appropriate numbers, separated by commas. See the screenshot below:

[Screenshot: Using certbot on Fedora]

Let’s Encrypt will start the verification process for your domain. Make sure the domain you selected is pointed to this server via the public DNS server.

On successful verification, an SSL certificate will be issued for your domain. A separate SSL VirtualHost configuration file will be created for your domain.

Please choose whether or not to redirect HTTP traffic to HTTPS:

  • 1: No redirect – Make no further changes to the webserver configuration.
  • 2: Redirect – Make all requests redirect to secure HTTPS access.


Enter the number of your choice and press enter. You can also change it later by directly editing the configuration files.

Once the SSL configuration has completed successfully, you will see a congratulations message on your screen.


Step 5 – Verify Certificate

The Let’s Encrypt SSL certificate has been successfully configured for your domain. This certificate is issued for 3 months only. You can renew it before expiration.

Let’s check the certificate by accessing your site in a web browser.


Conclusion

You have successfully secured your website with a free Let’s Encrypt SSL certificate. Follow our next tutorial to set up Let’s Encrypt auto SSL renewal with crontab. Fedora systems have TLS 1.2 and TLS 1.3 enabled by default.

How to Install Let’s Encrypt SSL with IIS on Windows Server 2019 https://tecadmin.net/how-to-install-lets-encrypt-ssl-with-iis-on-windows-server-2019/ https://tecadmin.net/how-to-install-lets-encrypt-ssl-with-iis-on-windows-server-2019/#respond Tue, 24 Mar 2020 18:01:34 +0000 https://tecadmin.net/?p=20443 Let’s Encrypt is a certificate authority (CA) that provides free SSL certificates for websites. You can issue certificates for any domain name. It provided the trusted SSL certificate, So you can also deploy it in production environments. In order to use an SSL certificate, You must have a valid domain or a subdomain name. Also, [...]

The post How to Install Let’s Encrypt SSL with IIS on Windows Server 2019 appeared first on TecAdmin.

Let’s Encrypt is a certificate authority (CA) that provides free SSL certificates for websites. You can issue certificates for any domain name. It provides trusted SSL certificates, so you can also deploy them in production environments.

In order to use an SSL certificate, you must have a valid domain or subdomain name. Also, the domain must be pointed to the Windows server through the DNS server. For this tutorial, I have created a subdomain “secure.tecadmin.net” and pointed it to our Windows system.

This tutorial will help you to install a Let’s Encrypt SSL certificate with IIS on Windows Server 2019.

Download Win-ACME Tool

Win-ACME is a simple ACME client for Windows, for use with the Let’s Encrypt certificate authority.

First of all, download the latest Windows ACME Simple (WACS) application. It can be downloaded from the official GitHub releases page. Use the link below to visit the download page:

https://github.com/win-acme/win-acme/releases

At the time of writing this post, the downloaded archive is win-acme.v2.0.3.206.zip.

Create A New SSL Certificate

1. Once the Win-ACME archive file is downloaded, extract it on your Windows system. Go to the extracted directory and run wacs.exe as an administrator. Administrator privileges are required to access and modify IIS settings.

2. It will open a terminal window and show you multiple options on the screen. Select Create new certificate (simple for IIS) by pressing “N”.

3. This will show you the sites configured in IIS. Choose one or multiple sites with comma-separated numbers to issue an SSL certificate.

4. Select 1 when asked how you want to pick the bindings, and press enter.

Then just press enter for Include bindings:

5. Accept the terms by entering “yes” and press enter to continue. Let’s Encrypt will initiate the domain authorization process over HTTP. Once the authorization has completed successfully, the SSL certificate is issued.

This will also associate the SSL certificate with the site bindings in IIS.

Test Certificate and Binding

Open the website over the HTTPS protocol in a web browser. You will see a valid SSL certificate in the browser. You can also verify the SSL setup with the free ssllabs tool, which also scans the security settings on your server.

You can also edit the site bindings to view if SSL is properly configured.

Conclusion

This tutorial helped you to create a new SSL certificate from Let’s Encrypt and configure it on an IIS website.

How to Setup Let’s Encrypt SSL with Apache on CentOS 8 https://tecadmin.net/setup-letsencrypt-ssl-with-apache-on-centos-8/ https://tecadmin.net/setup-letsencrypt-ssl-with-apache-on-centos-8/#comments Thu, 27 Feb 2020 06:50:33 +0000 https://tecadmin.net/?p=20618 Let’s Encrypt is Certificate Authority (CA), which provides free SSL certificates for your domains to secure data on the transport layer. This tutorial will help you to install and secure Apache with a free SSL certificate issued by Let’s encrypt. Prerequisites Running CentOS 8 machine with shell access Follow initial server setup steps for newly [...]

The post How to Setup Let’s Encrypt SSL with Apache on CentOS 8 appeared first on TecAdmin.

Let’s Encrypt is a Certificate Authority (CA) which provides free SSL certificates for your domains to secure data on the transport layer. This tutorial will help you to install and secure Apache with a free SSL certificate issued by Let’s Encrypt.

Prerequisites

  • Running CentOS 8 machine with shell access
  • Follow the initial server setup steps for a newly installed machine
  • A domain/sub-domain pointed to the server’s IP address via a public DNS server. For this tutorial, we use webhost.tecadmin.net.

Step 1 – Install Apache

First of all, install the Apache server on your CentOS 8 machine. The Apache packages are available under the default repositories.

sudo dnf install httpd httpd-tools mod_ssl

Step 2 – Create VirtualHost with Port 80

For this tutorial, I have created an index.html file under the default document root. Similarly, you can place your application under the document root of your domain.

# The redirection has to run as root, so pipe into "sudo tee" ("sudo echo ... > file" redirects as the calling user)
echo "<h2>Welcome to Secure TecAdmin.net</h2>" | sudo tee /var/www/html/index.html

After that, create a VirtualHost configuration file bound to port 80.

sudo vim /etc/httpd/conf.d/webhost.tecadmin.net.conf

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName webhost.tecadmin.net
    DocumentRoot /var/www/html
</VirtualHost>

Save and close the file. Restart the Apache service to reload the configuration.

sudo systemctl restart httpd.service

Step 3 – Setup Let’s Encrypt (Certbot) Client

Certbot is the ACME client application recommended by Let’s Encrypt for systems with shell access. It provides hassle-free automation of certificate issuance, installation, and renewal.

You can download the certbot-auto script from the official download page and put it under the /usr/sbin directory. Use the following commands to do it.

sudo wget https://dl.eff.org/certbot-auto -O /usr/sbin/certbot-auto
sudo chmod a+x /usr/sbin/certbot-auto

You also need to install all the dependencies that certbot needs in order to work. The command below will install its dependencies on your system.

sudo certbot-auto --os-packages-only

Step 4 – Create Let’s Encrypt Certificate

Now you can request Let’s Encrypt to issue an SSL certificate for your domain. Run the certbot-auto command for the Apache server as follows:

sudo certbot-auto --apache

This will list all the virtual hosts configured with Apache on the current server. Select the appropriate numbers, separated by commas. See the screenshot below:

[Screenshot: Lets Encrypt Apache on CentOS 8]

Let’s Encrypt will start the verification process for your domain. Make sure the domain you selected is pointed to this server via the public DNS server.

On successful verification, an SSL certificate will be issued for your domain. A separate SSL VirtualHost configuration file will be created for your domain.

Please choose whether or not to redirect HTTP traffic to HTTPS:

  • 1: No redirect – Make no further changes to the webserver configuration.
  • 2: Redirect – Make all requests redirect to secure HTTPS access.


Enter the number of your choice and press enter. You can also change it later by directly editing the configuration files.

Once the SSL configuration has completed successfully, you will see a congratulations message on your screen.


Step 5 – Verify Certificate

The Let’s Encrypt SSL certificate has been successfully configured for your domain. This certificate is issued for 3 months only. You can renew it before expiration.

Let’s check the certificate by accessing your site in a web browser.


Conclusion

You have successfully secured your website with a free Let’s Encrypt SSL certificate. Follow our next tutorial to set up Let’s Encrypt auto SSL renewal with crontab. CentOS 8 systems have TLS 1.2 and TLS 1.3 enabled by default.
