How to use certbot on CentOS 7

We will create a certificate for a subdomain of this blog. The first step is to create an A record in DNS pointing at the machine that will answer the HTTP requests for that name: Let's Encrypt validates the http-01 challenge by fetching a file from that host over port 80, so the record has to resolve to this server (from the outside, not just from your own resolver) before certbot is run.

In the Google Domains DNS manager I created

Project setup

Create a folder for the project from which the contents will be served. In my case the web root for the subdomain is

/internet/domains/shame.donhk.dev

Then configure your web server (I will use nginx for this): add a server block for the new subdomain that serves that folder on port 80, reload nginx, and confirm the site answers before going further. The http-01 challenge is fetched over plain HTTP, so port 80 must be reachable from the internet, not only from the host itself.

(venv3) [root@madaravm certbot]# curl -I http://shame.donhk.dev
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 12 Oct 2020 23:15:40 GMT
Content-Type: text/html
Content-Length: 1369
Last-Modified: Mon, 12 Oct 2020 23:02:09 GMT
Connection: keep-alive
ETag: "5f84e071-559"
Accept-Ranges: bytes
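The curl above proves nginx is up, but not the two things the http-01 challenge actually depends on: that the name resolves to this host, and that a file placed under the webroot is served back at /.well-known/acme-challenge/<token>. The script below is an added example, not part of the original post, that checks both before certbot is involved. DOMAIN and WEBROOT are the post's values; the fetch-command argument of preflight_acme_path and the local_fetch helper are my additions so the round-trip logic can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight the http-01 challenge
# path before running certbot. Assumes the post's DOMAIN and WEBROOT.
set -eu

DOMAIN="${DOMAIN:-shame.donhk.dev}"
WEBROOT="${WEBROOT:-/internet/domains/$DOMAIN}"

# IPv4 addresses the local resolver returns for a name, one per line.
# Let's Encrypt resolves from its own vantage point, so an /etc/hosts entry
# does not count; this only confirms the A record has propagated to us.
resolved_ipv4() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Fetch a URL over plain HTTP and print the body: what the ACME validator does,
# except that it connects from outside your network.
curl_fetch() {
  curl -fsS --max-time 10 "$1"
}

# Write a throwaway token where certbot's webroot plugin will write its own,
# fetch it back through the web server, then delete it. Succeeds only if the
# body that came back is exactly the token. The fetch command is a parameter
# (default: curl_fetch) and receives the URL plus the token's local path.
preflight_acme_path() {
  domain="$1"; webroot="$2"; fetch="${3:-curl_fetch}"
  dir="${webroot}/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir"
  printf '%s' "$token" > "${dir}/${token}"
  chmod 644 "${dir}/${token}"   # the nginx worker is not root; it must be able to read it
  got="$("$fetch" "http://${domain}/.well-known/acme-challenge/${token}" "${dir}/${token}" 2>/dev/null || true)"
  rm -f "${dir}/${token}"
  [ "$got" = "$token" ]
}

# Fetcher that skips HTTP and reads the token file directly. It exercises the
# write/compare/cleanup logic, not the server; use curl_fetch for the real check.
local_fetch() {
  cat "$2"
}

if [ "${1:-}" = "--run" ]; then
  echo "A record(s) for ${DOMAIN} as seen from here:"
  resolved_ipv4 "$DOMAIN"
  if preflight_acme_path "$DOMAIN" "$WEBROOT"; then
    echo "http-01 path is reachable, safe to run certbot --dry-run"
  else
    echo "http-01 path NOT reachable: check the nginx root, port 80 and the firewall" >&2
    exit 1
  fi
fi
```

Run it as `sh preflight.sh --run` on the server. A 200 on the site root with a failure here usually means a rewrite rule or a denied dot-directory is hiding /.well-known/, which is exactly the case the dry run would otherwise surface later.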

Installation

As root, execute the lines below; if you have already installed it this way before, only the last three lines are needed. Note that this builds certbot from the tip of the git master branch rather than from a released version; if you want a reproducible, reviewed build, check out a release tag after cloning (git tag lists them, git checkout <tag> selects one) before creating the virtualenv.

yum install -y python3-devel gcc augeas-libs openssl-devel libffi-devel redhat-rpm-config ca-certificates openssl
cd ~
git clone https://github.com/certbot/certbot
cd certbot
python tools/venv3.py
source venv3/bin/activate

Running certbot (dry run)

It is important to run a test before the real request. With --dry-run certbot talks to the Let's Encrypt staging environment and does not save a certificate, so a wrong webroot, a closed port 80 or a DNS record that has not propagated fails there instead of counting against the production rate limits.

certbot certonly --webroot --webroot-path=/internet/domains/shame.donhk.dev  -d shame.donhk.dev --dry-run

Expected output

(venv3) [root@madaravm certbot]# certbot certonly --webroot --webroot-path=/internet/domains/shame.donhk.dev  -d shame.donhk.dev --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for shame.donhk.dev
Using the webroot path /internet/domains/shame.donhk.dev for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

Running certbot (production)

certbot certonly --webroot --webroot-path=/internet/domains/shame.donhk.dev -d shame.donhk.dev

Expected output

(venv3) [root@madaravm certbot]# certbot certonly --webroot --webroot-path=/internet/domains/shame.donhk.dev  -d shame.donhk.dev
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for shame.donhk.dev
Using the webroot path /internet/domains/shame.donhk.dev for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:

All set. Now update the web server configuration to use the new certificate chain and private key, test the config and reload nginx. Let's Encrypt certificates are valid for 90 days, so also schedule certbot renew to run regularly (it only renews certificates that are close to expiry) and have it reload nginx afterwards, otherwise the site keeps serving the old certificate until it expires.
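The final step, switching nginx to the issued certificate and keeping it renewed, as an added example that is not part of the original post. DOMAIN and WEBROOT are the post's values. CERTBOT_BIN assumes the virtualenv from the Installation section was built under /root/certbot, LIVE_DIR assumes certbot's default config directory, and the output file under /etc/nginx/conf.d/ is assumed to replace the port-80 block created during project setup; adjust any of these to your layout. The TLS settings and the HSTS header are my choices, not something the post prescribes.

```shell
#!/bin/sh
# Added example (not from the original post): point nginx at the new cert and
# set up renewal. Paths marked "assumed" are not from the post.
set -eu

DOMAIN="${DOMAIN:-shame.donhk.dev}"
WEBROOT="${WEBROOT:-/internet/domains/$DOMAIN}"
CERTBOT_BIN="${CERTBOT_BIN:-/root/certbot/venv3/bin/certbot}"   # assumed venv location
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"           # assumed: certbot default config dir

# nginx config for the subdomain. Port 80 keeps serving the ACME challenge
# directory from the webroot, because renewals use the same http-01 flow, and
# redirects everything else to HTTPS. Port 443 uses fullchain.pem (leaf plus
# intermediate, which clients need to build the chain) and privkey.pem.
nginx_tls_block() {
  domain="$1"; webroot="$2"; live="$3"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};

    location ^~ /.well-known/acme-challenge/ {
        root ${webroot};
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name ${domain};
    root ${webroot};

    ssl_certificate ${live}/fullchain.pem;
    ssl_certificate_key ${live}/privkey.pem;
    # TLS 1.3 only takes effect if the OpenSSL nginx links against supports it;
    # CentOS 7's OpenSSL 1.0.2 negotiates TLS 1.2 at most.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    # Start HSTS with a short max-age; raise it once HTTPS is known to be stable.
    add_header Strict-Transport-Security "max-age=300" always;
}
EOF
}

# /etc/cron.d entry (this format needs the user field). "certbot renew" is a
# no-op while the certificate is more than 30 days from expiry, and
# --deploy-hook runs only when a certificate was actually replaced, so nginx
# is reloaded exactly when it needs to be.
renew_cron_line() {
  bin="$1"
  printf '%s\n' "17 3 * * * root ${bin} renew --quiet --deploy-hook 'systemctl reload nginx'"
}

# Days until the certificate in a PEM file expires; negative means expired.
cert_days_left() {
  end="$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

if [ "${1:-}" = "--run" ]; then
  nginx_tls_block "$DOMAIN" "$WEBROOT" "$LIVE_DIR" > "/etc/nginx/conf.d/${DOMAIN}.conf"   # assumed path
  nginx -t && systemctl reload nginx
  renew_cron_line "$CERTBOT_BIN" > /etc/cron.d/certbot-renew
  "$CERTBOT_BIN" renew --dry-run     # exercises the renewal path against staging
  echo "$(cert_days_left "$LIVE_DIR/cert.pem") days left on the certificate for ${DOMAIN}"
fi
```

Because the virtualenv's certbot is not on cron's PATH, the cron line uses the full path to the binary; if you later install certbot from a package instead, change CERTBOT_BIN and rewrite the cron file. The renew --dry-run at the end is worth keeping: it is the only way to find out before day 60 that the challenge path stopped working after some nginx change.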