Install Let's Encrypt on Linux with Apache

Install Let's Encrypt Certbot on CentOS Linux with Apache.

Let’s Encrypt is a certification authority that offers free X.509 certificates for Transport Layer Security (TLS). This tutorial explains how to obtain a Let’s Encrypt certificate through the ACME process with certbot and how to install it on a CentOS Linux host running the Apache web server.

This tutorial assumes that the Apache web server is already installed, that the domain is configured as an Apache VirtualHost, and that the domain is resolvable in DNS, with an A record in the forward zone of that domain or, for IPv6, an AAAA (quad-A) record for the server. Furthermore, the server must be reachable on port 80 for the ACME challenge.

Become root for the installation.

$ su -
Password:
Last login: Tue Jan 15 06:25:52 CET 2019 on pts/0

Install the EPEL repository followed by the certbot package.

$ yum -y install epel-release
$ yum -y install mod_ssl python-certbot-apache

Now restart the Apache web server.

$ systemctl restart httpd

Open the firewall for HTTPS on service port 443.

$ firewall-cmd --add-service=https
$ firewall-cmd --runtime-to-permanent

Now let the certbot generate the SSL certificate.

$ certbot --apache -d mydomain.com -d www.mydomain.com

The first domain should be the base domain. In this example it is called mydomain.com; replace it with the actual domain name.

The output of the certbot looks something like this.

certbot --apache -d mydomain.com -d www.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Created to SSL vhost at /etc/httpd/conf.d/mydomain-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/mydomain-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number[1-2] then [enter](press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/mydomain.conf to ssl vhost in /etc/httpd/conf.d/mydomain-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mydomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2019-04-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Finally, test the installed Let's Encrypt certificate. Without the -k option, curl verifies the certificate chain and reports an error if it is not valid.

$ curl https://mydomain.com

Open the URL in a browser and check the configuration with SSL Labs.

https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
The installed Let's Encrypt certificate is valid for 90 days. For automatic renewal of the certificate, we create a new cron job.

$ crontab -e
 
0 0 * * 0 /usr/bin/certbot renew >> /var/log/certbot.log

The certificate is checked once a week at midnight for renewal.
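
A check to run alongside the weekly cron job, as an added example that is not part of the original tutorial: it reports how many days each certificate under /etc/letsencrypt/live has left, so a renewal that keeps failing is noticed before the 90 days run out. GNU date and the 20-day threshold are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Whole days between a reference time (epoch seconds, $2) and a notAfter
# string ($1) as printed by "openssl x509 -enddate". Assumes GNU date.
days_left() {
    end_epoch=$(date -u -d "$1" +%s) || return 2
    echo $(( (end_epoch - $2) / 86400 ))
}

# Report every certificate below a certbot "live" directory ($1) and return 1
# if any has fewer than $2 days left. The default of 20 days is an assumption:
# certbot renew acts at 30 days, so a weekly job should have renewed by then.
check_live_certs() {
    live_dir=${1:-/etc/letsencrypt/live} min_days=${2:-20} rc=0
    for pem in "$live_dir"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        not_after=$(openssl x509 -enddate -noout -in "$pem" | cut -d= -f2)
        left=$(days_left "$not_after" "$(date +%s)") || {
            echo "ERR  $pem: cannot read expiry date"; rc=1; continue
        }
        if [ "$left" -lt "$min_days" ]; then
            echo "WARN $pem expires in $left days"; rc=1
        else
            echo "OK   $pem expires in $left days"
        fi
    done
    return $rc
}

# Constructed sample: a certificate expiring 2019-04-14, checked on 2019-01-15.
echo "sample: $(days_left 'Apr 14 00:00:00 2019 GMT' 1547510400) days left"

# On a host with certbot certificates, check the real ones as well.
if [ -d /etc/letsencrypt/live ]; then
    check_live_certs
fi
```

Reading the live directory requires root, so run the script from root's crontab like the renewal job.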

Let's Encrypt Shell Access

We recommend that most people with shell access use the Certbot ACME client. It can automate certificate issuance and installation with no downtime. It also has expert modes for people who don’t want autoconfiguration. It’s easy to use, works on many operating systems, and has great documentation. Visit the Certbot site to get customized instructions for your operating system and web server.

If Certbot does not meet your needs, or you’d like to try something else, there are many more ACME clients to choose from. Once you’ve chosen ACME client software, see the documentation for that client to proceed.

netstat: command not found, net-tools missing

The error “-bash: netstat: command not found” occurs after trying to execute the “netstat” command in bash on Debian and Ubuntu Linux, because this command is no longer included by default. In this tutorial you will learn how to install the net-tools package on a Debian-based Linux, which includes, among other things, the netstat command.

netstat error message in bash

When running the netstat command, the following error message occurs:

-bash: netstat: command not found

This simply means that the corresponding net-tools package, which contains the netstat executable, is not installed and is therefore missing. The net-tools package may not be installed on the system by default, so it must be installed manually.

Install the net-tools package

To make netstat available on the system, simply install the net-tools package with the following command:

$ sudo apt update
$ sudo apt install net-tools -y

The net-tools package also includes additional utilities such as arp, ifconfig, netstat, rarp, and route.

Detect package net-tools and netstat

Check whether the net-tools package is installed by querying its package name.

$ apt list net-tools
Listing... Done
net-tools/oldstable,now 1.60+git20181103.0eebece-1 amd64 [installed]

net-tools is a collection of basic network programs. If the net-tools package is installed, the netstat commands are available on the host.

$ apt show net-tools

Examples with netstat

With net-tools installed on the system, we can now use some of the following netstat commands.

First, let’s look at the processes waiting for connections. To do this we enter the following netstat command.

$ sudo netstat -tulpen

Now let’s take a look at all the current network connections. To do this, we enter the following netstat command, which is similar to the previous one, except that we use -a to show all sockets and not -l to show only the listening sockets.

$ sudo netstat -atupen

If you only want to see the ESTABLISHED connections, pipe the output of netstat to grep.

$ sudo netstat -atupen | grep ESTABLISHED

ss command replaces the deprecated netstat command

The net-tools package restores the obsolete Linux network commands. The following table shows the obsolete commands, including “netstat”, and their replacements, including “ss”:

| Outdated commands | New commands |
|---|---|
| arp | ip n (ip neighbor) |
| ifconfig | ip a (ip addr), ip link |
| iptunnel | ip tunnel |
| iwconfig | iw |
| nameif | ip link |
| netstat | ss -t (for netstat -t), ss -u (for netstat -u), ip route (for netstat -r), ip -s link (for netstat -i), ip maddr (for netstat -g) |
| route | ip r (ip route) |

ss is the new utility for inspecting sockets. It dumps socket statistics and shows information similar to netstat.

Example of using ss instead of netstat (net-tools):

$ ss -atulpen4
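
An added example (not from the original tutorial) that filters ss -tulpen output down to the listeners bound to a wildcard address, which accept connections on every interface. The sample output is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of "ss -tulpen" output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*   users:(("systemd-resolve",pid=612,fd=12)) uid:101 ino:21034 sk:1 <->
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*   users:(("avahi-daemon",pid=640,fd=12)) uid:108 ino:21990 sk:2 <->
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=801,fd=3)) ino:23456 sk:3 <->
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*   users:(("mysqld",pid=950,fd=21)) uid:27 ino:25001 sk:4 <->
tcp   LISTEN 0      511    *:443              *:*         users:(("httpd",pid=1203,fd=6)) ino:30011 sk:5 v6only:0 <->
tcp   LISTEN 0      128    [::]:22            [::]:*      users:(("sshd",pid=801,fd=4)) ino:23458 sk:6 v6only:1 <->
EOF
}

# Print "proto/port process" once for every socket listening on a wildcard
# address (0.0.0.0, * or [::]); loopback and interface-bound sockets are skipped.
exposed_listeners() {
    awk '
    $2 != "LISTEN" && $2 != "UNCONN" { next }   # also drops the header line
    {
        port = $5; sub(/.*:/, "", port)         # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)     # text before the last colon
        if (addr != "0.0.0.0" && addr != "*" && addr != "[::]") next
        proc = "-"                              # ss shows no process without root
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        key = $1 "/" port " " proc
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# On a real host: sudo ss -tulpen | exposed_listeners
sample_ss_output | exposed_listeners
```

Comparing this list with the services the host is meant to offer shows which daemons should be rebound to 127.0.0.1 or stopped.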

Conclusion

In this tutorial, we have seen how to install the missing netstat command on a Debian-based Linux or Ubuntu using the net-tools package. We also learned some basic ways to use the netstat command to get started using it. Attention is also drawn to the ss command, which replaces netstat but has a different syntax.