SSL on Apache and Slackware Linux

My domain is: hytron.net

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4.56

The operating system my web server runs on is (include version): Linux Slackware 15.0 Kernel version 5.10.166 x86_64

My hosting provider, if applicable, is: NONE

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello,

I have been trying to read documents for 5 days and trying to figure out what to do but no luck!!

I have Linux Slackware 64-bit version 15.0 running kernel 5.10.166.
Apache installed is the latest version 2.4.56.

None of the configuration scenarios apply to me and it really confuses me what exactly I need to do to get the SSL certificate and to automate the process.
From what I understand I need to install the certbot software... I managed to download the entire certbot-2.4.0.tar.gz from GitHub and unpacked it, but there are so many directories and sub-directories. Which one contains the actual "certbot" Linux executable?
Looks like the program is written in the Python language?

If someone could help me get a certificate (manually), the next step would be to worry about automation with Apache.

I have full access to the web server, shell account, DNS for my domain and anything related to my domain. Also to mention I am running ISC BIND version 9.18.12.

Thank you!!!

Darko

1 Like

Hello @hnetbgd, welcome to the Let's Encrypt community. :slightly_smiling_face:

Does that support snap or snapd? If so, see Certbot Instructions | Certbot;
else try the pip flavor: Certbot Instructions | Certbot

1 Like

There are other ACME clients. For example, acme.sh is fairly popular and is just a script.

Usually people follow the instructions at certbot.eff.org for installing Certbot.

3 Likes

Hello!

Thank you for the quick reply! Slackware Linux is all text-based (no X Window installed) and I am very familiar with it, but I have never heard about snapd or pip.

I have the certbot version 2.4 folder downloaded from GitHub. I am not sure which file to execute. I am concentrating on getting through the first step, and I think that is obtaining a certificate manually:

certbot certonly -d hytron.net -d www.hytron.net

But I'm not sure which folder contains the executable 'certbot'.

Thanks!
Darko

1 Like

Then Certbot doesn't sound like a good fit. Some distros have older Certbot versions in their package manager, so you could check that.

I don't know Slackware at all, so I'm not sure. And searching both here and the Certbot GitHub didn't have many mentions of it. Given your situation, I'd suggest looking at a bash-based client from my earlier link rather than Certbot, which is Python and a lot of dependencies.

3 Likes

Hi @hnetbgd,

Certbot is not intended to be run directly from a GitHub download.

There is documentation aimed at would-be Certbot developers

https://eff-certbot.readthedocs.io/en/stable/contributing.html#running-a-local-copy-of-the-client

explaining how to run a development version. However, this isn't recommended.

The pip method that @Bruce5051 mentioned is the recommended way to install Certbot on a Unix-like OS that doesn't have either snap or an official package from the OS developer. If you're not comfortable with pip, then I further agree with @MikeMcQ that you would probably be happier with a different client application.

4 Likes

I am currently looking into the getssl shell script and uacme, the C version. I didn't realize that all of these programs are made to request certificates (Mike posted this site - Thank you!!):

I have been reading about certbot and kept myself in that loop!

Hopefully I can set everything up tonight so I can at least get one certificate. Then I will look into getting a wildcard cert for my domain. Considering I am running ISC BIND, I think it should be easier to implement?

1 Like

You will need to have your DNS pointing to public IPs for automating or even manually getting a cert with the HTTP Challenge (Apache). Right now you have two private IPs (see link here).

Even without any public IPs in your DNS you can still get certs (such as for use in a private network). But you must use the DNS Challenge. A DNS Challenge can get a wildcard or non-wildcard cert.

There is a good method for using your own BIND DNS, but others are better equipped to explain that should you need help.

3 Likes

Yes, I need those two private IPs because of my internal domain controllers. Microsoft does not like it when the actual domain does not point to the IPs of the DC. Even though there are so many SRV records present for Kerberos and LDAP, it is still needed. What I need to do is create another VM that will be a public-only DNS.

But finally after days of frustration I managed to install two certificates from letsencrypt using getssl bash shell script. The script is very simple and very easy to use.

What kept me in the loop was reading instructions on certbot, and my understanding was that certbot was the ONLY way to get a certificate issued by letsencrypt. After you pointed out that page I realized there are so many different scripts/programs that can accomplish the same task!

I appreciate all the input from everyone who contributed to my post and helped me resolve this issue!!!

1 Like

Have you heard of Split-DNS?

3 Likes

Whoops! Is there any recent web page that you've seen that specifically gives this misleading impression?

I know we often talk about Certbot as the normal and "recommended" way to do it, and I can see how that might also give people the impression that there aren't other options.

You might also want to look into the DNS-01 challenge method.

If you have an authoritative DNS server that has an API that lets you create and modify DNS entries from software (or you can make a CNAME record that points a specific DNS entry to an entry hosted on a server that can do this), then you can get Let's Encrypt certificates without ever needing any public IP address for your server(s) at all.

This is probably true for a minority of users (without making changes to their DNS hosting setup), but if it applies to you, it might be relevant.

3 Likes

Schoen,

I think the biggest problem was that "certbot" was advertised on several pages, so I thought that it was the only and the best way, and other clients such as pip or Docker (those were mentioned) were for those "hard to get" implementations. Slackware Linux (I know many people don't know about it) is the oldest Linux distribution around and I have been using it since 1996 - pretty much the beginning of time! It is the most pure Unix-based distribution. Of course there were no instructions on how to install certbot on it. I am used to tar Jxvf file.tar.xz, ./configure --options... make... make install... basically compiling programs mostly in C and C++, but even though the instructions for certbot were trying to help, I found them complicated and complex.

As I mentioned, I used "getssl" and I found it very simple and easy to configure. Somehow I missed the part about other options until Mike pointed out that there are other available clients, and sure enough on that page there were so many different ones written in different programming languages. Considering I am familiar with bash and C, C++, I picked the bash one as the simplest solution. We will see in 56 days if my certificates will renew without my interaction :slight_smile:

Then when I went to GitHub and downloaded the entire certbot, there were so many files and I wasn't sure which one to use for my environment. I could not find any instructions. My current environment has only Python 2.7, but I think certbot required 3.x if I saw that correctly?

I am in the process of making another VM that will be my public DNS only - probably time to separate those local lookups from the ones available to the public. ISC BIND DNS handles dynamic updates, so I think it should be OK when I am ready to request a wildcard certificate. I think it just makes it easier.

1 Like

Yes, and I think ISC BIND supports it. I just have never used it or configured it. But that is another option to consider! Thank you for mentioning it!

2 Likes

Thanks for the explanation!

To be clear, pip and Docker are not alternative ACME clients, but in this context are alternative ways to install Certbot.

Yes, Slackware was the first distribution I used, first installing it around 1993. Somewhere I should still have a t-shirt autographed by Patrick Volkerding.

Yes. You could say that, in contrast to Slackware, Certbot has been following certain fashions in the Unix (and Python) world which make life much easier for developers, sometimes at the expense of backwards compatibility.

Maybe it would be helpful if the README file in the source distribution specifically said right at the top that there is not a supported way to install Certbot directly using the source distribution, and referred people back to https://certbot.eff.org/? Do you remember if you looked at the README file there?

3 Likes

I was confused about Docker and pip. Maybe I have not heard about them because I don't deal with Ubuntu or other "most wanted" distributions of Linux.

Oh you are so lucky you got his autograph! Hehe

I have to admit that I have zero experience with Python, nor have I worked on any code that involves Python. Most of the programs I dealt with were written in C / C++ / Bash / TCL.

I think I read the first README file that was available and that was unclear too.

I have to say, I am impressed by the getssl script. I managed to get a wildcard certificate by injecting acme records in the DNS, but because I decided to use Split-DNS (as someone above mentioned), I had to modify the script a bit to accept my scenario. Different views respond differently depending on what source and destination IP is used to contact the DNS server.

Does Certbot have the ability to obtain a wildcard certificate as well? I have to use the nsupdate dynamic update protocol since I have a BIND DNS server.

Thanks!

1 Like

Would this work?
https://certbot-dns-rfc2136.readthedocs.io/en/stable/#welcome-to-certbot-dns-rfc2136-s-documentation

3 Likes
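The DNS-01 mechanics behind the wildcard question above (and the DNS-01 explanation earlier in the thread), as an added example that is not code from getssl, Certbot, the certbot-dns-rfc2136 plugin or any poster: it derives the `_acme-challenge` TXT value from the account key thumbprint and the challenge token (RFC 8555 section 8.4, RFC 7638) and emits the RFC 2136 batch that `nsupdate` would send to BIND. The account key, token, server address and zone handling are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed sample account key and challenge token: placeholders for the
# values an ACME client holds after creating an account and a new order.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "acct-1",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
SAMPLE_TOKEN = "constructed-token-from-the-dns-01-challenge-object"


def b64url(data: bytes) -> str:
    # JOSE/ACME base64url: URL-safe alphabet with the "=" padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, in lexicographic
    # order, no whitespace. Extra members such as "kid" must not change it.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    canon = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                       sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.4: the TXT record carries
    # base64url(SHA-256(token "." thumbprint)), not the raw key authorization.
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    # "*.example.net" and "example.net" are both validated at the same name,
    # so an order covering both needs two TXT records there side by side.
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def nsupdate_batch(identifier: str, txt_value: str, zone: str,
                   server: str, remove: bool = False, ttl: int = 60) -> str:
    # Input for `nsupdate -k <tsig-keyfile>` (RFC 2136) against the BIND
    # server/view the CA's validators reach. Cleanup deletes only this RR,
    # so the sibling record of a wildcard+base order is left untouched.
    name = challenge_name(identifier)
    if remove:
        rr = f'update delete {name} TXT "{txt_value}"'
    else:
        rr = f'update add {name} {ttl} IN TXT "{txt_value}"'
    return "\n".join([f"server {server}", f"zone {zone}.", rr, "send"]) + "\n"
```

With split-DNS views, the update has to land in the view that answers the public Internet, and checking it with `dig` from an outside resolver before finalizing the order is the cheap way to catch a record that only the internal view can see.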

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.