ACME Instructions

ACME Instructions

The following instructions apply to pre-validated institutions/organizations which are already members of HARICA’s Public Key Infrastructure.

In order to use HARICA’s Automatic Certificate Management Environment (ACME), first, you need to install Certbot ACME client on your web server. The following have been tested on Ubuntu 20.04 running Apache.

1.

SSH into the server running your HTTP website as a user with sudo privileges.

2.

You'll need to install snapd and make sure you follow any instructions to enable classic snap support.
Follow these instructions on snapcraft's site to install snapd.

3.

Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.

$ sudo snap install core; sudo snap refresh core

4.

If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but common examples are sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot.

5.

Run this command on the command line on the machine to install Certbot.

$ sudo snap install --classic certbot

6.

Execute the following instructions on the command line on the machine to ensure that the certbot command can be run.

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

7.

Choose how you'd like to run Certbot

  1. If your web server is not currently running, run this command to get a certificate. Certbot will temporarily spin up a webserver on your machine.

    $ sudo certbot certonly --standalone --server
    https://acme.harica.gr/yourAlias/directory

  2. If you have a web server that's already using port 80 and don't want to stop it while Certbot runs, run this command and follow the instructions in the terminal.

    $ sudo certbot certonly –webroot -w /var/www/html --server
    https://acme.harica.gr/yourAlias/directory

Important Note: To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to change the configuration to ensure that files inside /.well-known/acmechallenge are served by the webserver.

  1. To use RSA, you must include the --key-type rsa argument, as shown below:

    $ sudo certbot certonly --key-type rsa --standalone --server https://acme.harica.gr/yourAlias/directory

  2. To use the http-01 challenge, add --preferred-challenges=http-01, as shown below:

    $ sudo certbot certonly --standalone --preferred-challenges=http-01 --server https://acme.harica.gr/yourAlias/directory

  3. To use the dns-01 challenge, run the command with the --manual option instead of webroot or standalone, and use --preferred-challenges=dns-01:

    $ sudo certbot certonly --manual --preferred-challenges=dns-01 --server https://acme.harica.gr/yourAlias/directory

This will display the following prompt:

What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select 2 to renew the existing certificate. You will then see:

Renewing an existing certificate for example.com
Please deploy a DNS TXT record under the name:
_acme-challenge.example.com.
with the following value:
hXUWKEfBGVZ56fR6Ug6xSr5Zea-BWVOqgi1mcnZAKtg

Before proceeding, you need to deploy a DNS TXT record with the details provided. For example, for example.com, you will create the following DNS record:
_acme-challenge.example.com. 300 IN TXT "hXUWKEfBGVZ56fR6Ug6xSr5Zea-BWVOqgi1mcnZAKtg"

Where 300 represents the TTL. The exact value for the TXT record will be different each time, as provided by Certbot.
To verify the TXT record has been deployed, use online tools like the Google Admin Toolbox. Look for bolded lines under the ;ANSWER section, which should match the value you just added.
Once you've added the TXT record and verified it, press Enter to continue, and Certbot will issue the certificate.

8.

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You won’t need to run Certbot again unless you change your configuration. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run --server https://acme.harica.gr/yourAlias/directory

The command to renew certbot is installed in one of the following locations:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers

If you needed to stop your webserver to run Certbot, you'll want to add hook scripts to stop and start your webserver automatically. For example, if your webserver is HAProxy, run the following commands:

$ sudo sh -c 'printf "#!/bin/sh\nservice haproxy stop\n" > /etc/letsencrypt/renewalhooks/pre/haproxy.sh'
$ sudo sh -c 'printf "#!/bin/sh\nservice haproxy start\n" > /etc/letsencrypt/renewalhooks/post/haproxy.sh'
$ sudo chmod 755 /etc/letsencrypt/renewal-hooks/pre/haproxy.sh
$ sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/haproxy.sh

More information is available in the Certbot documentation on renewing certificates.

9.

To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.