Secure Connection via HTTPS

In this recipe, we will generate a Let's Encrypt certificate using Certbot. This certificate will then be deployed for use in the DeviceOn/ePaper server.

Please note: For production environments, it is strongly recommended to obtain an SSL/TLS certificate from a trusted and reputable Certificate Authority (CA) based on your organization's security and compliance requirements. Each CA provides its own procedures for certificate issuance, validation, and renewal, which should be followed accordingly.

In this guide, we use Let’s Encrypt, a free and automated open-source CA, as an example to illustrate the certificate generation and deployment process. While Let’s Encrypt is suitable for development or internal use, organizations requiring extended validation, wildcard domains, or long-term support should consider using a commercial CA.

Requirements:

  1. Port 443 (HTTPS) must be open and available when Certbot is executed.

  2. Certbot needs root access while executing because only root is allowed to bind to ports below 1024.

  3. An HTTPS certificate must be bound to a valid domain name. Please choose an appropriate top-level domain (TLD) and register it through a domain registrar of your choice.

Using an Azure VM? Follow these steps to register a domain name
  1. Navigate to Virtual Machines and select your VM.

  2. In the Overview tab, find:

  • Public IP address: Click it to open the Public IP resource.

  • In the Public IP address blade, you’ll see a field named DNS name or DNS name label.

  • If it’s empty, click Configuration in the left menu of the Public IP, and set a DNS name label (e.g., advantech).

  3. Save changes. You will now have a DNS name like:

advantech.southeastasia.cloudapp.azure.com

Step 1. Access the Certbot website and select the options below.

My HTTP website is running Other on Linux (snap).

Step 2. SSH into the server and install snapd with sudo privileges

Either log out and back in again, or restart your system, to ensure snap’s paths are updated correctly.

Step 3. Remove certbot-auto and any Certbot OS packages (Optional)

If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but common examples are sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot.

Step 4. Install Certbot

Step 6. Run the following command and follow the instructions to set up Certbot

Enter the email address and accept the Terms of Service

Enter the domain name(s) you would like on your certificate. For example, advantech.southeastasia.cloudapp.azure.com

Enter the webroot of the DeviceOn/ePaper service. Here it is /opt/advantech/epd/lib/portal.war

The certificate is created and saved at the following path.

Step 7. Copy the certificate files to the /opt/advantech/epd/etc/ssl directory and change the file permissions accordingly.

Step 8. Restart DeviceOn/ePaper service

Step 9. Confirm that Certbot worked

To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
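
The browser lock icon does not show whether the private key copied in Step 7 is readable by other accounts on the server. The following script is an added example, not part of the original guide or vendor code: it audits a certificate directory such as /opt/advantech/epd/etc/ssl, assuming GNU stat and that the key keeps Certbot's privkey*.pem file name (both assumptions; `audit_ssl_dir` is a hypothetical helper name).

```bash
#!/bin/sh
# Added example, not vendor code. Assumes GNU stat (Linux) and that the
# private key keeps Certbot's file name pattern privkey*.pem (assumption).

# audit_ssl_dir DIR
# Prints one line per finding. Returns 0 if clean, 1 if a permission is too
# loose, 2 if DIR is missing or holds no private key.
audit_ssl_dir() {
    dir=$1; found=0; bad=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }

    # A group- or world-writable directory lets another account swap the key.
    dmode=$(stat -L -c '%a' "$dir") || return 2
    case "$dmode" in
        *[2367]?|*[2367]) echo "$dir mode $dmode: writable beyond owner"; bad=1 ;;
    esac

    for f in "$dir"/privkey*.pem; do
        [ -f "$f" ] || continue          # glob matched nothing
        found=1
        fmode=$(stat -L -c '%a' "$f") || return 2
        # Group and other digits must both be 0 (e.g. 600 or 400).
        case "$fmode" in
            *00|0) ;;
            *) echo "$f mode $fmode: accessible beyond owner"; bad=1 ;;
        esac
    done

    [ "$found" -eq 1 ] || { echo "no privkey*.pem in $dir" >&2; return 2; }
    return "$bad"
}

# Demo on a constructed directory (placeholder contents, not real keys).
demo=$(mktemp -d)
echo "constructed placeholder" > "$demo/privkey.pem"
chmod 644 "$demo/privkey.pem"
audit_ssl_dir "$demo" || echo "audit status: $?"
chmod 600 "$demo/privkey.pem"
audit_ssl_dir "$demo" && echo "audit status: 0"
rm -rf "$demo"
```

Run it as a user who can read the directory, passing the directory from Step 7 as the argument; a non-zero status means the permissions need tightening before the service is restarted.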

Step 10. Set up a cron job to automatically renew the certificate (Optional)

Use with caution: This step will add a cron job that automatically restarts the DeviceOn/ePaper service every month by executing the specified script. For testing purposes or in the event of an urgent certificate renewal, it is recommended to manually run the renew_cert.sh script.

Create a file named renew_cert.sh and save it in a specific directory, for example /user/local/EPD.

Make this file executable.

Execute the following command.
