
These pages are our internal lab logs.

This is a running log of what went off the rails during the upgrade.

Setting up Let's Encrypt on a VM running openSUSE 15.3

March 2022 - (times of Corona and war) - Apparently there are several ways to set up the Let's Encrypt certificates semi-automatically in the Apache2 vhost configs on a web server with several different domains (vhosts), and then also to prepare the monthly update / refresh with this certbot script.
The Let's Encrypt certificates are always issued with a validity period of only 3 months. Our so-called "cron jobs" - time-controlled automatic renewal functions - however, only work weekly or monthly or yearly. Even with quarterly scheduling, certificate expiry gaps of several weeks could occur.

The title reads (explicitly for SUSE 15.1-15.3, by the way):
"Automatically configure HTTPS using Let's Encrypt"

The objective of Certbot, Let's Encrypt, and the ACME (Automated Certificate Management Environment) protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

This agent is used to:

  1. Automatically prove to the Let's Encrypt CA that you control the website
  2. Obtain a browser-trusted certificate and set it up on your web server
  3. Keep track of when your certificate is going to expire, and renew it
  4. Help you revoke the certificate if that ever becomes necessary.


Missing modules and small errors in a server configuration always show up late.

The Let's Encrypt "makers" have also released another module under its own name. It is called "snap" or "snapd". On openSUSE, snap needs or rather requires "apparmor". So we test:

  • zypper in -t pattern apparmor


If apparmor is already there, that is shown and nothing is done. If it is still missing, it is installed and all is well.

What are so-called "snaps"?
Enable "snaps" on openSUSE and install "certbot"

This text is dated 16 March 2022 (last updated) - What are "snaps"? Snaps are applications packaged with all their dependencies to run on all popular Linux distributions from a single build. They update automatically and roll back gracefully. Snaps are discoverable and installable from the Snap Store, an app store with an audience of millions. (in other words, a competitor to the app stores of Microsoft, Apple and Google with all their restrictions.)

Enable the "snapd" service

You first need to add the snappy repository from the terminal. Leap 15.3 users, for example, can do this with the following command:

  • zypper addrepo --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.3 snappy (see again further below - everything has to go on one line !!!!)

and this is what you see on the terminal:
============================================================
[ftp.net- root] / $ zypper addrepo --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.3 snappy-15.3 (really important - this too all has to go on one line !!!!)

Adding repository 'snappy' ............................................[done]
Repository 'snappy' successfully added

URI         : https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.3
Enabled     : Yes
GPG Check   : Yes
Autorefresh : Yes
Priority    : 99 (default priority)

Repository priorities are without effect. All enabled repositories share the same priority.
[ftp.net- root]

That worked right away - and on the 2nd server as well !!

[ns2.femuwi.de-root] /etc/zypp/repos.d $ dir
-rw-r--r-- 1 root root 254 Nov  8 17:18 repo-backports-debug-update.repo.rpmnew
-rw-r--r-- 1 root root 192 Feb 22 04:01 repo-backports-update.repo
-rw-r--r-- 1 root root 199 Nov  8 17:18 repo-backports-update.repo.rpmnew
-rw-r--r-- 1 root root 171 Feb 22 04:01 repo-non-oss.repo
-rw-r--r-- 1 root root 160 Feb 22 04:01 repo-oss.repo
-rw-r--r-- 1 root root 234 Nov  8 17:18 repo-sle-debug-update.repo.rpmnew
-rw-r--r-- 1 root root 201 Feb 22 04:01 repo-sle-update.repo
-rw-r--r-- 1 root root 208 Nov  8 17:18 repo-sle-update.repo.rpmnew
-rw-r--r-- 1 root root 176 Feb 22 04:01 repo-update-non-oss.repo
-rw-r--r-- 1 root root 159 Feb 22 04:01 repo-update.repo
-rw-r--r-- 1 root root 123 Mar 25 03:12 snappy-15.3.repo
============================================================

Import its GPG key

With the repository added, import its GPG key:

  •   zypper --gpg-auto-import-keys refresh

============================================================
[ftp.net- root] / $ zypper --gpg-auto-import-keys refresh

Repository 'openSUSE-15.3 Non-OSS' is up to date.
Repository 'openSUSE-15.3 OSS' is up to date.
Repository 'openSUSE-15.3 Updates Non-OSS' is up to date.
Repository 'openSUSE-15.3 Updates OSS' is up to date.
Repository 'Update repository of openSUSE Backports' is up to date.
Retrieving repository 'Update repository with updates from SUSE Linux Enterprise 15' metadata .............[done]
Building repository 'Update repository with updates from SUSE Linux Enterprise 15' cache ............[done]

Automatically importing the following key:
  Repository:       snappy
  Key Fingerprint:  4F2F A05B 2C65 89C3 FD12 055E F7C6 E425 ED34 0235
  Key Name:         system:snappy OBS Project <system:snappy@build.opensuse.org>
  Key Algorithm:    RSA 2048
  Key Created:      Sat Oct 31 17:59:39 2020
  Key Expires:      Mon Jan  9 17:59:39 2023
  Rpm Name:         gpg-pubkey-ed340235-5f9d97fb

Note: A GPG pubkey is clearly identified by it's fingerprint. Do not rely the keys name. If you are not sure whether the presented key is authentic, ask the repository provider or check his web site. Many provider maintain a web page showing the fingerprints of the GPG keys they are using.

Retrieving repository 'snappy' metadata .............................[done]
Building repository 'snappy' cache ............................[done]
All repositories have been refreshed.
[ftp.net- root] / $
============================================================
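
As the zypper note in the output above says, a key is identified by its fingerprint, and `--gpg-auto-import-keys` accepts whatever key the repository presents without asking. The following is an added example, not part of the original page: it checks saved `zypper refresh` output against a pinned fingerprint. `check_imported_keys`, `normalize_fpr` and `PINNED_SNAPPY` are hypothetical names, and the sample input is the key block from the output above.

```shell
#!/bin/sh
# Added example, not from the original page: audit the keys that
# "zypper --gpg-auto-import-keys refresh" accepted, using its saved output.

# Fingerprint as printed in the zypper output on this page. Treat it as a pin
# only after confirming it with the repository provider.
PINNED_SNAPPY='4F2F A05B 2C65 89C3 FD12 055E F7C6 E425 ED34 0235'

# Strip spaces, colons and line-ending debris; upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\r' | tr 'a-f' 'A-F'
}

# check_imported_keys REPO PINNED_FPR   (hypothetical helper, input on stdin)
# Prints "OK|MISMATCH|UNPINNED <repo> <fingerprint>" per auto-imported key.
# Returns 0 only if every imported key is for REPO and equals PINNED_FPR.
check_imported_keys() {
    want_repo=$1
    want_fpr=$(normalize_fpr "$2")
    rc=0
    repo=
    while IFS= read -r line; do
        case $line in
            *Repository:*)
                repo=$(printf '%s' "${line#*Repository:}" | tr -d ' \t\r') ;;
            *"Key Fingerprint:"*)
                fpr=$(normalize_fpr "${line#*Key Fingerprint:}")
                if [ "$repo" != "$want_repo" ]; then
                    echo "UNPINNED $repo $fpr"; rc=1
                elif [ "$fpr" = "$want_fpr" ]; then
                    echo "OK $repo $fpr"
                else
                    echo "MISMATCH $repo $fpr"; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Sample input: the key block from the refresh output shown above.
SAMPLE_REFRESH_OUTPUT="Automatically importing the following key:
  Repository:       snappy
  Key Fingerprint:  4F2F A05B 2C65 89C3 FD12 055E F7C6 E425 ED34 0235
  Key Name:         system:snappy OBS Project <system:snappy@build.opensuse.org>
  Key Algorithm:    RSA 2048"

printf '%s\n' "$SAMPLE_REFRESH_OUTPUT" | check_imported_keys snappy "$PINNED_SNAPPY"
```

A non-zero exit status means a key was imported for a repository other than the pinned one, or with a different fingerprint.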

Upgrade the package cache

Finally, upgrade the package cache to include the new snappy repository:

  •   zypper dup --from snappy-15.3

============================================================
[ftp.net- root] / $ zypper dup --from snappy-15.3
Loading repository data...
Reading installed packages...
Computing distribution upgrade...
Nothing to do.
[ftp.net- root] / $
============================================================
Snap can now be installed with the following:

  •   zypper install snapd

============================================================
[ftp.net- root] / $ zypper install snapd
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 9 NEW packages are going to be installed:
  gnome-desktop-lang libgnome-desktop-3-18 libgnome-desktop-3_0-common snapd squashfs xdg-desktop-portal xdg-desktop-portal-gtk xdg-desktop-portal-gtk-lang xdg-desktop-portal-lang

9 new packages to install.
Overall download size: 18.0 MiB. Already cached: 0 B. After the operation, additional 75.5 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y


Retrieving package libgnome-desktop-3-18-3.34.7-3.3.2.x86_64            (1/9), 135.7 KiB (382.9 KiB unpacked)
Retrieving: libgnome-desktop-3-18-3.34.7-3.3.2.x86_64.rpm ..............................[done]
Retrieving package squashfs-4.4-1.1.x86_64                               (2/9), 148.8 KiB (418.2 KiB unpacked)
Retrieving: squashfs-4.4-1.1.x86_64.rpm ..............................................[done (974 B/s)]
Retrieving package xdg-desktop-portal-1.8.0-5.3.2.x86_64                 (3/9), 320.9 KiB (  1.9 MiB unpacked)
Retrieving: xdg-desktop-portal-1.8.0-5.3.2.x86_64.rpm ..................................................[done]
Retrieving package libgnome-desktop-3_0-common-3.34.7-3.3.2.x86_64      (4/9),  44.7 KiB ( 88.6 KiB unpacked)
Retrieving: libgnome-desktop-3_0-common-3.34.7-3.3.2.x86_64.rpm ..............................................[done]
Retrieving package xdg-desktop-portal-lang-1.8.0-5.3.2.noarch       (5/9),  32.8 KiB ( 70.7 KiB unpacked)
Retrieving: xdg-desktop-portal-lang-1.8.0-5.3.2.noarch.rpm ...................................[done]
Retrieving package gnome-desktop-lang-3.34.7-3.3.2.noarch      (6/9), 362.9 KiB (  1.9 MiB unpacked)
Retrieving: gnome-desktop-lang-3.34.7-3.3.2.noarch.rpm ...........................................[done]
Retrieving package snapd-2.54.4-lp152.1.1.x86_64             (7/9),  16.8 MiB ( 70.0 MiB unpacked)
Retrieving: snapd-2.54.4-lp152.1.1.x86_64.rpm ..............................................[done (4.5 MiB/s)]
Retrieving package xdg-desktop-portal-gtk-1.8.0-3.9.1.x86_64   (8/9), 166.4 KiB (750.8 KiB unpacked)
Retrieving: xdg-desktop-portal-gtk-1.8.0-3.9.1.x86_64.rpm .........................................[done]
Retrieving package xdg-desktop-portal-gtk-lang-1.8.0-3.9.1.noarch      (9/9),  35.9 KiB ( 92.4 KiB unpacked)
Retrieving: xdg-desktop-portal-gtk-lang-1.8.0-3.9.1.noarch.rpm ...............................[done]

Checking for file conflicts: ......................................................................................................[done]
(1/9) Installing: libgnome-desktop-3-18-3.34.7-3.3.2.x86_64 ..............................................[done]
(2/9) Installing: squashfs-4.4-1.1.x86_64 .........................................................................[done]
(3/9) Installing: xdg-desktop-portal-1.8.0-5.3.2.x86_64 ............................................[done]
(4/9) Installing: libgnome-desktop-3_0-common-3.34.7-3.3.2.x86_64 ..............................[done]
(5/9) Installing: xdg-desktop-portal-lang-1.8.0-5.3.2.noarch .......................................[done]
(6/9) Installing: gnome-desktop-lang-3.34.7-3.3.2.noarch .............................................[done]
Please reboot, logout/login or source /etc/profile to have /snap/bin added to PATH.
On a Tumbleweed and Leap 15.3+ systems you need to run: systemctl enable snapd.apparmor.service

(I had forgotten this !!! - it got lost in the text !!!!)


(7/9) Installing: snapd-2.54.4-lp152.1.1.x86_64 ......................................................[done]
(8/9) Installing: xdg-desktop-portal-gtk-1.8.0-3.9.1.x86_64 .......................................[done]
(9/9) Installing: xdg-desktop-portal-gtk-lang-1.8.0-3.9.1.noarch ..............................[done]

[ftp.net- root] / $
============================================================
this is what I then did run after all when checking on the 2nd server:

  • [ns2.femuwi.de-root]  $ systemctl enable snapd.apparmor.service

Created symlink /etc/systemd/system/multi-user.target.wants/snapd.apparmor.service → /usr/lib/systemd/system/snapd.apparmor.service.

And finally, enable the "snapd" system service

You then need to either reboot (I did a "reboot" - better safe than sorry), logout/login or source /etc/profile to have /snap/bin added to PATH. Additionally, enable and start both the snapd and the snapd.apparmor services with the following commands:

  • systemctl enable snapd
  • systemctl start snapd

===========================================================
[ftp.net- root] ~ $ systemctl enable snapd
[ftp.net- root] ~ $ systemctl start snapd
[ftp.net- root] ~ $ systemctl status snapd

alternatively, this is supposed to work:
[ftp.net- root] ~ $ systemctl enable --now snapd


● snapd.service - Snap Daemon
     Loaded: loaded (/usr/lib/systemd/system/snapd.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-03-22 20:24:47 CET; 1s ago
TriggeredBy: ● snapd.socket
   Main PID: 3786 (snapd)
      Tasks: 10 (limit: 1150)
     CGroup: /system.slice/snapd.service
             └─3786 /usr/lib/snapd/snapd

Mar 22 20:24:47 ftp systemd[1]: Starting Snap Daemon...
Mar 22 20:24:47 ftp snapd[3786]: AppArmor status: apparmor is enabled but some kernel features are missing: dbus
Mar 22 20:24:47 ftp snapd[3786]: patch.go:63: Patching system state level 6 to sublevel 1...
Mar 22 20:24:47 ftp snapd[3786]: patch.go:63: Patching system state level 6 to sublevel 2...
Mar 22 20:24:47 ftp snapd[3786]: patch.go:63: Patching system state level 6 to sublevel 3...
Mar 22 20:24:47 ftp snapd[3786]: daemon.go:246: started snapd/2.54.4-lp152.1.1 (series 16; classic; devmode) opensuse-leap/15.3 (amd64) linux/4.12.14-lp151.28.91-defau.
Mar 22 20:24:47 ftp snapd[3786]: daemon.go:339: adjusting startup timeout by 30s (pessimistic estimate of 30s plus 5s per snap)
Mar 22 20:24:47 ftp systemd[1]: Started Snap Daemon.
[ftp.net- root] ~ $
===========================================================

And this is the most important function: "Install certbot"

To install certbot, simply use the following command:

  • snap install certbot --classic

[ftp.net- root] ~ $ snap install certbot --classic
2022-03-22T20:27:14+01:00 INFO Waiting for automatic snapd restart...
and now all 4 CPUs toiled away at full power for minutes !!!!
and finally done:
certbot 1.25.0 from Certbot Project (certbot-eff*) installed
[ftp.net- root] ~ $
Here is the call on our 2nd test server:
[ns2.femuwi-root] ~ $ snap install certbot --classic
2022-03-25T03:31:05+01:00 INFO Waiting for automatic snapd restart...
certbot 1.25.0 from Certbot Project (certbot-eff*) installed
[ns2.femuwi-root] ~ $

When checking on the 2nd server it went considerably faster ???

Is this needed as well ???

  • ln -s /snap/bin/certbot /usr/bin/certbot

Check:

  1. rpm -qa apparmor\* | sort

    [ns2.femuwi-root] ~ $ rpm -qa apparmor\* | sort
    apparmor-abstractions-2.13.6-150300.3.11.2.noarch
    apparmor-docs-2.13.6-150300.3.11.2.noarch
    apparmor-parser-2.13.6-150300.3.11.2.x86_64
    apparmor-parser-lang-2.13.6-150300.3.11.2.noarch
    apparmor-profiles-2.13.6-150300.3.11.2.noarch
    apparmor-utils-2.13.6-150300.3.11.2.noarch
    apparmor-utils-lang-2.13.6-150300.3.11.2.noarch
    [ns2.femuwi-root] ~ $

  2. journalctl --no-pager -u snapd
    if the hostname is not right, the program notices !!!

  3. snap version

Up to this point it was well described, and it had worked.

What comes next ??????

Let's Encrypt - stage 2 - now from the openSUSE wiki

Things continue a bit "bumpily" here on the openSUSE page - a lot can be skipped; we do not need all the 42.3 and Tumbleweed paragraphs etc.:
https://en.opensuse.org/Let%E2%80%99s_Encrypt
Fairly far down (in the openSUSE wiki) comes the important paragraph:

Run (now the "bot" gets cranked up)

  • $ update-ca-certificates -v

here is the output on the 2nd server !!!

[ns2.femuwi-root] ~ $ update-ca-certificates -v
running /usr/lib/ca-certificates/update.d/50java.run ..
creating /var/lib/ca-certificates/java-cacerts ...
running /usr/lib/ca-certificates/update.d/70openssl.run ..
creating /var/lib/ca-certificates/openssl ...
running /usr/lib/ca-certificates/update.d/80etc_ssl.run ..
running /usr/lib/ca-certificates/update.d/99certbundle.run ..
creating /var/lib/ca-certificates/ca-bundle.pem ...
[ns2.femuwi-root] ~ $

  •   $ certbot --apache


  • Important: on the 2nd server, for example, there was a complaint:
    Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
    So this has to be checked and added first. Then run it once more.

and off it goes ...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxx@yyyy.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: archiv.femuwi.de
2: archiv1.femuwi.de
3: archiv2.femuwi.de
4: archiv3.femuwi.de
5: archiv4.femuwi.de
6: ftp.femuwi.de
7: ftp.ipw.net
8: repo.ipw.net
9: repos.ipw.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for archiv.femuwi.de and 8 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/archiv.femuwi.de/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/archiv.femuwi.de/privkey.pem
This certificate expires on 2022-06-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for archiv.femuwi.de to /etc/apache2/vhosts.d/30-archiv.femuwi.de-le-ssl.conf
Successfully deployed certificate for archiv1.femuwi.de to /etc/apache2/vhosts.d/40-archiv1.femuwi.de.conf
Successfully deployed certificate for archiv2.femuwi.de to /etc/apache2/vhosts.d/50-archiv2.femuwi.de-le-ssl.conf
Successfully deployed certificate for archiv3.femuwi.de to /etc/apache2/vhosts.d/60-archiv3.femuwi.de-le-ssl.conf
Successfully deployed certificate for archiv4.femuwi.de to /etc/apache2/vhosts.d/61-archiv4.femuwi.de-le-ssl.conf
Successfully deployed certificate for ftp.femuwi.de to /etc/apache2/vhosts.d/10-ftp.femuwi.de-le-ssl.conf
Successfully deployed certificate for ftp.ipw.net to /etc/apache2/vhosts.d/22-repos.ipw.net.80-le-ssl.conf
Successfully deployed certificate for repo.ipw.net to /etc/apache2/vhosts.d/22-repos.ipw.net.80-le-ssl.conf
Successfully deployed certificate for repos.ipw.net to /etc/apache2/vhosts.d/22-repos.ipw.net.80-le-ssl.conf

Congratulations!

You have successfully enabled HTTPS
on https://archiv.femuwi.de, https://archiv1.femuwi.de, https://archiv2.femuwi.de, https://archiv3.femuwi.de, https://archiv4.femuwi.de, https://ftp.femuwi.de, https://ftp.ipw.net, https://repo.ipw.net, and https://repos.ipw.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[ftp.net- root] /etc $

For completeness, the result on the 2nd test server:

  • $ update-ca-certificates -v

running /usr/lib/ca-certificates/update.d/50java.run ..
creating /var/lib/ca-certificates/java-cacerts ...
running /usr/lib/ca-certificates/update.d/70openssl.run ..
creating /var/lib/ca-certificates/openssl ...
running /usr/lib/ca-certificates/update.d/80etc_ssl.run ..
running /usr/lib/ca-certificates/update.d/99certbundle.run ..
creating /var/lib/ca-certificates/ca-bundle.pem ...
[ns2.femuwi-root] /etc/apache2 $

  • $ certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ns2.femuwi.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Requesting a certificate for ns2.femuwi.de

  • Successfully received certificate.


Certificate is saved at: /etc/letsencrypt/live/ns2.femuwi.de/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ns2.femuwi.de/privkey.pem

  • This certificate expires on 2022-06-23.


These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for ns2.femuwi.de to /etc/apache2/vhosts.d/10.ns2.femuwi.de.080-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://ns2.femuwi.de
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

[ns2.femuwi-root] /etc/apache2 $

Test in the browser (we test with Firefox from version 52 onward)

Open your web browser, visit your website starting with "https://" and check that you get a green lock symbol before the URL and that there are no warnings. You can also test your website on SSL Labs.
We naturally use our own domains and start with:

  1. http://archiv.femuwi.de
  2. https://archiv.femuwi.de

The test on the 2nd server, which was set up following this template:

  1. http://ns2.femuwi.de
  2. https://ns2.femuwi.de

In each case, our Apache server must now automatically convert line 1 with "http" into "https" and also serve it as "https".

Our museum pages contain about 18,000 links to http addresses, all of which absolutely must work (no ifs or buts).

Postscript / addendum:

Let's Encrypt certificates are only valid for 90 days. To reduce your work, we recommend using crontab to run the renew job every month.

Automate renew

Edit "/etc/cron.d/certbot.cron" and uncomment the renew line:
# renew all certificates methode: renew

10 5 1 * * root /usr/bin/certbot renew
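
The renewal timing behind this cron line, as an added example that is not part of the original page: it works out which monthly run actually renews a certificate and how many days are left at that point, using the two expiry dates from the certbot output above. It assumes that `certbot renew` only replaces a certificate once fewer than 30 days remain (passed as a parameter), needs GNU date, and `first_renewing_run` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original page. Needs GNU date (-d).
# Assumption: "certbot renew" only renews a certificate once fewer than
# WINDOW days (default 30) remain; earlier runs leave it untouched.

# first_renewing_run EXPIRY CRON_DAY [WINDOW]   (hypothetical helper)
#   EXPIRY   certificate expiry date, YYYY-MM-DD
#   CRON_DAY day-of-month field of the cron line (1 for "10 5 1 * *")
# Prints "<run date> <days left at that run>", or "NONE" if no monthly run
# falls between the start of the renewal window and the expiry date.
first_renewing_run() {
    expiry=$1 cron_day=$2 window=${3:-30}
    exp_s=$(date -u -d "$expiry" +%s) || return 2
    win_s=$((exp_s - window * 86400))
    # Start with the month in which the renewal window opens.
    y=$(date -u -d "@$win_s" +%Y)
    m=$(date -u -d "@$win_s" +%m)
    m=${m#0}                       # avoid octal parsing of 08 and 09
    tries=0
    while [ "$tries" -lt 6 ]; do
        run=$(printf '%04d-%02d-%02d' "$y" "$m" "$cron_day")
        # Days such as 31 do not exist in every month; cron skips those months.
        if run_s=$(date -u -d "$run" +%s 2>/dev/null); then
            if [ "$run_s" -ge "$exp_s" ]; then
                break              # the next run is on or after the expiry date
            fi
            if [ "$run_s" -ge "$win_s" ]; then
                echo "$run $(( (exp_s - run_s) / 86400 ))"
                return 0
            fi
        fi
        m=$((m + 1))
        if [ "$m" -gt 12 ]; then m=1; y=$((y + 1)); fi
        tries=$((tries + 1))
    done
    echo NONE
    return 1
}

# Expiry dates from the certbot output on this page, cron line "10 5 1 * *".
first_renewing_run 2022-06-20 1    # -> 2022-06-01 19
first_renewing_run 2022-06-23 1    # -> 2022-06-01 22
```

With one run per month there is a single attempt inside the renewal window, so a failed run is not retried before the certificate expires; a more frequent schedule adds retries.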

© 2001/2022 - Copyright by Dipl.-Ing. Gert Redlich / Germany - D-65191 Wiesbaden