
Let’s Encrypt

This page provides basic instructions for using Let's Encrypt SSL certificates on your web server. Let's Encrypt is a free CA. The client tool is Certbot. Certbot has plugins that read and modify your existing web server configuration, so the installation process is quite simple.

Certbot packages are available in official repos for OpenSUSE 42.3 and later.

For Leap 15.0 choose this:

sudo zypper addrepo http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_Leap_15.0/devel:languages:python.repo

If you are using Apache as web server:

sudo zypper install certbot python-certbot python-certbot-apache

For Leap 42.2, upgrade python-cryptography to version 1.3.4 or later if the installed version is older:

sudo zypper install python-cryptography-1.8.1

By default, certbot uses the Let's Encrypt staging (test) CA, which only issues certificates that browsers do not trust. To use the production CA of Let's Encrypt, you need to edit /etc/certbot/cli.ini.

Change:

# The staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
# server = https://acme-v01.api.letsencrypt.org/directory

to:

# The staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
server = https://acme-v01.api.letsencrypt.org/directory

If you are using Apache:

sudo certbot --apache

Certbot then reads all your existing Apache/Nginx virtual host config files and determines which domains can be given SSL certificates. After that, an interactive dialog appears:

(Sorry for the Chinese characters in the screenshot. The left button is "OK", and the right is "Cancel".)

In the dialog above, use Up and Down to navigate and the Space key to select or unselect the domains for which you want HTTPS. Then press Enter. Next screen:

You can choose whether to redirect HTTP to HTTPS. Redirecting is recommended for security; if security is what you want, choose Secure. However, if you have some clients that require plain HTTP, choose Easy. Then press Enter. Next screen:

You do NOT need to restart Apache.

Open your web browser, visit your website using an https:// URL, and check that you get a green lock symbol before the URL and no warnings.

You can also test your website on SSL Labs.

===== Automate renew =====

Let's Encrypt certificates are only valid for 90 days. To reduce your work, we recommend using Crontab to run the renew job every month. Edit /etc/cron.d/certbot.cron and uncomment the renew line:

<code>
# renew all certificates
# methode: renew
10 5 1 * * root /usr/bin/certbot renew
</code>
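Both settings on this page are edited by hand and fail silently when forgotten: a cli.ini still pointing at the staging CA yields untrusted certificates, and a commented-out cron line lets the 90-day certificates expire. The following pre-flight check is an added example, not part of the original page or of Certbot; it uses the file paths and URLs given above and assumes a POSIX shell with awk and grep.

```shell
#!/bin/sh
# Pre-flight check for a Certbot setup done the way this page describes.
# Paths and URLs come from the page; nothing here talks to the network.

# Print the active ACME directory URL from a cli.ini file.
# Commented lines are skipped; if "server" appears several times the last one wins.
active_acme_server() {
    awk -F '=' '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*server[[:space:]]*$/ {
            sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2); url = $2
        }
        END { print url }' "$1"
}

# Return 0 when cli.ini points at the production CA, 1 when it is staging or unset.
acme_server_is_production() {
    case "$(active_acme_server "$1")" in
        *acme-staging*|"") return 1 ;;
        *)                 return 0 ;;
    esac
}

# Return 0 when the cron file contains an uncommented "certbot renew" job.
renew_cron_enabled() {
    grep -Eq '^[^#]*certbot[[:space:]]+renew' "$1"
}

# Run both checks (default paths are the ones from this page) and summarise.
certbot_preflight() {
    cli_ini="${1:-/etc/certbot/cli.ini}"
    cron_file="${2:-/etc/cron.d/certbot.cron}"
    rc=0
    if acme_server_is_production "$cli_ini"; then
        echo "OK   $cli_ini uses production CA: $(active_acme_server "$cli_ini")"
    else
        echo "FAIL $cli_ini still uses the staging CA (certificates will be untrusted)"
        rc=1
    fi
    if renew_cron_enabled "$cron_file"; then
        echo "OK   $cron_file has an active renew job"
    else
        echo "FAIL $cron_file has no uncommented 'certbot renew' line"
        rc=1
    fi
    return $rc
}
```

Run `certbot_preflight` after the edits above (or pass two paths to check copies of the files); a non-zero exit means one of the two settings is still wrong.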

Last modified: 2018/09/21 21:43