Contents
1.Obtain an SSL Certificate (Let's Encrypt)
Preparation
Enable mod_ssl
|
1 |
# a2enmod ssl |
1.1Certificate Installation
|
1 2 |
# zypper -n install certbot # certbot certonly --webroot -w /srv/www/htdocs/ -d <FQDN> |
# Registration of e-mail address and agreement to terms of use are required for the first time only.
# Specify an email address to receive
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): E-mail address - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y Account registered. Requesting a certificate for [FQDN] Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/[FQDN]/fullchain.pem Key is saved at: /etc/letsencrypt/live/[FQDN]/privkey.pem This certificate expires on 2023-09-11. These files will be updated when the certificate renews. NEXT STEPS: - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions. We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
Success if displayed"Successfully received certificate"
# The following certificate is obtained under [/etc/letsencrypt/live/<FQDN>/] as described in the message
# cert.pem ⇒ SSL server certificate (including public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ File containing cert.pem and chain.pem combined
# privkey.pem ⇒ private key
2. Web server SSL conversion
2.1 SSL Configuration
|
1 2 3 |
# a2enmod ssl # a2enmod -l actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php7 version |
|
1 2 3 |
# vi /etc/apache2/listen.conf ● Line 17:Uncomment Listen 443 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# vi /etc/apache2/vhosts.d/default-ssl.conf <VirtualHost *:443> DocumentRoot "/srv/www/htdocs/" SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/letsencrypt/live/<FQDN>/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/<FQDN>/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/<FQDN>/chain.pem <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/srv/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> </VirtualHost> |
|
1 |
# systemctl restart apache2 |
2.2 Redirect HTTP to HTTPS
To redirect all HTTP communications to HTTPS, enter the following in each virtualhost setting.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# vi /etc/apache2/vhosts.d/virtual_host_ssl.conf <VirtualHost *:80> ServerName <FQDN> ServerAdmin <Email address> DocumentRoot /srv/www/htdocs/ ErrorLog /var/log/apache2/error.log CustomLog /var/log/apache2/access.log combined LogLevel warn RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> |
|
1 2 3 |
# a2enmod rewrite # a2enmod -l actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php7 version rewrite |
|
1 |
# systemctl restart apache2 |
HTTPS service must be allowed if Firewalld is enabled; HTTPS uses 443/TCP.
|
1 2 3 4 |
# firewall-cmd --add-service=https --permanent success # firewall-cmd --reload success |