
Install Let’s Encrypt on CentOS 7.6 for SSL

1. What is Let’s Encrypt?

When preparing an SSL/TLS server certificate for a server on a local network used for website development and similar work, a self-signed certificate has traditionally been issued and used.
If you can tolerate a few inconveniences such as browser warnings, a self-signed certificate is sufficient. However, when using the browser notification function, the certificate must be issued by a trusted certification authority, so a self-signed certificate alone results in an error. You can avoid the error by installing your own CA certificate in each browser, but it has to be installed in every browser that needs to validate the site, and on smartphones and tablets it may not be possible to install it at all.
Until now, the only way to solve these problems was to use a paid SSL/TLS server certificate issuing service.
Recently, however, a free SSL/TLS server certificate issuing service, Let’s Encrypt, has become available. This time, we will use this service to obtain an SSL/TLS server certificate and install it on CentOS 7.6.

2. Download Let’s Encrypt (the certbot-auto client)

# curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto ← download
# chmod 700 /usr/bin/certbot-auto ← change access permissions (executable by root only)

3. Confirmation beforehand

1) The Apache module “mod_ssl” is required. Check whether it is installed:

# httpd -M

2) If you see “ssl_module (shared)” in the list, you are good to go; if not, install it as follows:

# yum -y install mod_ssl

3) Check your firewall settings, as port 443 must be allowed for https.

# firewall-cmd --list-all

services: ssh http https

If “https” appears under “services”, there is no problem.
If it is not set yet, run the following to allow port 443 (the second command makes the rule persist across reboots):

# firewall-cmd --add-port=443/tcp --zone=public
# firewall-cmd --add-port=443/tcp --zone=public --permanent
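The three pre-checks above, automated as an added example (this script is not from the original article). The helper and variable names are mine; the two SAMPLE_* strings are constructed command outputs used for the offline self-check, while run_preflight feeds the helpers the real output of httpd -M and firewall-cmd --list-all.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Let's Encrypt + Apache setup.
# Each helper takes the command output as a string so it can be tested
# offline; run_preflight passes in the live command output.

# Returns 0 when ssl_module (shared or static) appears in `httpd -M` output.
has_ssl_module() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ssl_module \((shared|static)\)'
}

# Returns 0 when the zone allows https, either as the "https" service or as
# an explicit 443/tcp port (the article adds the port rather than the service).
firewall_allows_https() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*services:/ { for (i = 2; i <= NF; i++) if ($i == "https")   ok = 1 }
        /^[[:space:]]*ports:/    { for (i = 2; i <= NF; i++) if ($i == "443/tcp") ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 ssl_module (shared)'
SAMPLE_FIREWALL_PORT='public (active)
  services: ssh http
  ports: 443/tcp'

# Runs both checks against the live system; exit status 1 if anything is missing.
run_preflight() {
    rc=0
    if has_ssl_module "$(httpd -M 2>/dev/null)"; then
        echo "OK   mod_ssl is loaded"
    else
        echo "FAIL mod_ssl missing: yum -y install mod_ssl"; rc=1
    fi
    if firewall_allows_https "$(firewall-cmd --list-all 2>/dev/null)"; then
        echo "OK   firewall allows https (443/tcp)"
    else
        echo "FAIL 443/tcp not allowed: firewall-cmd --add-port=443/tcp --zone=public --permanent"; rc=1
    fi
    return $rc
}
```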

4. Install certbot

# /usr/bin/certbot-auto certonly --webroot -w /var/www/html --email test@example.com --debug -d test.example.com

The packages (with dependencies) required to run the Certbot client will be installed automatically, and a virtualized Python environment (to run the packages downloaded from PyPI) will be built.
You will be prompted along the way; answer “y” (yes).
  • The -d option specifies the domain. Multiple domains can be given, such as -d example.com -d test.example.com; the first domain you specify becomes the common name.
  • Every domain you specify must have an A record that points to this server.
  • The -w option specifies the document root directory. If you want a different document root for each domain, write the -w option just before the -d option it applies to.

5. Creating a certificate

After installing certbot, the interactive certificate creation process will begin.

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Select “No” if you do not want to share your administrator email address with the Let’s Encrypt partner (EFF):

Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let’s Encrypt project and the non-profit organization that develops Certbot? We’d like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
-------------------------------------------------------------------------------
(Y)es/(N)o: No

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

6. Check the server certificate

# ls -l /etc/letsencrypt/live/[Domain Name]/
total 4
-rw-r--r-- 1 root root 543 Apr 17 17:23 README
lrwxrwxrwx 1 root root 44 Apr 17 17:23 cert.pem -> ../../archive/[Domain Name]/cert1.pem
lrwxrwxrwx 1 root root 45 Apr 17 17:23 chain.pem -> ../../archive/[Domain Name]/chain1.pem
lrwxrwxrwx 1 root root 49 Apr 17 17:23 fullchain.pem -> ../../archive/[Domain Name]/fullchain1.pem
lrwxrwxrwx 1 root root 47 Apr 17 17:23 privkey.pem -> ../../archive/[Domain Name]/privkey1.pem
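As an added example (not part of the article), a script that verifies the files listed above after issuance: that privkey.pem belongs to cert.pem, that the key is not readable by other users, how many days of validity remain, and that chain.pem validates cert.pem against the system trust store. It assumes openssl, GNU date and GNU coreutils as found on CentOS 7, and takes the domain name as its argument; the function names are mine.

```shell
#!/bin/sh
# Added example: post-issuance checks for /etc/letsencrypt/live/<domain>.
# Usage: check_live_dir test.example.com

# Parses an openssl "notAfter=Apr 17 17:23:00 2025 GMT" line and prints the
# number of whole days until that instant (negative once expired).
days_until_expiry() {
    end="${1#notAfter=}"
    end_s=$(date -u -d "$end" +%s) || return 1
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Returns 0 when the private key belongs to the certificate: the public key
# derived from each must be byte-identical.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

check_live_dir() {
    live="/etc/letsencrypt/live/$1"
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "FAIL $live/$f missing or unreadable"; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    # The symlink target in archive/ must not grant "other" any permission.
    mode=$(stat -c '%a' "$(readlink -f "$live/privkey.pem")")
    case "$mode" in
        *[1-7]) echo "WARN privkey.pem is accessible to other users (mode $mode)";;
    esac
    if cert_matches_key "$live/cert.pem" "$live/privkey.pem"; then
        echo "OK   cert.pem and privkey.pem match"
    else
        echo "FAIL cert.pem does not match privkey.pem"; rc=1
    fi
    # Let's Encrypt certificates are valid for 90 days; warn when under 30 remain.
    days=$(days_until_expiry "$(openssl x509 -noout -enddate -in "$live/cert.pem")")
    if [ "$days" -lt 30 ]; then
        echo "WARN cert.pem expires in $days day(s): run certbot-auto renew"; rc=1
    else
        echo "OK   cert.pem valid for $days more day(s)"
    fi
    # Verify the chain the server will present against the system trust store.
    openssl verify -untrusted "$live/chain.pem" "$live/cert.pem" >/dev/null || rc=1
    return $rc
}
```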

7. Reflecting in Apache

We will recompile Apache; see also the next page (ssl.conf will not be used).

Move to the Apache installation directory and recompile:
# ./configure \
--with-layout=Apache \
--enable-module=auth_db \
--enable-module=so \
--enable-module=most \
--enable-mods-shared=reallyall \
--enable-rewrite \
--enable-auth_digest \
--enable-ssl  ← This has been added.

# make
# make install

Editing httpd.conf

Listen 0.0.0.0:443
ServerName localhost:443

Change the virtual host settings (port 80 redirects everything to https; port 443 serves the site with the Let’s Encrypt certificate):

<VirtualHost *:80>
ServerAdmin [Email address]
ServerName [Domain Name]
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
ErrorLog /var/log/httpd/redirect.error.log
LogLevel warn
ErrorDocument 404 /
</VirtualHost>

<VirtualHost *:443>
SSLEngine on
DocumentRoot /var/www/html/[Domain Name]
ServerName [Domain Name]
ServerAlias localhost
ErrorLog "| /usr/local/apache2/bin/rotatelogs /var/log/httpd/[Domain Name]_error_log_%Y%m%d 86400 540"
CustomLog "| /usr/local/apache2/bin/rotatelogs /var/log/httpd/[Domain Name]_access_log_%Y%m%d 86400 540" combined
<Directory "/var/www/html/[Domain Name]">
Options Indexes Includes FollowSymLinks MultiViews ExecCGI
Require all granted
#Allow from all
AddHandler server-parsed .html
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</Directory>
SSLCertificateFile /etc/letsencrypt/live/[Domain Name]/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[Domain Name]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[Domain Name]/chain.pem
Include /opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot_apache/options-ssl-apache.conf
</VirtualHost>

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so ← Add
LoadModule rewrite_module modules/mod_rewrite.so ← Add
LoadModule ssl_module modules/mod_ssl.so ← Add

Restart Apache.
