1. What is Let's Encrypt?
Until now, when an SSL/TLS server certificate was needed for a server on the local network, for example for website development, a self-signed certificate was issued and used.
If you can tolerate a few glitches such as browser warnings, a self-signed certificate is sufficient. The browser notification feature, however, requires a certificate issued by a trusted certification authority, so a self-signed certificate alone produces an error. The error can be avoided by installing your own CA certificate in each browser, but it has to be installed in every browser that will be checked, and on smartphones and tablets it may not be possible to install it at all.
The only way around these problems used to be a paid SSL/TLS server certificate issuing service.
Recently, however, Let's Encrypt has made a free SSL/TLS server certificate issuing service available. This article uses that service to obtain an SSL/TLS server certificate and install it on CentOS 7.6.
2. Download Let's Encrypt
Download:
# curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
Change the access permissions:
# chmod 700 /usr/bin/certbot-auto
3. Confirmation beforehand
1) The Apache module mod_ssl is required. Check whether it is installed:
# httpd -M
2) If "ssl_module (shared)" appears in the list you are good to go; if not, install it as follows:
# yum -y install mod_ssl
3) Check your firewall settings, since port 443 must be open for HTTPS:
# firewall-cmd --list-all
...
services: ssh http https
If "https" is listed under "services", there is no problem.
If it is not set yet, run the following to allow port 443:
# firewall-cmd --add-port=443/tcp --zone=public --permanent
4. Install certbot
# /usr/bin/certbot-auto certonly --webroot -w /var/www/html --email test@example.com --debug -d test.example.com
The packages (with their dependencies) needed to run the Certbot client are installed automatically, and a virtualized Python environment is built to run the packages downloaded from PyPI. You will be prompted partway through; answer "y" (yes).
- The -d option specifies the domain. Several domains can be given, such as -d example.com -d test.example.com; the first domain specified becomes the common name.
- Every domain you specify must have an A record that points to this server.
- The -w option specifies the document root directory. To use a different document root for each domain, put a -w option immediately before the corresponding -d option.
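As an added example (not part of the original article), the following POSIX shell script turns the checks in sections 3 and 4 into a repeatable pre-flight: it parses the output of httpd -M and firewall-cmd --list-all, and confirms that the webroot given to -w actually serves files under /.well-known/acme-challenge/, the path Let's Encrypt's http-01 validation fetches over plain HTTP on port 80. The webroot and domain defaults are constructed values; httpd, firewall-cmd and curl are assumed to be on the path.

```shell
#!/bin/sh
# Added pre-flight check for webroot issuance; not the article's own code.
# Assumes httpd, firewall-cmd and curl are installed. The default webroot
# and domain below are constructed placeholders.

# Return 0 if "httpd -M" output (read from stdin) lists mod_ssl.
has_ssl_module() {
    grep -q 'ssl_module'
}

# Return 0 if "firewall-cmd --list-all" output (read from stdin) allows HTTPS,
# either through the https service or an explicit 443/tcp port entry.
firewall_allows_https() {
    awk '
        /^[ \t]*services:/ { for (i = 2; i <= NF; i++) if ($i == "https")   ok = 1 }
        /^[ \t]*ports:/    { for (i = 2; i <= NF; i++) if ($i == "443/tcp") ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Create the http-01 challenge directory under the webroot, drop a probe file
# into it and confirm that it is served at
# http://<domain>/.well-known/acme-challenge/<token>, which is exactly what
# the Let's Encrypt validation server will request.
probe_challenge_path() {
    webroot=$1
    domain=$2
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$"
    mkdir -p "$dir" || return 1
    echo "$token" > "$dir/$token"
    body=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

main() {
    webroot=${1:-/var/www/html}          # constructed default
    domain=${2:-test.example.com}        # constructed default
    httpd -M 2>&1 | has_ssl_module \
        || { echo "mod_ssl is not loaded: yum -y install mod_ssl"; exit 1; }
    firewall-cmd --list-all | firewall_allows_https \
        || { echo "port 443 is not open in the active firewall zone"; exit 1; }
    probe_challenge_path "$webroot" "$domain" \
        || { echo "$domain does not serve $webroot/.well-known/acme-challenge/ on port 80"; exit 1; }
    echo "pre-flight OK for $domain"
}

# Only run the live checks when invoked with arguments.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh preflight.sh /var/www/html test.example.com` before invoking certbot-auto. Note that `firewall-cmd --add-port ... --permanent` only edits the saved configuration; the running firewall does not pick it up until `firewall-cmd --reload`, which is why the script parses the live `--list-all` output rather than the permanent one.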
5. Creating a certificate
After installing certbot, the interactive certificate creation process will begin.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
Select "No" if you do not want to disclose the administrator email address to Let's Encrypt partners.
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: No
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
6. Check the server certificate
# ls -l /etc/letsencrypt/live/[FQDN]/
total 4
-rw-r--r-- 1 root root 543 Apr 17 17:23 README
lrwxrwxrwx 1 root root 44 Apr 17 17:23 cert.pem -> ../../archive/[FQDN]/cert1.pem
lrwxrwxrwx 1 root root 45 Apr 17 17:23 chain.pem -> ../../archive/[FQDN]/chain1.pem
lrwxrwxrwx 1 root root 49 Apr 17 17:23 fullchain.pem -> ../../archive/[FQDN]/fullchain1.pem
lrwxrwxrwx 1 root root 47 Apr 17 17:23 privkey.pem -> ../../archive/[FQDN]/privkey1.pem
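The listing above shows that the files in live/ are symlinks into archive/, but not whether they are consistent with each other. As an added example (not the article's own code), the script below, which assumes OpenSSL and GNU date are installed, reports the leaf certificate's names and remaining lifetime, checks that privkey.pem belongs to cert.pem, and verifies that cert.pem chains through chain.pem to a trusted root. The default live/ path is a constructed placeholder.

```shell
#!/bin/sh
# Added consistency check for /etc/letsencrypt/live/<FQDN>/; not part of the
# original article. Assumes the openssl and GNU date commands.

# Print the subject and the Subject Alternative Names of the certificate in $1,
# so the -d list given to certbot can be compared against what was issued.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[ \t]*//'
}

# Print the number of whole days until the certificate in $1 expires.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 if the private key in $2 belongs to the certificate in $1, by
# comparing the public key each file carries.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the leaf in $1 chains through the intermediates in $2 to a
# trusted root. chain.pem holds only the intermediate, so the system trust
# store supplies the root; $3 (optional) substitutes a CA file for it, which
# is what the self-signed test below relies on.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

main() {
    live=${1:-/etc/letsencrypt/live/test.example.com}   # constructed default
    cert_names "$live/cert.pem"
    echo "days left: $(cert_days_left "$live/cert.pem")"
    key_matches_cert "$live/cert.pem" "$live/privkey.pem" \
        && echo "privkey.pem matches cert.pem" || echo "KEY MISMATCH"
    chain_verifies "$live/cert.pem" "$live/chain.pem" \
        && echo "chain verifies" || echo "CHAIN DOES NOT VERIFY"
}

# Only touch the live directory when invoked with arguments.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root, since privkey.pem is not world-readable: `sh certcheck.sh /etc/letsencrypt/live/test.example.com`. Let's Encrypt certificates are valid for 90 days and certbot's renew command replaces them once fewer than 30 days remain, so a days-left value that keeps falling below 30 is the sign that renewal is not running.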
7. Reflecting in Apache
Apache is recompiled with SSL support (see also the next page; ssl.conf is not used).
Move to the Apache installation directory and recompile:
# ./configure \
--with-layout=Apache \
--enable-module=auth_db \
--enable-module=so \
--enable-module=most \
--enable-mods-shared=reallyall \
--enable-rewrite \
--enable-auth_digest \
--enable-ssl ← This has been added.
# make
# make install
Listen 0.0.0.0:443
ServerName localhost:443
Change the virtual host settings:
<VirtualHost *:80>
ServerAdmin [Email address]
ServerName [FQDN]
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
ErrorLog /var/log/httpd/redirect.error.log
LogLevel warn
ErrorDocument 404 /
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
DocumentRoot /var/www/html/[FQDN]
ServerName [FQDN]
ServerAlias localhost
ErrorLog "| /usr/local/apache2/bin/rotatelogs /var/log/httpd/[FQDN]_error_log_%Y%m%d 86400 540"
CustomLog "| /usr/local/apache2/bin/rotatelogs /var/log/httpd/[FQDN]_access_log_%Y%m%d 86400 540" combined
<Directory "/var/www/html/[FQDN]">
Options Indexes Includes FollowSymLinks MultiViews ExecCGI
Require all granted
#Allow from all
AddHandler server-parsed .html
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</Directory>
SSLCertificateFile /etc/letsencrypt/live/[FQDN]/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[FQDN]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[FQDN]/chain.pem
Include /opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot_apache/options-ssl-apache.conf
</VirtualHost>
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so ← Add
LoadModule rewrite_module modules/mod_rewrite.so ← Add
LoadModule ssl_module modules/mod_ssl.so ← Add
Restart Apache.
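Once Apache is back up, the two security-relevant behaviours of the virtual host above (the permanent redirect from port 80 to https:// and the Strict-Transport-Security header with a one-year max-age) can be checked from outside. The script below is an added example, not part of the article; it assumes curl is installed and that the host name passed in resolves to this server. The parsing functions work on captured response headers, so they can also be exercised on constructed input.

```shell
#!/bin/sh
# Added post-restart check for the virtual host configuration; not the
# article's own code. Assumes curl is installed. Sample headers in comments
# and tests are constructed.

# Read raw HTTP response headers from stdin (CRLF tolerated) and return 0
# when they describe a permanent redirect to an https:// location, which is
# what the RewriteRule with R=permanent produces (status 301).
is_https_redirect() {
    tr -d '\r' | awk '
        NR == 1 && $2 ~ /^30[18]$/            { code = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { loc = 1 }
        END { exit (code && loc) ? 0 : 1 }
    '
}

# Return 0 when the headers on stdin carry Strict-Transport-Security with a
# max-age of at least one year (31536000 seconds, the value in the config).
has_hsts() {
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/)) {
                age = substr(line, RSTART + 8, RLENGTH - 8) + 0
                if (age >= 31536000) ok = 1
            }
        }
        END { exit ok ? 0 : 1 }
    '
}

# Fetch the headers for both schemes from the live server and run both checks.
check_site() {
    host=$1
    curl -sI "http://$host/" | is_https_redirect \
        || { echo "http://$host/ does not redirect permanently to https://"; return 1; }
    curl -sI "https://$host/" | has_hsts \
        || { echo "https://$host/ lacks a one-year Strict-Transport-Security header"; return 1; }
    echo "redirect and HSTS OK for $host"
}

# Only contact a server when a host name is given.
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

Run `apachectl configtest` before the restart to catch syntax errors, then `sh vhostcheck.sh test.example.com`. `curl -sI` sends a HEAD request, which the RewriteRule redirects exactly like a GET, so the 80-to-443 check does not need to download the page.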