MiracleLinux: Let’s Encrypt, Apache SSL

Obtain an SSL certificate (Let’s Encrypt)

Make sure the latest OpenSSL, including its development headers, is installed.

# dnf install openssl-devel

1. Install the certificate

# dnf -y install certbot
# certbot certonly --webroot -w /var/www/html/[Domain Name] -d [Domain Name]

The first time only, you must register an email address and agree to the terms of use.
Specify an address at which you can actually receive mail.

Enter email address (used for urgent notices and lost key recovery)

<Administrator email address>

< OK > <Cancel>

Agree to the terms of use:
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

<Agree > <Cancel>

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/[Domain Name]/fullchain.pem. Your cert will
expire on 2022-01-27. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
- If you like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

If you see “Congratulations,” the certificate was issued.
As the message says, the following files are now under /etc/letsencrypt/live/[Domain Name]/:

cert.pem ⇒ SSL server certificate (includes the public key)
chain.pem ⇒ intermediate certificate
fullchain.pem ⇒ cert.pem and chain.pem concatenated into one file
privkey.pem ⇒ private key matching the certificate’s public key

2. Automatically renew certificates (Let’s Encrypt)

① Test before registering the cron job
First test the automatic renewal with the --dry-run option.
With this option the certificate is only checked, not actually renewed, so the test does not count against the rate limit on how many certificates can be issued.

# /usr/bin/certbot renew --dry-run

② Register crontab

# crontab -e
00 03 01 * * /usr/bin/certbot renew && /usr/bin/systemctl restart httpd.service

A crontab opened with crontab -e has no user column, so the line must not contain a “root” field, and because this page runs a self-built Apache as httpd.service (see below), that is the unit to restart rather than apache2.
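An added check script (our own, not from the original post and not part of certbot) that ties the four files listed in step 1 to the renewal job in step 2: it verifies that privkey.pem belongs to cert.pem, that the certificate is not about to expire, that chain.pem verifies it, and that this page’s Apache config still parses. The function name, the APACHECTL variable and the optional trust-anchor argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post, not part of certbot): sanity-check
# a certbot live directory before Apache is (re)started with it.
# Assumed layout is the page's: <live dir>/{cert,privkey,chain}.pem, and the
# page's apachectl path (override with APACHECTL). Function name is ours.
#
# Usage: check_le_dir <live dir> [min_days] [trust anchor PEM]
#   min_days      fail if cert.pem expires sooner than this (default 30)
#   trust anchor  extra CA file for openssl verify; omit to use the system store
check_le_dir() {
    dir="$1"
    min_days="${2:-30}"
    anchor="$3"
    cert="$dir/cert.pem"; key="$dir/privkey.pem"; chain="$dir/chain.pem"

    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "check_le_dir: missing or unreadable $f" >&2; return 1; }
    done

    # 1. privkey.pem must be the key behind cert.pem: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "check_le_dir: privkey.pem does not match cert.pem" >&2; return 1
    fi

    # 2. cert.pem must not expire within min_days (-checkend exits 1 if it will).
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "check_le_dir: cert.pem expires within $min_days days" >&2; return 1
    fi

    # 3. cert.pem must chain through chain.pem (untrusted) up to a trust anchor.
    if [ -n "$anchor" ]; then
        openssl verify -CAfile "$anchor" -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1
    fi || { echo "check_le_dir: chain.pem does not verify cert.pem" >&2; return 1; }

    # 4. If the page's Apache is installed, make sure httpd.conf still parses.
    apachectl="${APACHECTL:-/usr/local/apache2/bin/apachectl}"
    if [ -x "$apachectl" ] && ! "$apachectl" configtest >/dev/null 2>&1; then
        echo "check_le_dir: apachectl configtest failed" >&2; return 1
    fi
    echo "check_le_dir: $dir is consistent and valid for at least $min_days days"
}

# Stand-alone use: sh check_le.sh /etc/letsencrypt/live/<Domain Name>
[ $# -eq 0 ] || check_le_dir "$@"
```

Used as `check_le_dir /etc/letsencrypt/live/<Domain Name> && systemctl restart httpd.service` in the crontab line, it turns the unconditional restart into one that only happens when the renewed material is sane.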

Switch Apache to HTTPS

1. Recompile and install Apache

# cd /usr/local/src/httpd-2.4.39/
# ./configure \
--with-layout=Apache \
--enable-module=auth_db \
--enable-module=so \
--enable-module=most \
--enable-mods-shared=reallyall \
--enable-rewrite \
--enable-auth_digest \
--enable-ssl
# make
# make install
# cd /usr/local/src/
# mv /lib/systemd/system/httpd.service /lib/systemd/system/httpd.service_bak2
Create a new httpd.service
# vi /lib/systemd/system/httpd.service
Contents of httpd.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/local/apache2/bin/apachectl start
ExecStop=/usr/local/apache2/bin/apachectl stop
KillSignal=SIGCONT
PrivateTmp=true

[Install]
WantedBy=multi-user.target

2. Edit the httpd.conf file

# vi /usr/local/apache2/conf/httpd.conf
● Around line 53
Add "Listen 0.0.0.0:443"
● Around line 233
Add "ServerName localhost:443"
● Around line 284
Change as follows
<VirtualHost *:80>
ServerAdmin <Administrator email address>
ServerName <Domain Name>
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
ErrorLog /var/log/httpd/redirect.error.log
LogLevel warn
ErrorDocument 404 /
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
DocumentRoot /var/www/html/<Domain Name>
ServerName <Domain Name>
ServerAlias localhost
ErrorLog "| /usr/local/apache2/bin/rotatelogs /var/log/httpd/<Domain Name>_error_log_%Y%m%d 86400 540"
CustomLog "| /usr/local/apache2/bin/rotatelogs /var/log/httpd/<Domain Name>_access_log_%Y%m%d 86400 540" combined
<Directory "/var/www/html/<Domain Name>">
Options Indexes Includes FollowSymLinks MultiViews ExecCGI
Require all granted
#Allow from all
AddHandler server-parsed .html
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</Directory>
SSLCertificateFile /etc/letsencrypt/live/<Domain Name>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<Domain Name>/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/<Domain Name>/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
The Include at the end points at the TLS settings file that certbot’s Apache plugin installs; if that file is not present on your server, httpd will refuse to start, so either install the plugin or remove the Include line.
● Around line 91
Remove the "#" at the beginning of the line.
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
● Around line 187
Remove the "#" at the beginning of the line.
LoadModule rewrite_module modules/mod_rewrite.so
● Around line 188
Add "LoadModule ssl_module modules/mod_ssl.so"
Restart Apache.
# systemctl daemon-reload
# systemctl restart httpd.service