Contents
1.Obtaining an SSL Certificate (Let's Encrypt)
Pre-assignment
Enable mod_ssl
|
1 |
# a2enmod ssl |
1.1 Install the certificate
|
1 2 |
# zypper -n install certbot # certbot certonly --webroot -w /srv/www/htdocs/[Web site directory] -d <FQDN> |
# Registration of e-mail address and agreement to terms of use are required for the first time only.
# Specify an email address to receive
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): <mail address> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y Account registered. Requesting a certificate for <FQDN> Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/<FQDN>/fullchain.pem Key is saved at: /etc/letsencrypt/live/<FQDN>/privkey.pem This certificate expires on 2022-10-14. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
Success when displaye ""Successfully received certificate"
# The following certificate is obtained under [/etc/letsencrypt/live/<FQDN>/] as described in the message
# cert.pem ⇒ SSL server certificate (including public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ File containing cert.pem and chain.pem combined
# privkey.pem ⇒ private key
2. Web Server SSL
2.1 SSL Settings
|
1 2 3 |
# a2enmod ssl # a2enmod -l actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout php7 |
|
1 2 3 |
# vi /etc/apache2/listen.conf ●Line 17:Uncomment Listen 443 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# vi /etc/apache2/vhosts.d/default-ssl.conf ● Create new <VirtualHost *:443> DocumentRoot "/srv/www/htdocs/[Web site directory]" SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/letsencrypt/live/<FQDN>/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/<FQDN>/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/<FQDN>/chain.pem <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/srv/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> </VirtualHost> |
|
1 |
# systemctl restart apache2 |
2.2 Redirect HTTP communications to HTTPS
To redirect all HTTP communications to HTTPS, enter the following in each virtualhost setting.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# vi /etc/apache2/vhosts.d/virtual_host.conf <VirtualHost *:80> ServerName <FQDN> ServerAdmin <Email address> DocumentRoot /srv/www/htdocs/<FQDN> ErrorLog /var/log/apache2/<FQDN>.error.log CustomLog /var/log/apache2/<FQDN>.access.log combined LogLevel warn RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> |
|
1 2 3 |
# a2enmod rewrite # a2enmod -l actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php7 version rewrite |
|
1 2 3 4 |
# firewall-cmd --add-service=https --permanent success # firewall-cmd --reload success |