Presentation
Thanks to the Let's Encrypt project, it is now easy to serve a website over HTTPS with a free, automatically validated certificate.
Prerequisites
A webserver (Apache, Nginx, etc.) has to be running on port 80, with the firewall configured to allow access to it: the webroot validation used below is done over plain HTTP.
Installation Procedure
In the following tutorial, let’s assume that your website is called www.example.com and is located in the /var/www/html/example directory.
Several packages need to be installed:
# yum install -y git
# cd /opt
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
Note: this repository has since been renamed certbot (the old URL redirects there) and the letsencrypt-auto wrapper has been replaced by the certbot package of your distribution; the procedure below is otherwise unchanged.
Then, create a certificate for a website (here www.example.com):
# ./letsencrypt-auto certonly --webroot -w /var/www/html/example -d example.com \
  -d www.example.com --email myemail@mail.com
...
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on
   2016-08-18. To obtain a new version of the certificate in the future, simply
   run Certbot again.
 - If you lose your account credentials, you can recover through e-mails sent
   to myemail@mail.com.
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates and
   private keys obtained by Certbot so making regular backups of this folder is
   ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Note: the certificate lands in a directory named after the first -d argument (example.com here); that is the path to use in the webserver configuration below, not www.example.com. The --webroot validation writes a token under /var/www/html/example/.well-known/acme-challenge/, so every name passed with -d must serve that directory over plain HTTP when the command runs.
Note: If you host several websites on the same domain (several subdomains), only list the names that the webroot actually serves and leave out the bare domain (here example.com) if nothing answers on it: every -d name is validated over HTTP and a single failed name fails the whole request.
Change the firewall configuration to allow https:
# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload
Apache Configuration
Install the mod_ssl package if it is not already there:
# yum install -y mod_ssl
Edit the /etc/httpd/conf.d/ssl.conf file, search for the lines beginning with SSLCertificate and replace them as follows:
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
Note: the directory is the one certbot reported when the certificate was created, named after the first -d argument (example.com, not www.example.com). The intermediate goes in SSLCertificateChainFile (chain.pem); SSLCACertificateFile is the CA bundle used to verify client certificates and does not send the chain to browsers. On Apache 2.4.8 or later you can instead point SSLCertificateFile at fullchain.pem and omit the chain directive.
In the same file, search for the ServerName string and replace as follows:
ServerName www.example.com:443
Again, search for the SSLProtocol string and replace as follows:
SSLProtocol all -SSLv2 -SSLv3
Note: this only disables SSLv2 and SSLv3; TLS 1.0 and 1.1 stay enabled. Unless you must support old clients, turn them off as well:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Search for the SSLCipherSuite string and replace as follows:
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM \
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 \
EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH !ECDHE-RSA-DES-CBC3-SHA EDH+aRSA RSA+3DES \
!aNULL !eNULL !LOW !SEED !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
Note: the RSA+3DES entry keeps 3DES for very old clients only; 3DES has a 64-bit block and is subject to the Sweet32 attack, so drop it if you do not need those clients.
Check the validity of the configuration:
# httpd -t
Syntax OK
Restart the Apache webserver:
# apachectl restart
If an error occurs, check the /var/log/httpd/error_log and /var/log/httpd/ssl_error_log files.
Check the virtual host configuration:
# httpd -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  www.example.com (/etc/httpd/conf.d/ssl.conf:56)
Nginx Configuration
Change the listen directive in your server block:
listen 443 http2 ssl;
Note: http2 is optional (it requires Nginx 1.9.5 or later).
Add the certificate directives to your server block (Nginx has no separate chain directive, so the full chain goes in ssl_certificate):
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Specify the protocols and ciphers used (ssl_ciphers takes a single argument, so keep the whole list on one line or inside quotes):
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5:!kEDH";
Note: TLS 1.0 and 1.1 are deprecated and the 3DES groups are only there for old clients. With no such clients, use ssl_protocols TLSv1.2; (add TLSv1.3 on Nginx 1.13 or later built against OpenSSL 1.1.1) and remove the 3DES entries.
Add a server block to redirect access to port 80 to port 443:
server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}
Test the configuration syntax:
# nginx -t
Restart the Nginx server:
# systemctl restart nginx
If an error occurs, check the /var/log/nginx directory.
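A mistake that survives both httpd -t and nginx -t is pointing the certificate directives at /etc/letsencrypt/live/www.example.com/ when certbot actually created /etc/letsencrypt/live/example.com/ (the directory is named after the first -d argument); the webserver then fails only at restart, or keeps serving an old certificate. The script below is an added example, not part of this tutorial or of certbot: it pulls every certificate path out of an Apache or Nginx configuration file and checks that each file exists, with an optional prefix so the check can be run against a copy of the tree. The configuration file names in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify that the certificate paths in
# an Apache or Nginx configuration exist on disk.

# Print every certificate/key path referenced by a config file, one per line.
# Recognised directives: Apache SSLCertificateFile, SSLCertificateKeyFile,
# SSLCertificateChainFile and Nginx ssl_certificate, ssl_certificate_key.
cert_paths() {
    grep -E '^[[:space:]]*(SSLCertificate(Key|Chain)?File|ssl_certificate(_key)?)[[:space:]]' "$1" \
        | sed -E 's/^[[:space:]]*[A-Za-z_]+[[:space:]]+//; s/[[:space:]]*;?[[:space:]]*$//'
}

# Return 0 if every referenced file is readable, 1 otherwise (missing paths are
# reported on stderr). $2 is an optional prefix, e.g. a test directory that
# mirrors /etc/letsencrypt, prepended to each absolute path.
check_cert_paths() {
    cfg=$1
    prefix=${2:-}
    rc=0
    for p in $(cert_paths "$cfg"); do
        if [ ! -r "$prefix$p" ]; then
            echo "missing: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (paths are assumptions):
#   check_cert_paths /etc/httpd/conf.d/ssl.conf
#   check_cert_paths /etc/nginx/conf.d/example.conf
```

Run it as root, since /etc/letsencrypt/live is not world-readable; a "missing" line for privkey.pem when run as an ordinary user is a permission problem, not a configuration one.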
Time To Test
To test your new certificate, go to the ssllabs website and type the url of your website.
Similarly, the use of the HTTP/2 protocol can be tested through the Keycdn website.
If your website uses WordPress, there will be some additional WordPress configuration steps to migrate to HTTPS.
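The SSL Labs test needs the site to be reachable from the Internet. For a quick local check of the protocol settings above, the script below is an added example, not from this tutorial: it runs one openssl s_client handshake per protocol version, decides from openssl's output whether the handshake completed, and reports which versions the server accepts. The host name, port and the list of versions expected to be refused are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): probe which protocol versions a
# server accepts with openssl s_client and parse its output.

# One handshake attempt; prints openssl's full output (stdout and stderr).
# $1 host, $2 port, $3 version flag: ssl3, tls1, tls1_1, tls1_2 or tls1_3.
# A version the local openssl was built without yields "unknown option" and
# therefore shows as refused; check the raw output if a result surprises you.
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1
}

# Read s_client output on stdin; exit 0 only if the handshake completed, which
# openssl signals by printing the peer certificate and a real cipher name.
# Failed handshakes print "no peer certificate available" and "Cipher : 0000".
handshake_ok() {
    out=$(cat)
    case $out in
        *"no peer certificate available"*) return 1 ;;
    esac
    printf '%s\n' "$out" | grep -q 'Cipher *: [^0(]'
}

# Read s_client output on stdin and print the negotiated protocol version.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol *: *//p' | head -n 1
}

# Check that $1:$2 refuses every version listed in $3 (space separated) and
# still accepts TLS 1.2. Prints one line per version; exits 1 on any FAIL.
audit_host() {
    host=$1 port=${2:-443} refuse=${3:-ssl3} rc=0
    for v in ssl3 tls1 tls1_1 tls1_2; do
        if probe "$host" "$port" "$v" | handshake_ok; then state=accepted; else state=refused; fi
        if [ "$v" = tls1_2 ]; then
            want=accepted
        else
            case " $refuse " in *" $v "*) want=refused ;; *) want=any ;; esac
        fi
        if [ "$want" = any ] || [ "$want" = "$state" ]; then verdict=ok; else verdict=FAIL; rc=1; fi
        echo "$v $state ($verdict)"
    done
    return $rc
}

# Usage (host is an assumption): with the tutorial's SSLProtocol all -SSLv2 -SSLv3
# only ssl3 must be refused; for a TLS 1.2-only policy pass "ssl3 tls1 tls1_1".
#   audit_host www.example.com 443 "ssl3 tls1 tls1_1"
```

Run it from a machine other than the server, or at least after opening port 443 in the firewall, otherwise every version shows as refused.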
Certificate Renewal
Certificates are only valid for 90 days, so they need to be renewed regularly. Automating this process is a good idea.
Create a file called /etc/letsencrypt/cli.ini and paste the following lines:
authenticator = webroot
webroot-path = /var/www/html/example
server = https://acme-v02.api.letsencrypt.org/directory
renew-by-default
agree-tos
email = mymail@mail.com
Note: webroot-path must be the same directory as the -w argument used when the certificate was created (/var/www/html/example). The ACME v1 endpoint (acme-v01.api.letsencrypt.org) found in older tutorials has been shut down; acme-v02 is the current one. renew-by-default forces a new certificate on every run, so with the weekly cron below a new certificate is issued every week whether or not it is needed, which counts against Let's Encrypt's duplicate-certificate rate limit; replacing it with keep-until-expiring makes certbot renew only when the certificate is due.
Create a script called /etc/letsencrypt/renew.sh and paste the following lines:
#!/bin/bash
/root/.local/share/letsencrypt/bin/letsencrypt certonly \
  -c /etc/letsencrypt/cli.ini -d example.com -d www.example.com
# Uncomment this line if you use Apache
#/bin/systemctl reload httpd
# Uncomment this line if you use Nginx
#/bin/systemctl reload nginx
Note: list exactly the same -d names as in the original request. With -d www.example.com alone, certbot creates a second, separate certificate instead of renewing the existing one, and the webserver keeps serving the old files from /etc/letsencrypt/live/example.com/.
Give execution rights:
# chmod u+x /etc/letsencrypt/renew.sh
Put the script in the root crontab (1 execution per week):
47 5 * * 1 /etc/letsencrypt/renew.sh > /dev/null 2>&1
Note: the redirection is 2>&1 (send errors where standard output goes), not 2<&1. Sending everything to /dev/null also hides a failed renewal until the certificate expires; logging to a file under /var/log is the safer choice.
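The renewal script above asks for a new certificate on every run and reloads the webserver every time, even when nothing changed. The script below is an added example, not the tutorial's or certbot's own: it only contacts Let's Encrypt when the current certificate expires within a window (30 days, certbot's own default), and only reloads the webserver when fullchain.pem actually changed, so a failed or skipped renewal never causes a needless reload. The lineage path, the certbot binary path and the webserver name are assumptions matching the tutorial; newer certbot releases do the same thing with certbot renew --deploy-hook "systemctl reload httpd".

```shell
#!/bin/bash
# Added example (not the tutorial's script): renew only when due, reload only
# when the certificate really changed. Paths and names are assumptions.

LIVE=/etc/letsencrypt/live/example.com             # lineage named after the first -d
RENEW_WINDOW_DAYS=30                               # certbot's default renewal window
CERTBOT=/root/.local/share/letsencrypt/bin/letsencrypt
WEBSERVER=httpd                                    # or nginx

# Exit 0 if the certificate in $1 expires within $2 days, or cannot be checked
# at all (missing file, openssl error): in both cases a renewal is wanted.
needs_renewal() {
    cert=$1 days=$2
    [ -r "$cert" ] || return 0
    ! openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null
}

# Print the SHA-256 fingerprint of a file, or "missing" if it is unreadable.
fingerprint() {
    [ -r "$1" ] || { echo missing; return; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit 0 if the fingerprint of file $2 differs from the recorded value $1.
changed() { [ "$(fingerprint "$2")" != "$1" ]; }

renew() {
    if ! needs_renewal "$LIVE/fullchain.pem" "$RENEW_WINDOW_DAYS"; then
        echo "certificate valid for more than $RENEW_WINDOW_DAYS days, nothing to do"
        return 0
    fi
    before=$(fingerprint "$LIVE/fullchain.pem")
    # Same -d list as the original request, so the existing lineage is renewed
    # rather than a second one created.
    "$CERTBOT" certonly -c /etc/letsencrypt/cli.ini \
        -d example.com -d www.example.com || return 1
    if changed "$before" "$LIVE/fullchain.pem"; then
        systemctl reload "$WEBSERVER"
    else
        echo "certificate unchanged, not reloading $WEBSERVER"
    fi
}

# Only act when invoked as "renew.sh run", so the functions can be sourced
# and exercised separately; the crontab entry becomes: /etc/letsencrypt/renew.sh run
case "${1:-}" in run) renew ;; esac
```

Because the script checks expiry itself, the weekly cron entry can stay as it is; if cli.ini still contains renew-by-default, certbot will force a fresh certificate whenever the script decides one is due, which is what you want here.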
Additional Resources
The idroot.net website provides a tutorial showing How To Install Let’s Encrypt SSL With Nginx on CentOS 7.