How to configure Apache with Let’s Encrypt on CentOS 7

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install TLS/SSL certificates for free, enabling encrypted HTTPS on web servers.

Let’s Encrypt simplifies the process by providing a software client, Certbot, that attempts to automate most of the necessary steps. Currently, the whole process of obtaining and installing certificates is fully automated in Apache and Nginx.

We recommend that you test every tutorial or guide available on the Internet on a virtual machine (vmware or Virtualbox) before deploying to a production server, so as not to mess up the operating system when something goes wrong.

precondition

Make sure you meet the following prerequisites before proceeding with this tutorial:

  • You have a domain name that points to your public server’s IP address. In this tutorial we will use domains example.com.
  • Apache is already installed and running on your server.
  • You have an Apache virtual host for your domain.
  • Firewall setup with ports 80 and 443 open.

Install the following packages required for the SSL encrypted web server:

yum install mod_ssl openssl

Install Certbot

Certbot is a full-featured, easy-to-use tool that can automate the task of obtaining and renewing Let’s Encrypt SSL Certificates. Certbot will also manage all web server configurations so they can use the certificate directly.

If you do not have EPEL repository installed on your system, run the following command:

sudo yum install epel-release

Once the EPEL repository is enabled, install the certbot package by typing:

sudo yum install certbot

Create a Dh key exchange certificate (Diffie-Hellman)

Diffie-Hellman (DH) key exchange is a method of exchanging secure cryptographic keys over an insecure communication channel. We will create a new 2048-bit DH parameter to enhance security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

If you are still paranoid, you can change the size up to 4096 bits, but in this case, the release may take more than 30 minutes depending on the processing capabilities of your system.

See also  How to install and configure Apache Tomcat on CentOS 7

Obtained Let’s Encrypt SSL certificate

To get the SSL certificate for the domain we will use the Webroot plugin which works by creating a temporary file to validate the required domain in the directory ${webroot-path}/.well-known/acme-challenge.

Let’s Encrypt server makes HTTP requests for temporary files to verify that the requested domain has completed data requests to the server where certbot is running.

To keep it simple, we will set all HTTP requests to .well-known/acme-challengeto a single directory, /var/lib/letsencrypt.

The following command will create a directory and make it writable by the Apache server.

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp apache /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid code duplication, create the following two snippets

sudo nano /etc/httpd/conf.d/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Save and close the above snippet, then create the following snippet again:

sudo nano /etc/httpd/conf.d/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

The snippet above uses the recommended cipherli.st chipper, enables OCSP Stapling, HTTP Strict Transport Security (HSTS) and implements some security-focused HTTP headers.

Reload the Apache configuration for the changes to take effect:

sudo systemctl reload httpd

Now you can run Certbot using the webroot plugin and get the SSL certificate file by typing the command:

sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate was obtained successfully, certbot will print the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-12-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The default version of Apache on CentOS 7 is version 2.4.6 which has no directive SSLOpenSSLConfCmd. This directive is only available in Apache 2.4.8 and is used for OpenSSL configuration parameters such as Diffie-Hellman (DH) key exchange.

See also  Fix initscripts conflicts with redhat-release-server-7.4-18.el7.x86_64

We’ll create a new merge file using the Let’s Encrypt SSL certificate and the DH file we created earlier. To do this, type:

cat /etc/letsencrypt/live/example.com/cert.pem /etc/ssl/certs/dhparam.pem >/etc/letsencrypt/live/example.com/cert.dh.pem

Now that everything is set up, edit the virtual host configuration for your domain as follows:

sudo nano /etc/httpd/conf.d/example.com.conf
<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog /var/log/httpd/example.com-error.log
  CustomLog /var/log/httpd/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.dh.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

  # Other Apache Configuration

</VirtualHost>

With the above configuration we force to always use connect https and redirect from version www to issue change www. Feel free to modify the above configuration according to your needs.

Restart the Apache service after completing the above virtual host setup:

sudo systemctl restart httpd

You can now open your website with https:// And you will see a green icon.

If you test your domain with SSL Labs Server Test, you will get an A+ score as shown below:

ssllabs test

How to auto-renew Let’s encrypt SSL certificates

Let’s Encrypt certificates are valid for 90 days. To automatically renew certificates before they expire, the certbot package creates a cronjob that runs twice a day and will automatically renew any certificate within 30 days before the certificate expires.

Run command crontab To create a new cronjob:

sudo crontab -e

Copy and paste the following line:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Save and close the file.

See also  How to install and configure Plex Media Server on CentOS 7

To test the update process, you can use the certbot command followed by a statement --dry-run :

sudo certbot renew --dry-run

If there are no errors, the test update was successful.

conclusion

In this tutorial, you can use the Let’s Encrypt client, certbot, to download an SSL certificate for your domain.

I also created Apache snippets to avoid code duplication and configured the Apache web server to use certificates.

At the end of the tutorial, I set up a cronjob to automatically renew the certificate.

Source link

About wahyuway

Check Also

How to install and configure Anaconda on CentOS 7

How to install and configure Anaconda on CentOS 7

Anaconda is the most popular machine learning and data science tool used in large scale …

Leave a Reply