Setting up Let's Encrypt on CentOS7 (Amazon Linux 2)
Katz Ueno
Posted on August 8, 2019
This note explains how to install Let's Encrypt on Amazon Linux 2 (running a
PHP+MySQL CMS, concrete5).
I've tested it on Amazon Linux 2, but it will probably work on any CentOS 7 and RHEL 7.
Step 0: Initial Set-up
Run my concrete5 Ansible script to set up a basic web server.
https://github.com/concrete5cojp/ansible-c5-ma
This script will install all the repos and middleware needed to run a PHP web application.
OR
Install the EPEL repo.
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Then make sure you have finished configuring port 80 and that the site is already reachable over it (certbot's HTTP-01 validation needs it).
Using auto configuration
Step 1: Install Certbot
$ sudo yum install certbot python2-certbot-nginx # Nginx server
$ sudo yum install certbot python2-certbot-apache # Apache server
Step 2: Install a Let's Encrypt Certificate
sudo certbot
Step 3: Set-up cron to auto-renew
$ sudo vi /etc/crontab
# Let's Encrypt Renewal - Nginx
39 11,23 * * * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "systemctl restart nginx"
# Let's Encrypt Renewal - Apache
39 11,23 * * * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "service httpd restart"
Manual Method
Issue a certificate for the domain (a wildcard name can only be validated with the DNS-01 challenge, so certbot will ask you to publish TXT records)
$ sudo certbot certonly \
--manual \
--preferred-challenges dns \
--manual-public-ip-logging-ok \
-d EXAMPLE.com \
-d *.EXAMPLE.com \
-m nospam@EXAMPLE.com \
--agree-tos \
--debug
Note the full paths of the certificate and key that certbot prints (they live under /etc/letsencrypt/live/EXAMPLE.com/)
Set the web server config
Nginx Config
ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
Apache Config
SSLCertificateFile /etc/letsencrypt/live/DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN/chain.pem
# On Apache 2.4.8+ SSLCertificateChainFile is deprecated: point SSLCertificateFile at fullchain.pem instead.
# Do not set SSLCACertificateFile here; it configures client-certificate verification, not the chain you serve.
Cron setting
$ sudo vi /etc/crontab
# Let's Encrypt Renewal - reload Nginx only after a certificate was actually renewed
39 11,23 * * * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "systemctl reload nginx"
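The cron line above only renews; nothing tells you when the hook or the renewal itself silently breaks. The following added check (my own example, not part of the original post) reports a certificate under /etc/letsencrypt/live/ that is within 30 days of expiry, which is the point where certbot renew should already have replaced it. It assumes openssl is on PATH; the demo certificate it generates is constructed locally and self-signed.

```sh
#!/bin/sh
# Added example (not from the original post): detect a certificate that is close to
# expiry so a broken cron entry or renew hook is noticed before clients see TLS errors.
# Assumes openssl is installed. make_demo_cert builds a constructed self-signed cert.

# cert_expires_within CERT_FILE DAYS
# Returns 0 (true) if CERT_FILE expires within DAYS days (or is already expired), 1 otherwise.
cert_expires_within() {
    _secs=$(( $2 * 86400 ))
    # openssl -checkend exits 0 while the cert is still valid at now+_secs, 1 once it is not
    if openssl x509 -noout -in "$1" -checkend "$_secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_demo_cert CERT_FILE DAYS: constructed self-signed certificate valid for DAYS days (demo only)
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" -out "$1" \
        -days "$2" -subj "/CN=demo.example.com" >/dev/null 2>&1
}

# check_live_cert DOMAIN [DAYS]: certbot keeps the current cert at
# /etc/letsencrypt/live/DOMAIN/fullchain.pem. Warn when it expires within DAYS (default 30).
# Returns 0 when fine, 1 when renewal is overdue, 2 when the file is missing/unreadable.
check_live_cert() {
    _cert="/etc/letsencrypt/live/$1/fullchain.pem"
    _days="${2:-30}"
    [ -r "$_cert" ] || { echo "missing: $_cert"; return 2; }
    if cert_expires_within "$_cert" "$_days"; then
        echo "WARNING: $_cert expires within $_days days; check /etc/crontab and /var/log/letsencrypt/"
        return 1
    fi
    echo "OK: $_cert valid for more than $_days days"
    return 0
}
```

Running `certbot renew --dry-run` by hand exercises the same renewal path against the staging CA without issuing a real certificate, which is the quickest way to confirm the cron command works.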
When it fails
Clear all Let's Encrypt settings (this removes certbot's own installation directory; issued certificates and renewal configs under /etc/letsencrypt are not touched)
sudo rm -R /opt/eff.org/certbot
Make sure to set SSL on the default server (for a dynamic site with a cache)
Even if you only need SSL access on an additional virtual host, you may want to set SSL on your default server as well, so that when someone accesses your server by IP address they get a blank dummy page instead of your site.
This is an important tactic to prevent cache poisoning if you use a CMS such as WordPress or Concrete CMS, because a request that reaches your application under an unexpected Host or IP can otherwise end up in the cache.
If you see the following error in the Nginx error log and keep failing to access the site over SSL, you have not set a proper 443 config on your Nginx default server.
no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: ***.***.***.***, server: 0.0.0.0:443
server {
    # default_server on every listen so IP-address requests over IPv4 and IPv6 land here
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name EXAMPLE.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    charset utf-8;
    access_log /var/log/nginx/dummy_access.log main;
    error_log /var/log/nginx/dummy_error.log warn;
    root /var/www/html;
    # any valid certificate will do here; it only needs to complete the handshake
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        index index.html;
    }
}
How to delete unused and/or old certificates
# Show which certificates are installed & get the certificate names to delete
$ sudo certbot certificates
# Delete the certificate
$ sudo certbot delete --cert-name example.com-0001
Reference
This one is a good article.
http://nopipi.hatenablog.com/entry/2019/01/08/013654
https://higherhope.net/?p=2710
https://qiita.com/HeRo/items/f9eb8d8a08d4d5b63ee9
https://qiita.com/MysteriousMonky/items/f26316447c1ff390ce21