Rob's web

Let's Encrypt

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 300 million websites, with the goal of all websites being secure and using HTTPS. The Internet Security Research Group (ISRG), the provider of the service, is a public benefit organization. Major sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Cisco Systems, Facebook, Google Chrome, Internet Society, AWS, NGINX, and Bill and Melinda Gates Foundation. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), and the Linux Foundation.

Prerequisites

You will need:

  1. One CentOS 7 server set up by following the CentOS 7 initial server setup guide with a non-root user who has sudo privileges.
  2. The domain which you want to secure must already be served over plain HTTP on port 80 (Let's Encrypt validates it there).
  3. A basic firewall configured with port 443 open.
  4. Apache installed on the server with a virtual host configured. This tutorial will use /etc/httpd/conf/vhosts.d/www.example.com.conf as an example.
  5. You should own or control the registered domain name that you wish to use the certificate with.
  6. A DNS A Record that points your domain to the public IP address of your server. A DNS AAAA Record is optional. DNS A records are required because of how Let's Encrypt validates that you own the domain it is issuing a certificate for. For example, if you want to obtain a certificate for example.com, that domain must resolve to your server for the validation process to work. Our setup will use example.com and www.example.com as the domain names, both of which will require a valid DNS record.

1 Installing the Certbot Let's Encrypt Client

To use Let's Encrypt to obtain an SSL certificate, you first need to install Certbot and mod_ssl, an Apache module that provides support for SSL v3 encryption.

The certbot package is not available through the package manager by default. You will need to enable the EPEL repository to install Certbot.

To add the CentOS 7 EPEL repository, run the following command:

# yum install epel-release

Now that you have access to the repository, install all of the required packages:

# yum install certbot python2-certbot-apache mod_ssl

During the installation process you will be asked about importing a GPG key. This key will verify the authenticity of the package you are installing. To allow the installation to finish, accept the GPG key by typing y and pressing ENTER when prompted to do so.

With these services installed, you're now ready to run Certbot and fetch your certificates.

2 Obtaining a Certificate

Now that Certbot is installed, you can use it to request an SSL certificate for your domain.

Using the certbot Let's Encrypt client to generate the SSL Certificate for Apache automates many of the steps in the process. The client will automatically obtain and install a new SSL certificate that is valid for the domains you provide as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:

# certbot --apache -d www.example.com

This runs certbot with the --apache plugin and specifies the domain to configure the certificate for with the -d flag. If that does not work, or if you have more domains to cover, run certbot without -d and it will let you pick from the domains it finds in your virtual host files:

# certbot --apache

The program will present you with a step-by-step guide to customize your certificate options. It will ask you to provide an email address for lost key recovery and notices, and then prompt you to agree to the terms of service. If you did not specify your domains on the command line, you will be prompted for that as well. If your Virtual Host files do not specify the domain they serve explicitly using the ServerName directive, you will be asked to choose the virtual host file. In most cases, the default ssl.conf file will work.

You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https. For better security, it is recommended to choose the option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.

When the installation is successfully finished, you will see a message similar to this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3 Cleaning up the vhost file

After installation the server might not behave as we want, so we have to clean up the conf file for the vhost.

Change it so that it looks like below:

<VirtualHost *:80>
        ServerName example.com

        # The trailing slash matters: "Redirect 301 / https://www.example.com" would
        # send a request for /page to https://www.example.compage
        Redirect 301 / https://www.example.com/
</VirtualHost>

<VirtualHost *:80>
        ServerName www.example.com

        Redirect 301 / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@robshondenschool.nl
        ServerName www.example.com

        CustomLog /var/log/httpd/www.example.com-access_log combined
        ErrorLog /var/log/httpd/www.example.com-error_log
        DirectoryIndex index.html index.html.var index.php

        DocumentRoot /srv/www/vhosts/www.example.com/httpsdocs
        <Directory "/srv/www/vhosts/www.example.com/httpsdocs">
                # +Indexes shows a directory listing wherever no index file exists;
                # drop it unless you really want browsable directories.
                Options +Indexes +FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>

        # Certbot's recommended TLS settings (SSLEngine, protocols, ciphers);
        # keeping them in this Include lets certbot update them later.
        Include /etc/letsencrypt/options-ssl-apache.conf

        # Paths written by certbot; the "live" symlinks always point at the newest certificate.
        SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem

</VirtualHost>

Test the webserver configuration with: apachectl -t. When it reports Syntax OK, restart the webserver.

Restart the webserver with systemctl restart httpd (the Apache service is called httpd on CentOS 7).

example.com will be redirected to https://www.example.com.

www.example.com will be redirected to https://www.example.com.

4 Checking your Certificate Status

At this point, you can ensure that Certbot created your SSL certificate correctly by using the SSL Server Test from the cloud security company Qualys.

Open the following link in your preferred web browser, replacing example.com with your base domain:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

You will land on a page that immediately begins testing the SSL connection to your server.
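An added local check (not part of this page) that covers what the SSL Labs test confirms remotely: it verifies that the plain-HTTP redirect from section 3 lands on https://www.example.com/ and reads the served certificate's expiry, failing when fewer than 30 days remain, the threshold at which certbot renew replaces a certificate. It assumes GNU date, curl and openssl are installed; the hostname and canonical URL are arguments you pass in.

```shell
#!/bin/sh
# Added example, not from the original page. Pure helpers first (testable offline),
# then check_site, which talks to the live server.

# redirect_target HEADERS: given raw response headers as captured by `curl -sI`,
# print the Location value if the status is 301/302, otherwise print nothing.
redirect_target() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $2 !~ /^30[12]$/ { exit }
        tolower($1) == "location:" { sub(/\r$/, "", $2); print $2; exit }'
}

# days_until_expiry NOTAFTER [NOW_EPOCH]: NOTAFTER in the form printed by
# `openssl x509 -noout -enddate`, e.g. "notAfter=Aug 14 12:00:00 2019 GMT".
# Prints whole days left; negative means already expired. NOW_EPOCH defaults to now.
days_until_expiry() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s)
    now_epoch=${2:-$(date +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# check_site HOST CANONICAL: HOST is a name you published (example.com or
# www.example.com), CANONICAL the URL every plain-HTTP request must land on
# (https://www.example.com/ in this page's vhost file). Returns 1 on any failure.
check_site() {
    host=$1; canonical=$2
    target=$(redirect_target "$(curl -sI "http://$host/")")
    case $target in
        "$canonical"*) echo "redirect OK: http://$host/ -> $target" ;;
        *) echo "redirect WRONG for $host: got '$target'"; return 1 ;;
    esac
    # Check the certificate on the canonical host, which is the one that serves HTTPS.
    certhost=${canonical#https://}; certhost=${certhost%%/*}
    enddate=$(echo | openssl s_client -servername "$certhost" -connect "$certhost:443" 2>/dev/null |
              openssl x509 -noout -enddate) || { echo "no certificate from $certhost:443"; return 1; }
    left=$(days_until_expiry "$enddate")
    echo "certificate on $certhost expires in $left days"
    # certbot renew only replaces certificates less than 30 days before expiry, so
    # being below that means the weekly renewal job is not working and needs attention.
    [ "$left" -ge 30 ] || { echo "renewal overdue, run: certbot renew --dry-run"; return 1; }
}

# Usage: check_site example.com https://www.example.com/
#        check_site www.example.com https://www.example.com/
```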

5 Setting up auto renewal

Let's Encrypt certificates are valid for 90 days, but it's recommended that you renew the certificates every 60 days to allow a margin of error. Because of this, it is a best practice to automate this process to periodically check and renew the certificate.

First, let's examine the command that you will use to renew the certificate. The certbot Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. By using the --dry-run option, you can run a simulation of this task to test how renew works:

# certbot renew --dry-run

The output should look similar to this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
...

A practical way to ensure your certificates will not get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day.

Cron job

We will first create a script that renews the certificates.

# vi certbot

Insert the following text:

#!/bin/sh
# Weekly renewal: certbot only replaces certificates that are within 30 days of
# expiry and reloads Apache itself when one is replaced. --quiet keeps cron
# from mailing output unless something goes wrong.
certbot renew --quiet

Move the file to the /etc/cron.weekly directory and set its file mode to 755 (chmod 755 /etc/cron.weekly/certbot) so run-parts will execute it.

Once a week certbot then checks whether the certificates need to be renewed and, if so, renews them.

Links