Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 300 million websites, with the goal of all websites being secure and using HTTPS. The Internet Security Research Group (ISRG), the provider of the service, is a public benefit organization. Major sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Cisco Systems, Facebook, Google Chrome, Internet Society, AWS, NGINX, and Bill and Melinda Gates Foundation. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), and the Linux Foundation.
You will need:
We start from the vhost.conf template and remove the first VirtualHost block. The ServerName must be www.example.com, the same name you will request the certificate for: the certbot Apache plugin locates the vhost to configure by its ServerName.
Test the website over plain http first. Then we add Let's Encrypt.
To use Let's Encrypt to obtain a TLS certificate, you first need to install Certbot with its Apache plugin, plus mod_ssl, the Apache module that provides TLS support. (Despite the module's name, SSL v3 is obsolete and stays disabled; the protocol settings later on this page allow only TLS 1.2 and 1.3.)
The certbot package is not available through the package manager by default. You will need to enable the EPEL repository, after which you can install certbot, the Apache plugin it needs for --apache, and mod_ssl in one go:
# dnf install certbot python3-certbot-apache mod_ssl
During the installation process you will be asked about importing a GPG key. This key will verify the authenticity of the package you are installing. To allow the installation to finish, accept the GPG key by typing y and pressing ENTER when prompted to do so.
With these packages installed, you can use Certbot to request a certificate for your domain.
Using the certbot Let's Encrypt client to generate the SSL Certificate for Apache automates many of the steps in the process. The client will automatically obtain and install a new SSL certificate that is valid for the domains you provide as parameters.
To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:
# certbot --apache -d www.example.com
This runs certbot with the --apache plugin and specifies the domain to configure the certificate for with the -d flag (repeat -d for every additional name the certificate must cover, for example the bare domain). If you prefer to pick from the names certbot finds in your virtual hosts, run it without -d:
# certbot --apache
The program will present you with a step-by-step guide to customize your certificate options. It will ask you for an email address, which Let's Encrypt uses for expiry and security notices (not for key recovery: a lost private key simply means issuing a new certificate), and then prompt you to agree to the terms of service. If you did not specify your domains on the command line, you will be prompted for them as well. If your virtual host files do not state the domain they serve explicitly with the ServerName directive, you will be asked to choose the virtual host file. In most cases, the default ssl.conf file will work.
You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https. For better security, it is recommended to choose the option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.
When the installation is successfully finished, you will see a message similar to this:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
After the installation the server may not run as we want, and the edits the certbot plugin made to the vhost conf-file need cleaning up. Note that the directory under /etc/letsencrypt/live/ is named after the first domain you passed to certbot, so the example.com in the message above is www.example.com here.
Change it so that it looks like this:
<VirtualHost *:80>
    ServerName www.example.com
    # The trailing slash matters: with "https://www.example.com" alone,
    # a request for /foo would be redirected to https://www.example.comfoo
    Redirect 301 / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@robshondenschool.nl
    ServerName www.example.com
    CustomLog /var/log/httpd/www.example.com-access_log combined
    ErrorLog /var/log/httpd/www.example.com-error_log
    DirectoryIndex index.html index.html.var index.php
    DocumentRoot /srv/www/vhosts/www.example.com/httpsdocs
    <Directory "/srv/www/vhosts/www.example.com/httpsdocs">
        # +Indexes turns on directory listings; drop it unless you need them
        Options +Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
</VirtualHost>
On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; pointing SSLCertificateFile at fullchain.pem and dropping the chain line, which is what certbot itself writes, does the same job. Either way the intermediate must be served, or clients that do not already have it will fail to validate the chain.
Test the webserver configuration with: httpd -t.
Check /etc/letsencrypt/options-ssl-apache.conf for correct settings. Certbot writes this file and refreshes it on upgrades only while it is unmodified, so once you edit it you are responsible for keeping the protocol and cipher settings current; directives of your own, such as the HSTS header below, are better placed in the :443 VirtualHost. Be aware that includeSubDomains commits every subdomain to HTTPS for the whole max-age (two years here): browsers that have seen the header refuse plain http to any subdomain, so add it only once every subdomain serves a valid certificate. The Header directive needs mod_headers, which the httpd package loads by default.
# vi /etc/letsencrypt/options-ssl-apache.conf
SSLProtocol -all +TLSv1.2 +TLSv1.3
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Restart the web server with systemctl restart httpd (on this distribution the service is called httpd, not apache).
Check that the vhosts redirect correctly: a request to http://www.example.com/ must answer with a 301 to https://www.example.com/, and the https vhost must serve the site with the full chain.
At this point, you can ensure that Certbot created your SSL certificate correctly by using the SSL Server Test from the cloud security company Qualys.
Open the following link in your preferred web browser, replacing example.com with your domain:
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
You will land on a page that immediately begins testing the SSL connection to your server:
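The redirect check above and the parts of the SSL Labs test that can be done from the command line (chain verification, HSTS, expiry of the certificate actually served) can be scripted. The following bash script is an added example, not code from the original page; it assumes curl and openssl are installed and takes the host name as its first argument. The header-parsing functions are separated from the network calls so they can be exercised on constructed header text.

```bash
#!/bin/bash
# check-vhost.sh: post-deployment checks for the vhost built above.
# Added example, not code from the original page. Assumes curl and openssl
# are installed and the host name is passed as the first argument:
#   ./check-vhost.sh www.example.com
set -u

# Read raw HTTP response headers on stdin, print "<status> <Location>".
parse_redirect() {
    awk 'NR == 1 { status = $2 }
         tolower($1) == "location:" { sub(/\r$/, ""); loc = $2 }
         END { print status, loc }'
}

# Pass when the plain-http vhost answers with a permanent redirect to the
# https URL of the same host; fail (return 1) on anything else, including a
# 200 that quietly serves the site unencrypted or a redirect back to http.
check_redirect() {
    local host="$1" status location
    set -- $(parse_redirect)
    status="${1:-}"; location="${2:-}"
    case "$status" in
        301|308) ;;
        *) echo "FAIL: http://$host/ answered ${status:-nothing}, expected 301/308"; return 1 ;;
    esac
    case "$location" in
        "https://$host/"|"https://$host") echo "OK: http://$host/ -> $location" ;;
        *) echo "FAIL: redirect points at '$location', not https://$host/"; return 1 ;;
    esac
}

# Pass when the https response headers on stdin carry a
# Strict-Transport-Security header whose max-age is at least $2 seconds
# (default 15552000 = 180 days, an assumed minimum).
check_hsts() {
    local host="$1" min_age="${2:-15552000}" age
    age=$(awk 'tolower($0) ~ /^strict-transport-security:/ {
                   line = tolower($0); n = index(line, "max-age=")
                   if (n) { split(substr(line, n + 8), a, /[^0-9]/); print a[1]; exit } }')
    if [ -z "$age" ]; then
        echo "FAIL: https://$host/ sends no Strict-Transport-Security header"; return 1
    fi
    if [ "$age" -lt "$min_age" ]; then
        echo "FAIL: HSTS max-age=$age on $host is below $min_age"; return 1
    fi
    echo "OK: HSTS max-age=$age on $host"
}

main() {
    local host="$1" rc=0 headers enddate
    # --max-redirs 0 so we see the redirect itself instead of following it.
    curl -sS -I --max-redirs 0 "http://$host/" | check_redirect "$host" || rc=1
    # curl verifies the chain against the system CA store, so a missing
    # intermediate (chain.pem not served) shows up here as a failure.
    if headers=$(curl -sS -I "https://$host/"); then
        printf '%s\n' "$headers" | check_hsts "$host" || rc=1
    else
        echo "FAIL: https://$host/ did not verify (curl exit $?)"; rc=1
    fi
    # Expiry of the certificate actually served (not the file on disk).
    if enddate=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
                 | openssl x509 -noout -enddate); then
        echo "Served certificate: $enddate"
    else
        echo "FAIL: could not read the certificate served by $host:443"; rc=1
    fi
    return "$rc"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Run it after every configuration change; a non-zero exit means one of the three checks failed, and the first FAIL line says which. It deliberately does not follow redirects, because a redirect chain that ends at https can still expose the first hop over plain http.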
Let's Encrypt certificates are valid for 90 days, but it's recommended that you renew the certificates every 60 days to allow a margin of error. Because of this, it is a best practice to automate this process to periodically check and renew the certificate.
First, let's examine the command that you will use to renew the certificate. The certbot Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. By using the --dry-run option, you can run a simulation of this task to test how renew works:
# certbot renew --dry-run
The output should look similar to this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
...
A practical way to ensure your certificates will not get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day.
We will first create a file that will update the certificates.
# vi certbot
Insert the following text:
#!/usr/bin/bash
certbot renew
Move the file to the /etc/cron.weekly directory, set the file mode to 755 and make root the owner.
Once a week certbot then checks whether the certificates need to be renewed and, if so, renews them. Keep an eye on the cron mail: certbot renew prints a summary on every run, and a renewal that keeps failing shows up only there or in /var/log/letsencrypt/letsencrypt.log. If the EPEL package installed a certbot-renew.timer unit (systemctl list-unit-files 'certbot*'), enabling that timer does the same job and makes the cron file redundant.
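A renewal that fails every week is easy to miss, because the site keeps working until the certificate finally expires. The following fuller version of the cron script is an added example, not the page's own script: after running certbot renew it checks every certificate under /etc/letsencrypt/live, and since right after a successful renew run none of them should have fewer than about 30 days left, any that still does is reported as a broken renewal. It assumes that path, an alert threshold of 28 days (WARN_DAYS), and that cron mails whatever the job writes to stderr; the expiry date is computed with plain shell arithmetic so it does not depend on GNU date -d.

```bash
#!/bin/bash
# /etc/cron.weekly/certbot, a fuller version of the two-line script above.
# Added example, not the page's own script. Besides running "certbot renew"
# it checks every live certificate afterwards: right after a successful
# renew run none of them should have fewer than about 30 days left, so a
# certificate that still does is a renewal that has been failing silently.
# Assumptions: lineages live under /etc/letsencrypt/live, WARN_DAYS=28 is
# the alert threshold, and cron mails whatever the job writes to stderr.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-28}"

# Convert "notAfter=Aug 14 12:00:00 2019 GMT" (the output of
# openssl x509 -enddate) to seconds since the Unix epoch with plain shell
# arithmetic, so this works without GNU "date -d". Returns 1 on bad input.
enddate_to_epoch() {
    local s mon day time year m y h mi sec era yoe doy doe days
    s="${1#notAfter=}"
    set -- $s
    [ $# -eq 5 ] && [ "$5" = GMT ] || return 1
    mon=$1; day=$2; time=$3; year=$4
    case "$mon" in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    h=${time%%:*}; sec=${time##*:}; mi=${time#*:}; mi=${mi%:*}
    case "$day$year$h$mi$sec" in ''|*[!0-9]*) return 1 ;; esac
    # 10# forces decimal so "08" and "09" are not rejected as bad octal.
    day=$((10#$day)); year=$((10#$year)); h=$((10#$h)); mi=$((10#$mi)); sec=$((10#$sec))
    # Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's
    # days_from_civil, restricted to years > 0, which is all a cert can hold).
    y=$year
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + day - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + h * 3600 + mi * 60 + sec))
}

# Whole days from now until the given notAfter line; negative once expired.
days_left_from_enddate() {
    local end now
    end=$(enddate_to_epoch "$1") || return 1
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# Report every live certificate below WARN_DAYS; returns how many there are.
check_live_certs() {
    local cert days bad=0
    for cert in "$LIVE_DIR"/*/cert.pem; do
        if [ ! -e "$cert" ]; then
            echo "warning: no certificates found under $LIVE_DIR" >&2
            return 0
        fi
        if ! days=$(days_left_from_enddate "$(openssl x509 -noout -enddate -in "$cert")"); then
            echo "cannot read expiry of $cert" >&2; bad=$((bad + 1)); continue
        fi
        if [ "$days" -lt "$WARN_DAYS" ]; then
            echo "$cert expires in $days days: renewal is not working, see /var/log/letsencrypt/letsencrypt.log" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

main() {
    if command -v certbot >/dev/null 2>&1; then
        # --quiet: nothing printed unless something fails, so cron mails only errors.
        certbot renew --quiet || echo "certbot renew exited with status $?" >&2
    else
        echo "warning: certbot is not installed, nothing renewed" >&2
    fi
    check_live_certs
}

main
```

The script exits with the number of certificates that are too close to expiry, so a non-zero status (and the stderr lines cron mails) is the alarm. Checking the file on disk catches renewal failures; it does not catch a renewed certificate that Apache never reloaded, which is what the served-certificate check in the earlier script is for.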