Installing Let’s Encrypt SSL on CentOS 7


September 11, 2019 by aubreykloppers

Get CN from SSL:
openssl x509 -noout -subject -in /etc/ssl/certs/localhost.crt


Create/Generate Self-Signed certificate:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -reqexts SAN -extensions SAN -subj '/CN=intranet.BOLD.COM' -config <(cat /etc/pki/tls/openssl.cnf; printf "[SAN]\nsubjectAltName=DNS:intranet.BOLD.COM")


Install certbot:

  • yum install certbot python2-certbot-apache
  • certbot --apache

Create Virtual host:

  • mkdir /etc/httpd/sites-available
  • mkdir /etc/httpd/sites-enabled

vi /etc/httpd/conf/httpd.conf
### Add this line to the end of the file:
IncludeOptional sites-enabled/*.conf


Check your configuration with:

  • apachectl -S
    ### You should only have one 443 and one 80 VirtualHost configuration!

vi /etc/httpd/conf.d/ssl.conf
## Remove everything from the opening tag to the closing tag shown below, inclusive. (If you do not, you will end up with 2 Virtual Hosts on port 443!)
<VirtualHost _default_:443>
</VirtualHost>
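
The "one 443 and one 80" check above can be scripted. This is an added example, not part of the original post: it counts the VirtualHosts per port in `apachectl -S` output, and the function names, host name and both sample outputs are constructed for illustration (modelled on the Apache 2.4 output format).

```shell
#!/bin/sh
# Added example: count the VirtualHosts that `apachectl -S` reports per port.
# Both samples are constructed (hypothetical host name), modelled on Apache 2.4 output.
DUPLICATE_SAMPLE='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server intranet.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost intranet.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost intranet.example.com (/etc/httpd/sites-enabled/intranet.example.com-le-ssl.conf:2)
*:80                   intranet.example.com (/etc/httpd/sites-enabled/intranet.example.com.conf:1)
ServerRoot: "/etc/httpd"'

CLEAN_SAMPLE='VirtualHost configuration:
*:443                  intranet.example.com (/etc/httpd/sites-enabled/intranet.example.com-le-ssl.conf:2)
*:80                   intranet.example.com (/etc/httpd/sites-enabled/intranet.example.com.conf:1)
ServerRoot: "/etc/httpd"'

# Read `apachectl -S` output on stdin; print "<port> <vhost count>" per port.
vhost_counts() {
    awk '
        /^[^ \t]+:[0-9]+[ \t]/ {
            n = split($1, addr, ":"); port = addr[n]   # last field, so [::1]:443 works
            # A shared address lists its vhosts on the "namevhost" lines below it.
            if ($0 !~ /is a NameVirtualHost/) count[port]++
            next
        }
        # "default server" repeats the first namevhost, so only namevhost lines count.
        /^[ \t]+port [0-9]+ namevhost / { count[$2]++ }
        END { for (p in count) print p, count[p] }
    ' | sort -n
}

# Succeed only when ports 80 and 443 each have exactly one VirtualHost.
check_vhosts() {
    vhost_counts | awk '
        { seen[$1] = $2 }
        END {
            split("80 443", want, " ")
            for (i = 1; i <= 2; i++)
                if (seen[want[i]] != 1) {
                    printf "port %s: %d vhosts, expected 1\n", want[i], seen[want[i]]
                    bad = 1
                }
            exit bad + 0
        }'
}

# Demo on the constructed samples; on a server: apachectl -S 2>&1 | check_vhosts
printf '%s\n' "$DUPLICATE_SAMPLE" | check_vhosts || echo "duplicate sample: fix before running certbot"
printf '%s\n' "$CLEAN_SAMPLE" | check_vhosts && echo "clean sample: ok"
```

Before certbot has created the SSL vhost, port 443 will report 0 VirtualHosts once the default block is removed from ssl.conf; the check is meant for the finished configuration.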


vi /etc/httpd/sites-available/intranet.BOLD.COM.conf
### ADD:
<VirtualHost *:80>

ServerName intranet.BOLD.COM
ServerAlias intranet.BOLD.COM
DocumentRoot /var/www/joomla
ErrorLog /var/www/logs/error.log
CustomLog /var/www/logs/requests.log combined
</VirtualHost>


ln -s /etc/httpd/sites-available/intranet.BOLD.COM.conf /etc/httpd/sites-enabled/intranet.BOLD.COM.conf


Generate and install the certificate:

[root@intranet ~]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: intranet.BOLD.COM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for intranet.BOLD.COM
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/sites-available/intranet.BOLD.COM-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/intranet.BOLD.COM-le-ssl.conf
Enabling site /etc/httpd/sites-available/intranet.BOLD.COM-le-ssl.conf by adding Include to root configuration

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/sites-enabled/intranet.BOLD.COM.conf to ssl vhost in /etc/httpd/sites-available/intranet.BOLD.COM-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://intranet.BOLD.COM

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=intranet.BOLD.COM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/intranet.BOLD.COM/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/intranet.BOLD.COM/privkey.pem
Your cert will expire on 2019-12-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@intranet ~]#


 
