How to set up SSL certificate with Let's Encrypt

From Kolmisoft Wiki
Jump to navigationJump to search

About Let's Encrypt

Let's Encrypt provides free valid SSL certificates


Before proceeding

To proceed the following is needed:

  • Domain name pointed to switch IP (it is not possible to create a Let's Encrypt SSL certificate for IP address)
  • Email address to get notifications from Let's Encrypt
  • SSH access to the server with root privileges



Make sure that firewalls are not blocking the following domains used for the creation and update of certificates:

acme-v01.api.letsencrypt.org

acme-staging.api.letsencrypt.org

acme-v02.api.letsencrypt.org

acme-staging-v02.api.letsencrypt.org

Installation

In the example below let's assume that the domain name is example.com

Before installation, it is a good idea to backup /etc/httpd folder

cp -a /etc/httpd/ /usr/local/mor/backups/



Method 1 (using yum packages)

Based on this guide

Centos 7:

yum install certbot python2-certbot-apache mod_ssl

Rocky 9:

yum install certbot python3-certbot-apache mod_ssl

if installation is completed without errors, run certbot command (prepare to answer yes/no questions and enter the domain name(s) and email)

certbot --apache 


If the command is completed successfully, going to https://example.com/billing should show a secure connection

if everything is OK, test certificate renewal and install renewal cron

certbot renew --dry-run

If successful it should show at the end

Congratulations, all simulated renewals succeeded: 
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Create a cron to renew certificates automatically

#if US is blocked
echo "20 0,12 * * * root /usr/sbin/iptables -D MOR-BLOCKED-COUNTRIES -m set --match-set mor_us_ips src -j DROP && /usr/bin/certbot renew" > /etc/cron.d/certbot_renewal_cron
#if US is not blocked
echo "20 0,12 * * * root /usr/bin/certbot renew" > /etc/cron.d/certbot_renewal_cron
chmod 644 /etc/cron.d/certbot_renewal_cron
service crond restart

This will try to renew the certificate two times every day. Certbot will try to actually renew certificates once the expiration day will be less than 30 days


If you get an error:

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

That means there is a problem with <VirtualHost *:80> configuration in /etc/httpd/httpd.conf

Check with:

apachectl -t -D DUMP_VHOSTS


NOTE: this procedure overwrites /usr/lib/systemd/system/httpd.service

Check with:

grep -i private /usr/lib/systemd/system/httpd.service

If you see PrivateTmp=true and need false, do:

sed -i "s|PrivateTmp=true\+|PrivateTmp=false|g" /usr/lib/systemd/system/httpd.service
systemctl daemon-reload && systemctl restart httpd.service

If you get an error:

Deploying certificate
Could not install certificate
NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name sswitch.key2pbx.ca
Could not reverse map the HTTPS VirtualHost to the original

Then create a file /etc/httpd/conf.d/mor-le-ssl.conf:

 <IfModule mod_ssl.c>
       <VirtualHost *:443>
           DocumentRoot /var/www/html
           <Directory /var/www/html>
               Allow from all
           </Directory>
           RailsBaseURI /billing
           <Directory /var/www/html/billing>
               Options -MultiViews
          </Directory>
          RackEnv production
          PassengerDefaultUser apache
          PassengerDefaultGroup apache
ServerName change to your domain
SSLCertificateFile /etc/letsencrypt/live/change to your domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/change to your domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/change to your domain/chain.pem
</VirtualHost>
</IfModule>

Run certificate renewal again to make sure there are no errors.





Method 2 (using snap management system)

To streamline the install process across different Linux Distributions, the Let's Encrypt official guide use snapd management system

If you want to use snaps, please use this guide:

https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html

Using this installation method, automatic renewal will be configured automatically (it will be systemd timer, not a simple cron)

systemctl list-timers 
NEXT                         LEFT       LAST                         PASSED               UNIT                         ACTIVATES
Tr 2021-10-06 12:42:00 CEST  41min left Tr 2021-10-06 05:11:01 CEST  6h ago               snap.certbot.renew.timer     snap.certbot.renew.service



Logs

Let's encrypt log

 /var/log/letsencrypt/letsencrypt.log



Accessing switch without /billing suffix

Follow the guide here

Use https instead of http and domain names instead of 127.0.0.1