How to set up SSL certificate with Let's Encrypt
About Let's Encrypt
Let's Encrypt provides free valid SSL certificates
Before proceeding
To proceed the following is needed:
- Domain name pointed to switch IP (it is not possible to create a Let's Encrypt SSL certificate for IP address)
- Email address to get notifications from Let's Encrypt
- SSH access to the server with root privileges
Make sure that firewalls are not blocking the following domains used for the creation and update of certificates:
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
Installation
In the example below let's assume that the domain name is example.com
Before installation, it is a good idea to backup /etc/httpd folder
cp -a /etc/httpd/ /usr/local/mor/backups/
Method 1 (using yum packages)
Based on this guide
Centos 7:
yum install certbot python2-certbot-apache mod_ssl
Rocky 9:
yum install certbot python3-certbot-apache mod_ssl
if installation is completed without errors, run certbot command (prepare to answer yes/no questions and enter the domain name(s) and email)
certbot --apache
If the command is completed successfully, going to https://example.com/billing should show a secure connection
if everything is OK, test certificate renewal and install renewal cron
certbot renew --dry-run
If successful it should show at the end
Congratulations, all simulated renewals succeeded: Congratulations, all simulated renewals succeeded: /etc/letsencrypt/live/example.com/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a cron to renew certificates automatically
#if US is blocked echo "20 0,12 * * * root /usr/sbin/iptables -D MOR-BLOCKED-COUNTRIES -m set --match-set mor_us_ips src -j DROP && /usr/bin/certbot renew" > /etc/cron.d/certbot_renewal_cron #if US is not blocked echo "20 0,12 * * * root /usr/bin/certbot renew" > /etc/cron.d/certbot_renewal_cron chmod 644 /etc/cron.d/certbot_renewal_cron service crond restart
This will try to renew the certificate two times every day. Certbot will try to actually renew certificates once the expiration day will be less than 30 days
If you get an error:
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
That means there is a problem with <VirtualHost *:80> configuration in /etc/httpd/httpd.conf
Check with:
apachectl -t -D DUMP_VHOSTS
NOTE: this procedure overwrites /usr/lib/systemd/system/httpd.service
Check with:
grep -i private /usr/lib/systemd/system/httpd.service
If you see PrivateTmp=true and need false, do:
sed -i "s|PrivateTmp=true\+|PrivateTmp=false|g" /usr/lib/systemd/system/httpd.service systemctl daemon-reload && systemctl restart httpd.service
If you get an error:
Deploying certificate Could not install certificate NEXT STEPS: - The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running: certbot install --cert-name sswitch.key2pbx.ca Could not reverse map the HTTPS VirtualHost to the original
Then create a file /etc/httpd/conf.d/mor-le-ssl.conf:
<IfModule mod_ssl.c> <VirtualHost *:443> DocumentRoot /var/www/html <Directory /var/www/html> Allow from all </Directory> RailsBaseURI /billing <Directory /var/www/html/billing> Options -MultiViews </Directory> RackEnv production PassengerDefaultUser apache PassengerDefaultGroup apache ServerName change to your domain SSLCertificateFile /etc/letsencrypt/live/change to your domain/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/change to your domain/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateChainFile /etc/letsencrypt/live/change to your domain/chain.pem </VirtualHost> </IfModule>
Run certificate renewal again to make sure there are no errors.
Method 2 (using snap management system)
To streamline the install process across different Linux Distributions, the Let's Encrypt official guide use snapd management system
If you want to use snaps, please use this guide:
https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html
Using this installation method, automatic renewal will be configured automatically (it will be systemd timer, not a simple cron)
systemctl list-timers NEXT LEFT LAST PASSED UNIT ACTIVATES Tr 2021-10-06 12:42:00 CEST 41min left Tr 2021-10-06 05:11:01 CEST 6h ago snap.certbot.renew.timer snap.certbot.renew.service
Logs
Let's encrypt log
/var/log/letsencrypt/letsencrypt.log
Accessing switch without /billing suffix
Follow the guide here
Use https instead of http and domain names instead of 127.0.0.1