Katz Ueno

Setting up Let's Encrypt on CentOS7 (Amazon Linux 2)

These notes explain how to install Let's Encrypt on Amazon Linux 2 (running a PHP+MySQL CMS, concrete5).

I've tested on Amazon Linux 2. But it will probably work on any CentOS7 and RHEL7.

Step 0: Initial Set-up

Run my concrete5 Ansible script to set up a basic web server.
https://github.com/concrete5cojp/ansible-c5-ma

This script will install all the necessary repos and middleware to run a PHP web application.

OR

Install the epel repo.

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Then make sure you have finished the port 80 config and the site is already reachable on port 80.

Using auto configuration

Step 1: Install Certbot

$ sudo yum install certbot python2-certbot-nginx # Nginx server
$ sudo yum install certbot python2-certbot-apache # Apache server

Step 2: Install Let's Encrypt Certificate

sudo certbot

Step 3: Set-up cron to auto-renew

$ sudo vi /etc/crontab
# Let's Encrypt Renewal - Nginx
39 11,23  *  *  * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "systemctl restart nginx"
# Let's Encrypt Renewal - Apache
39 11,23  *  *  * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "service httpd restart"

Manual Method

Issue a certificate for the domain

$ sudo certbot certonly \
     --manual \
     --manual-public-ip-logging-ok \
     -d EXAMPLE.com \
     -d *.EXAMPLE.com \
     -m nospam@EXAMPLE.com \
     --agree-tos \
     --debug

Get the full paths of the key and certificate files

Set the web server config

Nginx Config

    ssl_certificate         /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    include                 /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam             /etc/letsencrypt/ssl-dhparams.pem;

Apache Config

SSLCertificateFile /etc/letsencrypt/live/DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN/chain.pem
SSLCACertificateFile /etc/letsencrypt/live/DOMAIN/fullchain.pem


Cron setting

$ sudo vi /etc/crontab
# Let's Encrypt Renewal
39 11,23  *  *  * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "systemctl reload nginx"
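Both cron lines above (the auto-configuration one in Step 3 and the manual-method one here) reload the web server blindly after every renewal. The following deploy hook, added here as an example and not part of the original post, is a safer replacement: it checks that the renewed lineage contains the files the server config points at, refuses to proceed if the private key has become world-readable, and validates the web server config before reloading it. It assumes certbot's standard renewal-hooks directory (/etc/letsencrypt/renewal-hooks/deploy/, in which every executable is run after a successful renewal with RENEWED_LINEAGE exported); the script name reload-web.sh and the variables WEB_TEST_CMD and WEB_RELOAD_CMD are names chosen for this example.

```shell
#!/bin/bash
# Added example, not from the original post: a certbot deploy hook that checks
# the renewed files and validates the web server config before reloading.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-web.sh (chmod 755);
# certbot runs every executable in that directory after a successful renewal
# and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory), so
# no --renew-hook argument is needed on the cron line.
# WEB_TEST_CMD and WEB_RELOAD_CMD are names assumed for this example.

: "${WEB_TEST_CMD:=nginx -t}"                   # Apache: apachectl configtest
: "${WEB_RELOAD_CMD:=systemctl reload nginx}"   # Apache: systemctl reload httpd

# check_lineage DIR
# Verifies that DIR holds the files the server config points at and that the
# private key is not readable by other users (certbot creates it 0600; a
# careless chmod after copying is a common mistake). Returns 1 on any problem.
check_lineage() {
    local dir="$1" f mode
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
    done
    # -L follows the live/ -> archive/ symlink; %a prints the octal mode
    mode=$(stat -L -c '%a' "$dir/privkey.pem")
    case "$mode" in
        *[4-7]) echo "private key is world-readable (mode $mode): $dir/privkey.pem" >&2
                return 1 ;;
    esac
    return 0
}

# safe_reload TEST_CMD RELOAD_CMD
# Runs TEST_CMD and reloads only if it passes, so a typo in the config does
# not take the site down in the middle of an unattended renewal.
safe_reload() {
    local test_cmd="$1" reload_cmd="$2"
    if ! sh -c "$test_cmd" >/dev/null 2>&1; then
        echo "config test failed (${test_cmd}); not reloading" >&2
        return 1
    fi
    sh -c "$reload_cmd"
}

# Entry point when certbot runs the hook; does nothing when sourced or tested.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    check_lineage "$RENEWED_LINEAGE" || exit 1
    safe_reload "$WEB_TEST_CMD" "$WEB_RELOAD_CMD"
fi
```

With the hook in place the cron entry only needs `certbot renew`; `sudo certbot renew --dry-run` exercises the renewal path against the staging environment, and the hook itself can be tried by hand as root with RENEWED_LINEAGE set to the live directory of an existing certificate. Reload rather than restart: a reload picks up the new certificate without dropping in-flight connections.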

When it fails

Clear all Let's Encrypt settings

sudo rm -R /opt/eff.org/certbot


Make sure to set SSL on the default server (for a dynamic site with cache)

Even if you only need SSL access on an additional virtual host, you may want to set SSL on your default server as well, so that when people try to reach your server by IP address the request gets a blank response instead of being routed to your site.

This is an important tactic to prevent cache poisoning if you use a CMS such as WordPress or Concrete CMS.

If you get the following error in the Nginx error log and keep failing to access the site over SSL, you did not set a proper 443 config on your Nginx default server.

no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: ***.***.***.***, server: 0.0.0.0:443

A default-server config that fixes this:
server {
    listen       80 default_server;
    listen       [::]:80;
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2;

    server_name  EXAMPLE.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    charset      utf-8;

    access_log   /var/log/nginx/dummy_access.log main;
    error_log    /var/log/nginx/dummy_error.log warn;

    root         /var/www/html;

    ssl_certificate         /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    include                 /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam             /etc/letsencrypt/ssl-dhparams.pem;


    location / {
        index  index.html;
    }
}
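The error above is easy to reintroduce later, when a catch-all server block is added without certificate directives. The lint below, added here as an example and not part of the original post, walks an nginx config file, tracks braces so nested location blocks are handled, and reports every server block whose listen line carries 443, ssl and default_server but which defines no ssl_certificate. The function names check_default_ssl, sample_bad_config and sample_good_config and the two embedded sample configs are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the original post: a small lint that finds server
# blocks whose "listen ... 443 ssl ... default_server" has no ssl_certificate,
# the misconfiguration behind the "no ssl_certificate is defined in server
# listening on SSL port" error. Function and sample names are assumptions.

# check_default_ssl FILE
# Prints one line per offending server block and returns 1 if any was found,
# 0 otherwise. Comments are ignored; braces are counted so nested blocks
# (location, if) do not end the server block early.
check_default_ssl() {
    awk '
        { line = $0; sub(/#.*/, "", line) }              # strip comments
        line ~ /^[ \t]*server[ \t]*[{]/ {                # new server block
            in_server = 1; start = depth; ssl_def = 0; has_cert = 0
        }
        in_server && line ~ /^[ \t]*listen[ \t]/ &&
            line ~ /443/ && line ~ /[ \t]ssl[ \t;]/ &&
            line ~ /default_server/ { ssl_def = 1 }
        in_server && line ~ /^[ \t]*ssl_certificate[ \t]/ { has_cert = 1 }
        {
            tmp = line; opens = gsub(/[{]/, "{", tmp)
            tmp = line; closes = gsub(/[}]/, "}", tmp)
            depth += opens - closes
            if (in_server && depth <= start) {           # server block closed
                in_server = 0
                if (ssl_def && !has_cert) {
                    bad++
                    print "line " NR ": default_server listens on 443 ssl but defines no ssl_certificate"
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the mistake, a catch-all default server on 443 without
# a certificate next to a properly configured virtual host.
sample_bad_config() {
    cat <<'EOF'
server {
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    server_name _;
    return 444;   # close the connection for requests to unknown hosts
}
server {
    listen 443 ssl http2;
    server_name EXAMPLE.com;
    ssl_certificate     /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    root /var/www/html;
}
EOF
}

# Constructed sample: the certificate is also set on the default server, so
# the TLS handshake succeeds and the request is then dropped.
sample_good_config() {
    cat <<'EOF'
server {
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    return 444;
}
EOF
}

# Usage: ./check_default_ssl.sh /etc/nginx/conf.d/default.conf
if [ $# -gt 0 ]; then
    check_default_ssl "$1"
fi
```

Run it over each file in /etc/nginx/conf.d/ before `nginx -t`; nginx itself only reports the problem at handshake time, not at config test time. The lint is a heuristic: it does not follow include directives, and if no server block on port 443 is marked default_server, nginx silently makes the first one it finds the default, which the script cannot see.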

How to delete unused and/or old certificates

# Show which certificates are installed & get the certificate names to delete
$ sudo certbot certificates

# Delete the certificate
$ sudo certbot delete --cert-name example.com-0001

Reference

This one is a good article.
http://nopipi.hatenablog.com/entry/2019/01/08/013654

https://higherhope.net/?p=2710

https://qiita.com/HeRo/items/f9eb8d8a08d4d5b63ee9

https://qiita.com/MysteriousMonky/items/f26316447c1ff390ce21

https://worklog.be/archives/3352

Top comments (1)

Dinesh Rathee

LetsEncrypt has revoked around 3 million certs last night due to a bug that they found. Are you impacted by this? Check out:

DevTo: dev.to/dineshrathee12/letsencrypt-...

GitHub: github.com/dineshrathee12/Let-s-En...

LetsEncryptCommunity: community.letsencrypt.org/t/letsen...