Last active: March 11, 2019 04:23
#Install git and upgrade all packages
sudo yum update -y
sudo yum install git
#Get the latest version of the Let's Encrypt client (certbot-auto)
git clone https://github.com/letsencrypt/letsencrypt.git
#Result:
Cloning into 'letsencrypt'...
remote: Counting objects: 55232, done.
remote: Compressing objects: 100% (55/55), done.
remote: Total 55232 (delta 38), reused 38 (delta 31), pack-reused 55146
Receiving objects: 100% (55232/55232), 17.65 MiB | 4.14 MiB/s, done.
Resolving deltas: 100% (39848/39848), done.
#Adapt certbot-auto so it recognizes an Amazon Linux 2 instance
#(the current version of certbot-auto detects the distribution from /etc/issue and does not recognize Amazon Linux 2 automatically)
sudo vim /etc/issue
#Add a line containing 'Amazon Linux'
#certbot-auto looks for that string and it is missing on Amazon Linux 2; the file should end up as:
\S
Kernel \r on an \m
Amazon Linux
#Generate a certificate for your domain.
#--debug is required because certbot-auto treats Amazon Linux as an experimental platform and refuses to run without it.
#--webroot -w /var/www/html writes the ACME http-01 challenge files under /var/www/html/.well-known/acme-challenge/,
#so every domain listed with -d must already resolve to this instance and serve that path over plain HTTP on port 80.
cd letsencrypt/
sudo ./certbot-auto certonly --debug --webroot -w /var/www/html -d YOURDOMAIN.com -d www.YOURDOMAIN.com
#It will ask for an account e-mail address and agreement to the terms of service, and then print:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/YOURDOMAIN.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem
Your cert will expire on DATE. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
#Note: Let's Encrypt certificates are valid for 90 days, so "certbot-auto renew" has to be scheduled (cron) rather than run by hand.
#/etc/letsencrypt contains the private keys; keep it root-only (it is 0700 by default) and treat backups of it as secrets.
#Update the httpd SSL config with the certificate details:
sudo vim /etc/httpd/conf.d/ssl.conf
#Search for SSLProtocol (in vim: ?SSLProtocol) and modify it as follows
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
#Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996). Keep them only if you must support legacy clients;
#otherwise enable TLSv1.2 only ("-all +TLSv1.2"), adding +TLSv1.3 where the installed mod_ssl supports it.
## Replace the SSLCipherSuite line with:
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
## The *-DES-CBC3-SHA suites (3DES, affected by Sweet32) and the suites without ECDHE-/DHE- key exchange
## (no forward secrecy) are at the end of the list purely for old clients; remove them if you don't need them.
SSLHonorCipherOrder on
## Replace SSLCertificateFile with your certificate:
SSLCertificateFile /etc/letsencrypt/live/YOURDOMAIN.com/cert.pem
## Same logic for SSLCertificateKeyFile and SSLCertificateChainFile
## (on Apache 2.4.8 and later SSLCertificateChainFile is deprecated; you can instead point SSLCertificateFile at fullchain.pem,
## which contains the leaf certificate followed by the intermediate)
SSLCertificateKeyFile /etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURDOMAIN.com/chain.pem
#Restart Apache so the new configuration is loaded (run "sudo apachectl configtest" first to catch syntax errors):
sudo service httpd restart
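The ssl.conf settings above still allow TLS 1.0/1.1, 3DES and non-forward-secret RSA key exchange. The script below is an added example, not part of the gist: a small POSIX sh audit of a mod_ssl config that flags those leftovers, run against two constructed config fragments (an abbreviated copy of the settings above, and a TLS 1.2-only version with forward-secret AEAD suites). The directive names and their semantics are mod_ssl's; the file contents, the function name `audit_ssl_conf` and the temp-file layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the gist): audit an Apache mod_ssl config for the
# legacy settings left in place by the ssl.conf edit above. Runs offline on two
# constructed config fragments written to temp files.

# audit_ssl_conf FILE
# Prints one finding per line; the exit status is the number of findings.
audit_ssl_conf() {
    file=$1
    n=0

    # 1. Resolve the SSLProtocol token list into the set of enabled versions.
    #    mod_ssl semantics: "all" enables every supported version, "-X" removes
    #    X, "+X" or "X" adds X. Anything below TLSv1.2 left enabled is a finding.
    proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' "$file")
    enabled=""
    for tok in $proto; do
        case $tok in
            all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
            -all)     enabled="" ;;
            -*)       enabled=$(printf '%s\n' $enabled | grep -vxF -- "${tok#-}" | tr '\n' ' ') ;;
            *)        enabled="$enabled ${tok#+}" ;;
        esac
    done
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        case " $enabled " in
            *" $p "*) echo "SSLProtocol: legacy protocol $p is enabled"; n=$((n + 1)) ;;
        esac
    done

    # 2. Walk the colon-separated SSLCipherSuite list. 3DES suites (Sweet32) and
    #    suites without (EC)DHE key exchange (no forward secrecy) are findings;
    #    "!X"/"-X" exclusions, "@" directives and TLS 1.3 names are not.
    ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$file")
    old_ifs=$IFS; IFS=:; set -- $ciphers; IFS=$old_ifs
    for tok in "$@"; do
        case $tok in
            *DES-CBC3*) echo "SSLCipherSuite: 3DES suite $tok"; n=$((n + 1)) ;;
            ECDHE-*|DHE-*|EDH-*|TLS_*|!*|-*|@*) ;;
            *) echo "SSLCipherSuite: no forward secrecy in $tok"; n=$((n + 1)) ;;
        esac
    done

    # 3. Without SSLHonorCipherOrder the client, not the server, picks the suite.
    grep -qiE '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$file" \
        || { echo "SSLHonorCipherOrder is not on"; n=$((n + 1)); }

    return $n
}

LEGACY_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$LEGACY_CONF" "$HARDENED_CONF"' EXIT

# Constructed input: an abbreviated version of the ssl.conf settings shown above.
cat > "$LEGACY_CONF" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
EOF

# Constructed input: TLS 1.2 only, forward-secret AEAD suites only.
# (+TLSv1.3 can be added where mod_ssl is built against OpenSSL 1.1.1 or later.)
cat > "$HARDENED_CONF" <<'EOF'
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
EOF

for f in "$LEGACY_CONF" "$HARDENED_CONF"; do
    echo "== $f"
    if audit_ssl_conf "$f"; then echo "no findings"; fi
done
```

Point it at the real file with `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` after editing, then run `sudo apachectl configtest` before the restart. Renewal is the other gap the gist leaves open: `certbot-auto renew` replaces the files under /etc/letsencrypt/live/ but does not reload httpd, so schedule it from root's crontab with `--deploy-hook "service httpd reload"` so the renewed certificate is actually served.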