@CedricL46
Last active March 11, 2019 04:23
#Install git and upgrade all packages
sudo yum update -y
sudo yum install git
#Get the latest version of let's encrypt
git clone https://github.com/letsencrypt/letsencrypt.git
#result:
Cloning into 'letsencrypt'...
remote: Counting objects: 55232, done.
remote: Compressing objects: 100% (55/55), done.
remote: Total 55232 (delta 38), reused 38 (delta 31), pack-reused 55146
Receiving objects: 100% (55232/55232), 17.65 MiB | 4.14 MiB/s, done.
Resolving deltas: 100% (39848/39848), done.
#Adapt let's encrypt so it recognizes an Amazon Linux 2 instance
#(the current version of let's encrypt doesn't detect it automatically)
sudo vim /etc/issue
#Add a line containing 'Amazon Linux':
#the current version of let's encrypt looks for it, and it is missing from Amazon Linux 2.
#/etc/issue should then read:
\S
Kernel \r on an \m
Amazon Linux
#Generate a certificate for your domain :
cd letsencrypt/
sudo ./certbot-auto certonly --debug --webroot -w /var/www/html -d YOURDOMAIN.com -d www.YOURDOMAIN.com
#It will ask for a few pieces of information and then print:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/YOURDOMAIN.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem
Your cert will expire on DATE. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
#Update the httpd ssl conf with the certificate paths:
sudo vim /etc/httpd/conf.d/ssl.conf
#Search for SSLProtocol (in vim: ?SSLProtocol) and modify it as follows
# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. Disable SSLv2 and SSLv3 access by default:
SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
# Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop +TLSv1 +TLSv1.1 if your clients can do without them.
## Replace the SSLCipherSuite line with:
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
## Point SSLCertificateFile at your certificate:
SSLCertificateFile /etc/letsencrypt/live/YOURDOMAIN.com/cert.pem
## Same logic for SSLCertificateKeyFile and SSLCertificateChainFile:
SSLCertificateKeyFile /etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURDOMAIN.com/chain.pem
#Bounce your apache server (run 'apachectl configtest' first to catch typos in ssl.conf):
sudo service httpd restart
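#Added example (not part of CedricL46's gist): a POSIX shell script, hypothetically named check_le.sh,
#that verifies the result of the steps above. It checks the 'Amazon Linux' marker in /etc/issue,
#confirms that every certificate path in /etc/httpd/conf.d/ssl.conf exists, rejects an SSLProtocol
#line that still allows SSLv2/SSLv3, reports days until expiry, and runs apachectl configtest.
#Paths are the ones used in the gist; 'date -d' is the GNU form shipped with Amazon Linux 2.

```shell
#!/bin/sh
# check_le.sh (added example, not from the original gist): sanity checks for the
# Let's Encrypt + Apache setup described above. Assumed paths: /etc/issue and
# /etc/httpd/conf.d/ssl.conf, as used in the gist.
set -u

ISSUE_FILE=/etc/issue
SSL_CONF=/etc/httpd/conf.d/ssl.conf

# Succeeds if the file carries the 'Amazon Linux' marker certbot-auto looks for.
has_amazon_linux_marker() {
    grep -q 'Amazon Linux' "$1"
}

# Print the value of an Apache directive: apache_directive CONF NAME
# (first uncommented match, empty if absent).
apache_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Every certificate path referenced by the config must exist and be readable;
# missing ones are reported and the function returns 1.
check_cert_paths() {
    conf="$1"; missing=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        p=$(apache_directive "$conf" "$d")
        if [ -z "$p" ]; then
            echo "$d: not set in $conf"; missing=1
        elif [ ! -r "$p" ]; then
            echo "$d: $p is missing or unreadable"; missing=1
        fi
    done
    return "$missing"
}

# Succeeds only if the SSLProtocol line cannot enable SSLv2 or SSLv3:
# no bare or '+' SSLv2/SSLv3 token, and 'all' only together with '-SSLv3'.
check_ssl_protocol() {
    proto=$(apache_directive "$1" SSLProtocol)
    [ -n "$proto" ] || { echo "SSLProtocol is not set in $1"; return 1; }
    bad=0
    for tok in $proto; do
        case "$tok" in
            SSLv2|SSLv3|+SSLv2|+SSLv3) bad=1 ;;
            all) case " $proto " in *" -SSLv3 "*) ;; *) bad=1 ;; esac ;;
        esac
    done
    [ "$bad" -eq 0 ] || echo "SSLProtocol still allows SSLv2/SSLv3: '$proto'"
    return "$bad"
}

# Days until the certificate at $1 expires (needs openssl and GNU date).
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Live checks against the real host files.
run_live_checks() {
    rc=0
    has_amazon_linux_marker "$ISSUE_FILE" || { echo "$ISSUE_FILE lacks the 'Amazon Linux' line"; rc=1; }
    check_cert_paths "$SSL_CONF" || rc=1
    check_ssl_protocol "$SSL_CONF" || rc=1
    cert=$(apache_directive "$SSL_CONF" SSLCertificateFile)
    if [ -r "$cert" ]; then echo "certificate expires in $(cert_days_left "$cert") days"; fi
    apachectl configtest || rc=1   # catches typos in ssl.conf before the restart
    return "$rc"
}

# Offline demo on a constructed ssl.conf (chain.pem deliberately left missing).
run_demo() {
    d=$(mktemp -d)
    touch "$d/cert.pem" "$d/privkey.pem"
    printf 'SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2\nSSLCertificateFile %s/cert.pem\nSSLCertificateKeyFile %s/privkey.pem\nSSLCertificateChainFile %s/chain.pem\n' "$d" "$d" "$d" > "$d/ssl.conf"
    check_ssl_protocol "$d/ssl.conf" && echo "SSLProtocol ok"
    check_cert_paths "$d/ssl.conf" || echo "demo: expected failure, chain.pem is absent"
    rm -rf "$d"
}

# Usage: sh check_le.sh --run   (live checks; run as root so privkey.pem is readable)
#        sh check_le.sh         (offline demo on the constructed config)
if [ "${1:-}" = "--run" ]; then run_live_checks; else run_demo; fi
```

Run it with --run after editing ssl.conf and before the restart: a non-zero exit means a referenced file is missing, the protocol line is weaker than intended, or the config does not parse.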