Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Letsencrypt installation
cd /etc/httpd
mkdir /etc/httpd/sites-available
mkdir /etc/httpd/sites-enabled

Append

IncludeOptional sites-enabled/*.conf

To vim /etc/httpd/conf/httpd.conf

Create vhost

/etc/httpd/sites-available/example.com.conf
<VirtualHost *:80>
	ServerName example.com
	ServerAlias www.example.com
	DocumentRoot /var/www/html
	ErrorLog /var/log/apache/example.com/error.log
</VirtualHost>

Enable vhost

ln -s /etc/httpd/sites-available/example.com.conf /etc/httpd/sites-enabled/example.com.conf

Comment #ServerName example.com:80 and ServerAlias www.example.com in /etc/httpd/conf/httpd.conf

Create logs folder:

mkdir -p /var/log/apache/example.com
apachectl configtest
systemctl restart httpd

Install certbot

yum install epel-release mod_ssl -y
yum install python-certbot-apache -y
certbot --apache -d example.com -d www.example.com

Remove the entire <VirtualHost> in /etc/httpd/conf.d/ssl.conf. (Keep a backup just in case.)

Autorenewal

crontab -e
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

Install git and bc

sudo apt-get install git bc

Install letsencrypt

git clone https://github.com/certbot/certbot.git /opt/letsencrypt

read more: https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491

mkdir /etc/nginx/snippets
vim /etc/nginx/snippets/letsencrypt-acme-challenge.conf

data:

location ^~ /.well-known/acme-challenge/ {
	default_type "text/plain";
	root         /tmp/letsencrypt;
}
location = /.well-known/acme-challenge/ {
	return 404;
}

Include include /etc/nginx/snippets/letsencrypt-acme-challenge.conf; to existing vhost config (inside server{} block)

Request certificate

mkdir -p /tmp/letsencrypt && sudo /opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/tmp/letsencrypt -d DOMAIN -d SUBDOMAIN

Create private key

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Edit nginx config

server {
	server_name example.com www.example.com
	listen 80;
	return 301 https://$host$request_uri;
}


server {
	listen 443 ssl;
	server_name example.com www.example.com;

	include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; 
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;

	ssl_stapling on;
	ssl_stapling_verify on;
	add_header Strict-Transport-Security max-age=15768000;

	root /usr/share/nginx/html;
	index index.html index.htm;

	location / {
		try_files $uri $uri/ =404;
	}
}

Add crontab task to auto-renew certificates

sudo crontab -e

With content

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew --post-hook "service nginx reload" >> /var/log/le-renew.log

Update Letsencrypt

cd /opt/letsencrypt
sudo git pull
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment