Examples of getting certificates from Let's Encrypt working on Apache, NGINX and Node.js servers.
I chose the manual method, where you have to make a file available to verify that you own the domain. Follow the prompts after running:

```sh
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --manual --email admin@example.com -d example.com
```
This creates a directory, /etc/letsencrypt/live/example.com/, containing the certificate files:
- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem

```javascript
const https = require('https');
const fs = require('fs');

// Private key, server certificate and intermediate chain from the Let's Encrypt live directory
const options = {
  key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/example.com/cert.pem'),
  ca: fs.readFileSync('/etc/letsencrypt/live/example.com/chain.pem')
};

// Serve a fixed response over HTTPS on port 8000
https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(8000);
```

```apache
LoadModule ssl_module libexec/apache2/mod_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/example.com/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
    # SSLCertificateChainFile is obsolete as of Apache 2.4.8; there, SSLCertificateFile can point at fullchain.pem instead.
    SSLCertificateChainFile "/etc/letsencrypt/live/example.com/chain.pem"
</VirtualHost>
```

```nginx
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
```

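
The Node.js and Apache configurations above take cert.pem plus chain.pem, while NGINX takes fullchain.pem. The following added example (not part of the original post) checks that the four files in the live directory are structurally consistent before a server is pointed at them. The function names `pemBlocks`, `checkLiveFiles` and `loadLiveDir` are hypothetical, and the sample PEM text is constructed placeholder data.

```javascript
const fs = require('fs');
const path = require('path');
const NAMES = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem'];

// Split PEM text into { label, body } blocks; body is the base64 with whitespace removed.
function pemBlocks(text) {
  const re = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;
  return Array.from(text.matchAll(re), (m) => ({ label: m[1], body: m[2].replace(/\s+/g, '') }));
}

// files maps each name in NAMES to its text. Returns a list of problems; empty means consistent.
function checkLiveFiles(files) {
  const missing = NAMES.filter((n) => typeof files[n] !== 'string');
  if (missing.length) return missing.map((n) => `${n}: missing`);
  const certs = (n) => pemBlocks(files[n]).filter((b) => b.label === 'CERTIFICATE').map((b) => b.body);
  const [leaf, chain, full] = ['cert.pem', 'chain.pem', 'fullchain.pem'].map(certs);
  const problems = [];
  if (leaf.length !== 1) problems.push(`cert.pem: expected 1 certificate, found ${leaf.length}`);
  if (chain.length < 1) problems.push('chain.pem: no intermediate certificate');
  // fullchain.pem (what NGINX is given) must be the leaf followed by the chain, in that order.
  const expected = leaf.concat(chain);
  if (full.length !== expected.length || full.some((b, i) => b !== expected[i])) {
    problems.push('fullchain.pem: not cert.pem followed by chain.pem');
  }
  const keys = pemBlocks(files['privkey.pem']);
  if (keys.length !== 1 || !keys[0].label.endsWith('PRIVATE KEY')) {
    problems.push('privkey.pem: expected exactly one private key block');
  }
  return problems;
}

// Read whichever of the four files exist in a live directory.
function loadLiveDir(dir) {
  const files = {};
  for (const n of NAMES) {
    const p = path.join(dir, n);
    if (fs.existsSync(p)) files[n] = fs.readFileSync(p, 'utf8');
  }
  return files;
}

// Constructed placeholder PEM text (not real certificates or keys) for an offline run.
const pem = (label, body) => `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
const sample = {
  'cert.pem': pem('CERTIFICATE', 'TEVBRg=='),
  'chain.pem': pem('CERTIFICATE', 'SU5URVJNRURJQVRF'),
  'fullchain.pem': pem('CERTIFICATE', 'TEVBRg==') + pem('CERTIFICATE', 'SU5URVJNRURJQVRF'),
  'privkey.pem': pem('PRIVATE KEY', 'S0VZ'),
};
```

On a server, `checkLiveFiles(loadLiveDir('/etc/letsencrypt/live/example.com/'))` runs the same check on the real files. It compares PEM blocks only and does not verify signatures, expiry, or that the key matches the certificate.
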
I just switched from nginx to apache under direction from my boss (I cringed at the notion... but was easier done than said). Apparently it's straightforward to update your letsencrypt.
To prepare Apache properly for SSL, follow this tutorial for CentOS 7 here:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
The tutorial feels vague, but there are just a couple of relevant parts you need to do beforehand. I did it ass backwards until I realised I was a total numpty.
Create your vhosts for port 80 for all your domains, start your server and then run sudo certbot --apache and follow the questions. Letsencrypt creates your SSL conf files for you wherever they may reside, such as in /etc/httpd/sites-enabled. It even injects a redirect to your VirtualHost *:80 files. So you need to keep those enabled.