Seven Minute Server

May 4, 2017 - 4 minute read - Security

Installing an SSL cert on your server with CentOS/Apache 2.4/Let's Encrypt

Using Let’s Encrypt is so easy, there’s no excuse not to do it…the only drawback is that certificates expire after three months, but they’ll email to give you a heads-up when it gets close to time to switch ‘em up…and it really is simple (and free!) to get them issued.

Here’s a run-through of how to use Certbot to install a Let’s Encrypt SSL certificate on an Amazon Linux image:

  1. SSH into your web server.

  2. Download certbot:

    wget https://dl.eff.org/certbot-auto
    
  3. Make certbot-auto executable:

    chmod 700 certbot-auto
    
  4. Run certbot (use --debug if you’re using the Amazon AMI) with the --apache flag.

    sudo ./certbot-auto --debug --apache
    
  5. When prompted to install dependencies, type y.

  6. When prompted to provide an email address for renewal notices, enter your email address.

  7. Read the Terms of Service; if you agree, type A and press Enter.

  8. If you’re willing to share your email address with the EFF, type it in and press Enter.

  9. Certbot will search your configuration file for virtual hosts that contain ServerName directives. This may be broken for Apache 2.4 on CentOS, because it does not find the /etc/httpd/conf/httpd.conf file or the ServerName directives you’ve added there. This is probably just as well as Certbot doesn’t support multiple VirtualHosts and you don’t want a script mucking about in your carefully-crafted httpd.conf anyway; you can move the info from ssl.conf into your httpd.conf later if you like.

  10. If Certbot doesn’t find your config files and domain names successfully, you’ll be prompted to type in your names. Type in your domain name (if multiple, separate with a space or comma) and press Enter.

    No names were found in your configuration files. Please enter in your domain
    name(s)(comma and/or space separated) (Enter 'c' to cancel):
    yourdomain.com
    
  11. Certbot will perform a challenge to ensure you are running it from the domain; this will fail if your web server isn’t running and/or web ports aren’t open. You can either enable them quickly enough for the challenge to succeed, or just cancel and rerun once you’ve opened them.

    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for yourdomain.com
    
  12. In my case, Certbot wasn’t able to find my virtual host entry (enhancement request for Certbot: Let us enter our configuration directory! :), so it gave me the option to put the configuration in ssl.conf (/etc/httpd/conf.d/ssl.conf). Type 1 to assent and press Enter.

    We were unable to find a vhost with a ServerName or Address of
      yourdomain.com.
    Which virtual host would you like to choose?
    (note: conf files with multiple vhosts are not yet supported)
    ---------------------------------------------------------------------------
    1: ssl.conf                       |                       | HTTPS | Enabled
    ---------------------------------------------------------------------------
    Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
    
  13. Certbot then generates the server’s private and public key pair, generates a certificate signing request, sends it over to Let’s Encrypt, and returns the certificate.

    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
    
  14. If you’re running the same version I am, you’ll get asked again where to put your configuration info; type 1 to choose ssl.conf and press Enter.

    We were unable to find a vhost with a ServerName or Address of
      yourdomain.com.
    Which virtual host would you like to choose?
    (note: conf files with multiple vhosts are not yet supported)
    ---------------------------------------------------------------------------
    1: ssl.conf                       |                       | HTTPS | Enabled
    ---------------------------------------------------------------------------
    Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
    
  15. Certbot will copy the keys and update ssl.conf with a configured default VirtualHost container that specifies SSL options and certificate location.

    Deploying Certificate for 7minuteserver.com to VirtualHost
    /etc/httpd/conf.d/ssl.conf
    
  16. You’ll be prompted to choose whether HTTPS access is optional (1) or required (2) — depending on what you choose here, Certbot will configure the VirtualHosts in ssl.conf accordingly (in my case, I’m already redirecting port 80 traffic to 443, but chose 2 anyway; didn’t seem to break anything).

    Please choose whether HTTPS access is required or optional.
    -------------------------------------------------------------
    1: Easy - Allow both HTTP and HTTPS access to these sites
    2: Secure - Make all requests redirect to secure HTTPS access
    -------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    
  17. You’re all done! Open your site in a browser using https://mydomain/ and check your certificate. Then, you can check your configuration at https://www.ssllabs.com/ssltest/analyze.html. Make a few more tweaks and you may find your goofy blog gets a better grade than your bank… 0_o
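Once Certbot has finished (steps 12 through 16), it helps to look at what it actually wrote before trusting the SSL Labs grade. The Python below is an added example, not code from the post or from Certbot: it parses the VirtualHost entries, confirms the :443 host points at the Let's Encrypt chain and key under /etc/letsencrypt/live and includes Certbot's TLS options file, and checks that the port-80 host rewrites to https:// if you chose option 2. The sample config is constructed to look like Certbot's output for the post's domain; it is not taken from any real server.

```python
import re
# Constructed sample modelled on what certbot --apache writes (option 2 chosen); not from a real server.
SAMPLE_CONF = """
<VirtualHost *:80>
  ServerName yourdomain.com
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =yourdomain.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost _default_:443>
  ServerName yourdomain.com
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
def parse_vhosts(text):
    """Return [(address, {directive_lowercased: [values]})] for every VirtualHost block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)  # strip comments, split name / value
            if parts:
                directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
        vhosts.append((addr.strip(), directives))
    return vhosts
def audit(text, domain):
    """Return findings for the :443 VirtualHost of domain; an empty list means it looks right."""
    live = "/etc/letsencrypt/live/%s/" % domain
    tls = [d for a, d in parse_vhosts(text) if a.endswith(":443") and domain in d.get("servername", [])]
    if not tls:
        return ["no :443 VirtualHost with ServerName %s" % domain]
    d, findings = tls[0], []
    cert, chain = d.get("sslcertificatefile", [""])[0], d.get("sslcertificatechainfile", [""])[0]
    # Apache before 2.4.8 can't take the chain from SSLCertificateFile, so Certbot writes cert.pem plus
    # SSLCertificateChainFile chain.pem there; cert.pem with no chain file serves an incomplete chain.
    if cert != live + "fullchain.pem" and not (cert == live + "cert.pem" and chain == live + "chain.pem"):
        findings.append("SSLCertificateFile should be %sfullchain.pem (or cert.pem plus chain.pem)" % live)
    if d.get("sslcertificatekeyfile", [""])[0] != live + "privkey.pem":
        findings.append("SSLCertificateKeyFile should be %sprivkey.pem" % live)
    if not any("options-ssl-apache.conf" in v for v in d.get("include", [])):
        findings.append("Certbot's options-ssl-apache.conf (protocol and cipher settings) is not included")
    return findings
def redirects_to_https(text, domain):  # True when the port-80 host rewrites to https:// (Certbot's option 2)
    for addr, d in parse_vhosts(text):
        if addr.endswith(":80") and domain in d.get("servername", []):
            return any(v.startswith("^ https://") for v in d.get("rewriterule", []))
    return False
```

To run it against a real server, read ssl.conf and httpd.conf, concatenate their text, and pass it to audit() and redirects_to_https() with your domain.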