How to Configure letsencrypt with Apache on Centos 7 Server

From Brian Nelson Ramblings
Revision as of 13:46, 19 December 2015 by Brian (Talk | contribs)

Jump to: navigation, search

How to Configure letsencrypt with Apache on Centos 7 Server

With all the talk about FREE ssl certificates and how Google is trying to move towards a more secure internet.

I thought it was time to setup an SSL Certificate with Letsencrypt on Centos 7

Install letsencrypt

Get everything using Git

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Now I must note this was done on a Fresh VPS with nothing else installed.

I did have to stop firewalld to get everything to function correctly.

systemctl stop firewalld

Generating the SSL Certificate

Now since I do not have apache or anything else installed yet, I did certificates only in standalone.

./letsencrypt-auto certonly --standalone --email [email protected] -d briansnelson.com -d www.briansnelson.com

You will get a notice that everything has been completed and where can find your ssl certificates

To view your ssl certificates

cd /etc/letsencrypt/live/www.briansnelson.com/
ls

Output:

cert.pem  chain.pem  fullchain.pem  privkey.pem

Clean up

Also do not forget to start the firewall backup

systemctl start firewalld

Install Apache and Configure to LetsEncrypt Certificates

Installing Apache with mod_ssl:

yum install httpd mod_ssl

Allow Port 80 and 443 via Firewalld

Allow the default HTTP and HTTPS port, ports 80 and 443, through firewalld:

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp

And reload the firewall:

firewall-cmd --reload

Configure Apache to Start on Boot

First start Apache

systemctl start httpd

Be sure Apache is set to start at Boot

systemctl enable httpd

Configure Apache to Use LetsEncrypt SSL Certificates

Edit the ssl.conf file

vim /etc/httpd/conf.d/ssl.conf

Find the following lines and set them with the correct values:

SSLCertificateFile    /etc/letsencrypt/live/briansnelson.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/briansnelson.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/briansnelson.com/fullchain.pem

I would also suggest making the following changes for better compliance:

SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol all -SSLv2 -SSLv3 -TLSv1