Difference between revisions of "How to Configure letsencrypt with Apache on Centos 7 Server"

From Brian Nelson Ramblings
(Created page with "==How to Configure letsencrypt with Apache on Centos 7 Server== With all the talk about FREE ssl certificates and how Google is trying to move towards a more secure internet....")
 
Line 3: Line 3:
 
With all the talk about FREE ssl certificates and how Google is trying to move towards a more secure internet.  
 
With all the talk about FREE ssl certificates and how Google is trying to move towards a more secure internet.  
  
I thought it was time to setup an SSL Certificate with Letsencrypt on Centos 7
+
I thought it was time to setup an SSL Certificate with [https://letsencrypt.org/ Letsencrypt] on Centos 7
  
 
===Install letsencrypt===
 
===Install letsencrypt===
Line 40: Line 40:
  
 
  systemctl start firewalld
 
  systemctl start firewalld
 +
 +
===Install Apache and Configure to LetsEncrypt Certificates===
 +
 +
====Installing Apache with mod_ssl:====
 +
 +
yum install httpd mod_ssl
 +
 +
====Allow Port 80 and 443 via Firewalld====
 +
 +
Allow the default HTTP and HTTPS port, ports 80 and 443, through firewalld:
 +
 +
firewall-cmd --permanent --add-port=80/tcp
 +
firewall-cmd --permanent --add-port=443/tcp
 +
 +
And reload the firewall:
 +
 +
firewall-cmd --reload
 +
 +
====Configure Apache to Start on Boot====
 +
 +
First start Apache
 +
 +
systemctl start httpd
 +
 +
Be sure Apache is set to start at Boot
 +
 +
systemctl enable httpd
 +
 +
===Configure Apache to Use LetsEncrypt SSL Certificates===
 +
 +
Edit the ssl.conf file
 +
 +
vim /etc/httpd/conf.d/ssl.conf
 +
 +
Find the following lines and set them with the correct values:
 +
 +
SSLCertificateFile    /etc/letsencrypt/live/briansnelson.com/cert.pem
 +
SSLCertificateKeyFile /etc/letsencrypt/live/briansnelson.com/privkey.pem
 +
SSLCertificateChainFile /etc/letsencrypt/live/briansnelson.com/fullchain.pem
 +
 +
I would also suggest making the following changes for better compliance:
 +
 +
SSLCipherSuite AES256+EECDH:AES256+EDH
 +
 +
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
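Review bot: in the added "Configure Apache to Use LetsEncrypt SSL Certificates" lines, SSLCertificateChainFile points at fullchain.pem while SSLCertificateFile already points at cert.pem, so the server certificate is presented a second time as part of the chain; point SSLCertificateChainFile at chain.pem from the same directory instead. The three paths also use /etc/letsencrypt/live/briansnelson.com/, whereas the earlier "To view your ssl certificates" step lists the files under /etc/letsencrypt/live/www.briansnelson.com/, so the two steps should name the same directory. SSLProtocol all -SSLv2 -SSLv3 -TLSv1 still leaves TLSv1.1 enabled; state that this is intended or add -TLSv1.1.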

Revision as of 13:46, 19 December 2015

How to Configure letsencrypt with Apache on Centos 7 Server

With all the talk about free SSL certificates and how Google is trying to move towards a more secure internet, I thought it was time to set up an SSL certificate with Letsencrypt on CentOS 7.

Install letsencrypt

Get everything using Git

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Now I must note this was done on a fresh VPS with nothing else installed.

I did have to stop firewalld to get everything to function correctly.

systemctl stop firewalld

Generating the SSL Certificate

Now, since I do not have Apache or anything else installed yet, I did certificates only, in standalone mode.

./letsencrypt-auto certonly --standalone --email briansnelson@gmail.com -d briansnelson.com -d www.briansnelson.com

You will get a notice that everything has been completed and where you can find your SSL certificates.

To view your SSL certificates:

cd /etc/letsencrypt/live/www.briansnelson.com/
ls

Output:

cert.pem  chain.pem  fullchain.pem  privkey.pem

Clean up

Also, do not forget to start the firewall back up:

systemctl start firewalld

Install Apache and Configure to LetsEncrypt Certificates

Installing Apache with mod_ssl:

yum install httpd mod_ssl

Allow Port 80 and 443 via Firewalld

Allow the default HTTP and HTTPS ports, 80 and 443, through firewalld:

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp

And reload the firewall:

firewall-cmd --reload

Configure Apache to Start on Boot

First start Apache

systemctl start httpd

Be sure Apache is set to start at boot

systemctl enable httpd

Configure Apache to Use LetsEncrypt SSL Certificates

Edit the ssl.conf file

vim /etc/httpd/conf.d/ssl.conf

Find the following lines and set them to the correct values:

SSLCertificateFile    /etc/letsencrypt/live/briansnelson.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/briansnelson.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/briansnelson.com/fullchain.pem

I would also suggest making the following changes for better compliance:

SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
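
An added check for the ssl.conf edits above (example code, not from the original page or the Let's Encrypt project): it confirms that the key and chain files sit in the same live/ directory as the certificate and that SSLProtocol leaves SSLv2, SSLv3 and TLSv1 disabled. The function names, the finding labels and the example.com sample file are assumptions constructed for illustration.

```shell
# Added example (not from the original page): lint the mod_ssl directives set in ssl.conf.

# Value of the last uncommented occurrence of directive $2 in file $1.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# Succeeds if protocol $2 is left enabled by SSLProtocol value $1.
# Tokens are applied left to right: a bare name resets the set, +name/-name adjust it.
proto_enabled() {
    enabled=no
    for tok in $1; do
        case $tok in
            all|+all|"$2"|"+$2")  enabled=yes ;;
            -all|"-$2"|[!+-]*)    enabled=no ;;
        esac
    done
    [ "$enabled" = yes ]
}

# Print one finding per line; return 1 if there is any finding.
check_ssl_conf() {
    conf=$1; bad=0
    cert=$(directive "$conf" SSLCertificateFile)
    for name in SSLCertificateKeyFile SSLCertificateChainFile; do
        path=$(directive "$conf" "$name")
        # Key and chain should sit in the same live/<name>/ directory as the cert.
        if [ -n "$path" ] && [ "$(dirname "$path")" != "$(dirname "$cert")" ]; then
            echo "DIR-MISMATCH $name $path"; bad=1
        fi
    done
    proto=$(directive "$conf" SSLProtocol)
    for p in SSLv2 SSLv3 TLSv1; do   # the protocols the page turns off
        if proto_enabled "$proto" "$p"; then echo "PROTO-ENABLED $p"; bad=1; fi
    done
    return $bad
}

# Constructed sample: a weaker SSLProtocol line and a key path in another directory.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLProtocol all -SSLv2
SSLCertificateFile    /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
EOF
check_ssl_conf "$sample" || true; rm -f "$sample"
```

The check reads only the last occurrence of each directive, so a file with several virtual hosts needs one run per host section.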