Tutorial Install Let’s Encrypt Centos7


Tutorial Install Let's Encrypt Centos7 – Let's Encrypt is a free, automated, and open certificate authority run by the non-profit Internet Security Research Group (ISRG). In this tutorial we will install Let's Encrypt on CentOS 7 alongside the Tengine web server.


Before starting we need to install a package that the renewal script later in this tutorial depends on.

Note: this assumes you already have a web server installed on your server. If not, you can follow the tutorial How to Install Tengine, php7 and MariaDB on Centos 7.

[root@TengineC7 ~]# yum install bc
1. Clone the Let's Encrypt client (used to obtain the free SSL certificate)
[root@TengineC7 ~]# cd /opt
[root@TengineC7 opt]# git clone https://github.com/letsencrypt/letsencrypt

2. Generate a Free Let’s Encrypt SSL Certificate for Nginx
[root@TengineC7 opt]# cd letsencrypt/
[root@TengineC7 letsencrypt]# ./letsencrypt-auto certonly --standalone -d mydomain.com -d www.mydomain.com
(this step takes a while, as the client first installs its own dependencies)
————————————————————

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): myemail@gmail.com

——————————————————————————-
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
——————————————————————————-
(A)gree/(C)ancel: A

——————————————————————————-
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
——————————————————————————-
(Y)es/(N)o: Y
————————————————————
If you get an error like this:
————————————————————
Failed authorization procedure. mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:
– The following errors were reported by the server:

Domain: mydomain.com
Type: connection
Detail: Connection refused

To fix this error, open (allow) port 443 in your server's firewall so that the standalone authenticator can be reached for the challenge, then run the command again:
————————————————————

[root@TengineC7 letsencrypt]# ./letsencrypt-auto certonly --standalone -d mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.com/privkey.pem
Your cert will expire on 2017-11-22. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Install Let’s Encrypt SSL Certificate in Nginx

Now that you own a free SSL/TLS certificate, it is time to install it in the Nginx web server so that your domain can use it.
All new SSL certificates are placed in /etc/letsencrypt/live/ under a directory named after your domain. Use the ls command to list the certificate files issued for your domain and identify them (note that they are symlinks into /etc/letsencrypt/archive/, which is where renewed versions are stored).
[root@TengineC7 letsencrypt]# ls /etc/letsencrypt/live/
mydomain.com
[root@TengineC7 letsencrypt]# ls -al /etc/letsencrypt/live/mydomain.com/
total 4
drwxr-xr-x. 2 root root 93 Aug 24 07:07 .
drwx------. 3 root root 30 Aug 24 07:07 ..
lrwxrwxrwx. 1 root root 40 Aug 24 07:07 cert.pem -> ../../archive/mydomain.com/cert1.pem
lrwxrwxrwx. 1 root root 41 Aug 24 07:07 chain.pem -> ../../archive/mydomain.com/chain1.pem
lrwxrwxrwx. 1 root root 45 Aug 24 07:07 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx. 1 root root 43 Aug 24 07:07 privkey.pem -> ../../archive/mydomain.com/privkey1.pem
-rw-r--r--. 1 root root 543 Aug 24 07:07 README
[root@TengineC7 letsencrypt]#
[root@TengineC7 letsencrypt]# mkdir /etc/letsencrypt/ssl
[root@TengineC7 letsencrypt]# cd /etc/letsencrypt/ssl/
[root@TengineC7 ssl]# openssl dhparam -out dhparams.pem 4096

To install the certificate files in Nginx and enable SSL, open /etc/nginx/nginx.conf or the /etc/nginx/domain.com.conf file (in my configuration: /usr/local/nginx/conf/domains/mydomain.com.conf) for editing and add the statements below after the last listen line in the server block.
[root@TengineC7 letsencrypt]# nano /usr/local/nginx/conf/domains/mydomain.com.conf
Add this line :
——————————————————————-
ssl on;
ssl_prefer_server_ciphers on;
listen 443 ssl default_server;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES25$
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_dhparam /etc/letsencrypt/ssl/dhparams.pem;
ssl_session_timeout 30m;
ssl_buffer_size 8k;
add_header Strict-Transport-Security max-age=31536000;
——————————————————————-
Replace the domain name string for SSL certificates to match your own domain.

3. Finally, restart the Nginx service
[root@TengineC7 letsencrypt]# systemctl restart nginx
and visit your domain over HTTPS at https://mydomain.com; the page should load smoothly, without any certificate error.

Auto-Renew the Free Let's Encrypt SSL Certificate in Nginx

[root@TengineC7 letsencrypt]# nano /usr/local/bin/cert-autorenew
Add the following lines to the cert-autorenew file.
——————————————————————-
#!/bin/bash
# Renew the Let's Encrypt certificate for the domain given as the first argument
# when it is within $exp_limit days of expiry, then reload Nginx.
webpath='/usr/www/mydomain.com/public_html/'   # document root served by Nginx (webroot challenge)
domain=$1
le_path='/opt/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30

# Read the list of domains covered by the certificate from its renewal config.
get_domain_list(){
    certdomain=$1
    config_file="$le_conf/renewal/$certdomain.conf"
    if [ ! -f "$config_file" ] ; then
        echo "[ERROR] The config file for the certificate $certdomain was not found."
        exit 1
    fi
    domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
    # Strip a trailing comma, if there is one.
    last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')
    if [ "${last_char}" = "," ]; then
        domains=$(echo "${domains}" | awk '{print substr($0, 1, length-1)}')
    fi
    echo "$domains"
}

if [ -z "$domain" ] ; then
    echo "[ERROR] you must provide the domain name for the certificate renewal."
    exit 1
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
if [ ! -f "$cert_file" ]; then
    echo "[ERROR] certificate file not found for domain $domain."
    exit 1
fi

# Expiry date of the current certificate as seconds since the epoch
# (-enddate prints "notAfter=<date>", so take the part after the '=').
exp=$(date -d "$(openssl x509 -in "$cert_file" -enddate -noout | cut -d= -f2)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 | bc)

echo "Checking expiration date for $domain..."
if [ "$days_exp" -gt "$exp_limit" ] ; then
    echo "The certificate is up to date, no need for renewal ($days_exp days left)."
    exit 0
else
    echo "The certificate for $domain is about to expire soon. Starting renewal request..."
    domain_list=$( get_domain_list "$domain" )
    "$le_path"/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path="$webpath" --domains "${domain_list}"
    echo "Reloading Nginx..."
    sudo systemctl reload nginx
    echo "Renewal process finished for domain $domain"
    exit 0
fi
——————————————————————-
[root@TengineC7 letsencrypt]# chmod +x /usr/local/bin/cert-autorenew
You can test the script against your domain by issuing the following command:
[root@TengineC7 letsencrypt]# /usr/local/bin/cert-autorenew mydomain.com
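The renewal decision the script makes (days left compared with exp_limit) factored into functions that can be checked against fixed dates, as an added example that is not part of the original tutorial's script. It reads the expiry from openssl's -enddate output instead of cutting fixed columns from -text, accepts the "Not After :" form as well, and assumes GNU date (as shipped with CentOS 7); check_cert, days_until_expiry and needs_renewal are names chosen here.

```bash
#!/bin/sh
# Added example (not from the original tutorial): testable expiry check for a
# Let's Encrypt certificate. Assumes GNU date, as on CentOS 7.

# days_until_expiry NOTAFTER NOW_EPOCH
#   NOTAFTER is the line printed by "openssl x509 -enddate -noout"
#   ("notAfter=Nov 22 07:07:00 2017 GMT") or by "openssl x509 -text"
#   ("Not After : ..."); NOW_EPOCH is seconds since the epoch.
#   Prints the whole number of days left (0 or negative once expired).
days_until_expiry() {
    notafter=$(printf '%s\n' "$1" | sed 's/^notAfter=//; s/^ *Not After *: *//')
    exp=$(date -u -d "$notafter" +%s) || return 1
    echo $(( (exp - $2) / 86400 ))
}

# needs_renewal DAYS LIMIT
#   Succeeds (exit 0) when the certificate must be renewed, i.e. DAYS is not
#   greater than LIMIT; this is the same rule the tutorial's script applies.
needs_renewal() {
    [ "$1" -le "$2" ]
}

# check_cert FULLCHAIN [LIMIT]
#   Reads the live certificate and prints "renew" or "ok" with the days left.
#   Returns 2 when the file cannot be read or parsed, so a caller never
#   mistakes a broken certificate file for one that is still valid.
check_cert() {
    cert="$1"; limit="${2:-30}"
    [ -r "$cert" ] || { echo "[ERROR] cannot read $cert" >&2; return 2; }
    line=$(openssl x509 -enddate -noout -in "$cert") || return 2
    days=$(days_until_expiry "$line" "$(date -u +%s)") || return 2
    if needs_renewal "$days" "$limit"; then
        echo "renew: $days day(s) left (limit $limit)"
    else
        echo "ok: $days day(s) left (limit $limit)"
    fi
}

# Usage, e.g. from the renewal script:
#   check_cert /etc/letsencrypt/live/mydomain.com/fullchain.pem 30
```

Driving the renewal from check_cert's exit status rather than from a fixed column offset means a malformed or unreadable certificate file stops the job instead of silently reporting "up to date".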

Finally, to run the certificate renewal process automatically, add a new cron job that executes the script every week, so that the certificate is renewed within the 30 days before its expiration date.
[root@TengineC7 letsencrypt]# nano /etc/crontab
Add the following line at the bottom of the file
——————————————————————-
1 7 * * 1 /usr/local/bin/cert-autorenew mydomain.com >> /var/log/mydomain.com-renew.log 2>&1
——————————————————————-
Restart crond service
[root@TengineC7 letsencrypt]# systemctl restart crond

That's all! The web server can now deliver secure web content with a free SSL/TLS Let's Encrypt certificate on your website.
