Certbot with Apache: Difference between revisions
| (7 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
===Environment Used to Test=== | ===Environment Used to Test=== | ||
CentOS 7 with Apache 2.4 | CentOS 7 with Apache 2.4. | ||
===Objective(s)=== | ===Objective(s)=== | ||
To never have to buy an SSL certificate for a web site ever again. And as if that weren't enough, to also never have to worry about renewing the certificate either. Sound too good to be true? Well a group of people decided to do something that essentially makes that possible. | To never have to buy an SSL certificate for a web site ever again. And as if that weren't enough, to also never have to worry about renewing the certificate either. Sound too good to be true? Well a group of people decided to do something that essentially makes that possible. Thank you, thank you, thank you... | ||
== | ==Certbot Installation & Configuration== | ||
===Install Certbot=== | ===Install Certbot=== | ||
To install Certbot, type the following command;<syntaxhighlight lang="text"> | To install Certbot, type the following command;<syntaxhighlight lang="text"> | ||
yum install certbot python2-certbot-apache | yum install certbot python2-certbot-apache | ||
OR | |||
dnf install certbot | |||
...remember, in the Linux world things change over time and it also varies depending on the Linux distribution. If the above doesn't work for you, research it. It should be equivalently simple. Maybe start with: dnf search certbot | |||
Below is an example of extra packages, beyond the necessities, to choose from one may or may not need, depending on circumstances; | |||
python-certbot-dns-cloudxns-doc | |||
python-certbot-dns-dnsimple-doc | |||
python3-certbot-apache | |||
python3-certbot-dns-cloudflare | |||
python3-certbot-dns-cloudxns | |||
python3-certbot-dns-digitalocean | |||
python3-certbot-dns-dnsimple | |||
python3-certbot-dns-dnsmadeeasy | |||
python3-certbot-dns-gehirn | |||
python3-certbot-dns-linode | |||
python3-certbot-dns-luadns | |||
python3-certbot-dns-nsone | |||
python3-certbot-dns-ovh | |||
python3-certbot-dns-rfc2136 | |||
python3-certbot-dns-route53 | |||
python3-certbot-dns-sakuracloud | |||
python3-certbot-nginx | |||
</syntaxhighlight>Please note my above described environment. I also had the prerequisite configuration changes for yum configured (and I have the test system configured such that I don't have to use the SUDO command). For more details on installing for a CentOS / Apache system, look [https://certbot.eff.org/lets-encrypt/centosrhel7-apache here]. | </syntaxhighlight>Please note my above described environment. I also had the prerequisite configuration changes for yum configured (and I have the test system configured such that I don't have to use the SUDO command). For more details on installing for a CentOS / Apache system, look [https://certbot.eff.org/lets-encrypt/centosrhel7-apache here]. | ||
| Line 20: | Line 46: | ||
===Obtaining a Certificate=== | ===Obtaining a Certificate=== | ||
Once Certbot is installed, it's crazy simple to obtain a certificate. As noted above, use this command;<syntaxhighlight lang="text"> | Once Certbot is installed, it's crazy simple to obtain a certificate. As noted above, use this command;<syntaxhighlight lang="text"> | ||
certbot --apache | certbot --apache (This command will make changes to the Apache configuration files) | ||
OR | OR | ||
certbot certonly | certbot certonly (Use this command if it is not desirable to have CertBot modify Apache configuration files) | ||
</syntaxhighlight>...and then follow the instructions. The first command will give one the choice of having Apache configuration files changed. The latter command only obtains a certification. Remember, this has to be done on the server that hosts the web site as Certbot and Let's Encrypt require a "challenge" to be answered correctly for a certificate to be obtained. The "challenge" question is a temporary file that certbot places in the directory of the web site (and deletes after the certificate is obtained) for the certificate issuing service to verify one is the owner of the web site. DNS is another method that can be used in the "challenge" process, but it is a bit more complex. | </syntaxhighlight>...and then follow the instructions. The first command will give one the choice of having Apache configuration files changed. The latter command only obtains a certification. Remember, this has to be done on the server that hosts the web site as Certbot and Let's Encrypt require a "challenge" to be answered correctly for a certificate to be obtained. The "challenge" question is a temporary file that certbot places in the directory of the web site (and deletes after the certificate is obtained) for the certificate issuing service to verify one is the owner of the web site. DNS is another method that can be used in the "challenge" process, but it is a bit more complex. | ||
Watch out for Certbot modifying the Apache configuration files, even if one declines the setting change in the "wizard / script". It creates it's own Apache configuration file (/etc/httpd/conf/httpd-le-ssl.conf) and adds an Include Directive in the httpd.conf file, so effectively it does change modify Apache settings even if it doesn't include a redirect in the HTTP section of a Virtual Server. If you want to avoid any chance of Certbot messing around with Apache | Watch out for Certbot modifying the Apache configuration files, even if one declines the setting change in the "wizard / script". It creates it's own Apache configuration file (/etc/httpd/conf/httpd-le-ssl.conf) and adds an Include Directive in the httpd.conf file, so effectively it does change modify Apache settings even if it doesn't include a redirect in the HTTP section of a Virtual Server. If you want to avoid any chance of Certbot messing around with Apache. | ||
===Enabling Automatic Certificate Renewal=== | ===Enabling Automatic Certificate Renewal=== | ||
| Line 40: | Line 66: | ||
I don't know how to categorize these next comments, and I don't want it to sound like I'm criticizing them. I suppose 'funny' might be the best category to put it in, so here goes... It took me several hours to read the documentation, experiment with things, and get a full grip on how everything worked. In the end, I realized that the above "Quick Start" instructions are all that are needed to make things work. | I don't know how to categorize these next comments, and I don't want it to sound like I'm criticizing them. I suppose 'funny' might be the best category to put it in, so here goes... It took me several hours to read the documentation, experiment with things, and get a full grip on how everything worked. In the end, I realized that the above "Quick Start" instructions are all that are needed to make things work. | ||
===Web Server Configuration=== | ==Apache, WordPress, etc. Configuration & Testing== | ||
===Apache Web Server Configuration=== | |||
The next step is to configure the Apache configuration files with the Certificates, SSL changes, etc. All of this can be done automatically with Certbot (not detailed in this article) or configured manually (as I prefer to do it). | The next step is to configure the Apache configuration files with the Certificates, SSL changes, etc. All of this can be done automatically with Certbot (not detailed in this article) or configured manually (as I prefer to do it). | ||
===WordPress Configuration=== | ===WordPress Configuration=== | ||
| Line 65: | Line 90: | ||
</syntaxhighlight>The last two lines in the above code eliminate the possibility of an administrator or other editor making a mistake (and logging in with HTTP instead of HTTPS) when they login. | </syntaxhighlight>The last two lines in the above code eliminate the possibility of an administrator or other editor making a mistake (and logging in with HTTP instead of HTTPS) when they login. | ||
WordPress makes it hard to switch from HTTP to HTTPS, so try this site to scan for issues: [https://www.whynopadlock.com/results/02d0cc06-1d61- https://www.whynopadlock.com/] | WordPress makes it hard to switch from HTTP to HTTPS, so try this site to scan for issues: [https://www.whynopadlock.com/results/02d0cc06-1d61- https://www.whynopadlock.com/]. Images (especially header images) can be problematic to change from HTTP to HTTPS, so plugins like this are useful: SSL Insecure Content Fixer (Please note, this plugin may produce a performance hit on websites). For a permanent fix, try a plugin named "Better Search Replace". As a precaution, make a backup of the WordPress database before changing anything with that plugin. A quick tip on using it: CTRL A does not work in the field selection for this plugin. Instead, select the first item, scroll to the bottom of the list, hold down the Shift Key and click the last item to select everything. | ||
===Testing=== | |||
At the end of the Certbot script when obtaining a certificate, it recommends this website to test the SSL: https://www.ssllabs.com/ssltest | |||
=== | ===Conclusions (thus far)=== | ||
All done... | All done... | ||
==Details== | ==Granular Details & Information== | ||
===Apache and Webroot Plugins=== | ===Apache and Webroot Plugins=== | ||
| Line 80: | Line 106: | ||
===Commands (Some are noted previously, but summarized here)=== | ===Commands (Some are noted previously, but summarized here)=== | ||
To install the certbot software (prerequisites [https://certbot.eff.org/lets-encrypt/centosrhel7-apache here]) : yum install certbot python2-certbot-apache | To install the certbot software (prerequisites [https://certbot.eff.org/lets-encrypt/centosrhel7-apache here])<span> </span>: yum install certbot python2-certbot-apache | ||
To view existing certificates: certbot certificates | To view existing certificates: certbot certificates | ||
| Line 119: | Line 145: | ||
It also adds an Include Statement to the /etc/http/conf/httpd.conf file (which references another file): Include /etc/httpd/conf/httpd-le-ssl.conf | It also adds an Include Statement to the /etc/http/conf/httpd.conf file (which references another file): Include /etc/httpd/conf/httpd-le-ssl.conf | ||
The /etc/httpd/conf/httpd-le-ssl.conf File includes the following | The /etc/httpd/conf/httpd-le-ssl.conf File includes whatever was in the Apache HTTP configuration file for the VirtualHost with SSL stuff added. The following as a typical example;<source lang="text"> | ||
<IfModule mod_ssl.c> | <IfModule mod_ssl.c> | ||
| Line 143: | Line 169: | ||
</IfModule> | </IfModule> | ||
</source> | </source> | ||
No changes were made to the /etc/httpd/conf.d/ssl.conf file. This makes sense, because the ssl.conf file is itself referenced as an Include in the httpd.conf file. | No changes were made to the /etc/httpd/conf.d/ssl.conf file. This makes sense, because the ssl.conf file is itself referenced as an Include in the httpd.conf file. However, if a web site is already configured with SSL, using a different source for an SSL certificate, the ssl.conf file is modified to reflect the path of the new certificates. | ||
==Other Thoughts== | ==Other Thoughts== | ||