Certbot with Apache
Revision as of 21:55, 17 January 2020
Introduction
Certbot is a utility for obtaining, renewing and managing SSL certificates from Let's Encrypt. For installation, refer to: https://certbot.eff.org/
Environment Used to Test
CentOS 7 with Apache 2.4
Objective(s)
To never have to buy an SSL certificate for a web site ever again. And as if that weren't enough, to also never have to worry about renewing the certificate. Sound too good to be true? Well, a group of people decided to do something that essentially makes that possible.
Obtaining a Certificate
Once Certbot is installed, it's crazy simple to obtain a certificate: type certbot --apache and then follow the prompts. Remember, this has to be done on the server that hosts the web site, because Certbot and Let's Encrypt require a "challenge" to be answered correctly before a certificate is issued. The "challenge" is a temporary file that certbot places in the web site's directory (and deletes after the certificate is obtained) so the certificate-issuing service can verify that the requester controls the web site. DNS is another method that can be used for the challenge, but it is a bit more complex.
Apache and Webroot Plugins
The Apache plugin is used to configure the Apache conf files. My preference is not to use this functionality, as it never seems to get the settings quite right. Instead, I used it once on a test site, reviewed the settings and then modified my HTTPS settings manually.
The Webroot plugin is only used when initially obtaining a certificate.
Commands
To install the certbot software (prerequisites here: https://certbot.eff.org/lets-encrypt/centosrhel7-apache): yum install certbot python2-certbot-apache
To view existing certificates: certbot certificates
To obtain a certificate interactively (with an Apache web server): certbot --apache
Simple command example (automated): certbot certonly --webroot --webroot-path /var/www/html/WhatEverPath -d WhatEverWebSite
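As an added example (not from the page or the certbot project), here is a pre-flight check to run before the automated webroot command above. It confirms locally that certbot will be able to write its challenge file under the webroot (certbot places it in .well-known/acme-challenge beneath --webroot-path), rejects names the webroot method cannot validate (wildcards need the DNS challenge the page mentions), and then prints the command with --dry-run added so the first attempt runs against the Let's Encrypt staging environment and costs no rate-limit quota. The function name acme_webroot_preflight and the messages are this example's own; the certbot options are real.

```shell
#!/bin/sh
# Added example, not code from the original page. Function and variable names are
# this example's own; the certbot options printed at the end are the real ones.

# acme_webroot_preflight WEBROOT DOMAIN
#   Returns 0 and prints the certbot command to run when the webroot is usable,
#   non-zero with a reason on stderr otherwise.
acme_webroot_preflight() {
    webroot=$1
    domain=$2
    challenge_dir="$webroot/.well-known/acme-challenge"

    # The HTTP-01 challenge cannot validate wildcard names; that needs the DNS challenge.
    case $domain in
        \*.*) echo "preflight: wildcard names need the DNS challenge, not --webroot" >&2; return 2 ;;
        ''|*[!A-Za-z0-9.-]*) echo "preflight: '$domain' is not a plain host name" >&2; return 2 ;;
    esac

    if [ ! -d "$webroot" ]; then
        echo "preflight: webroot '$webroot' does not exist" >&2
        return 1
    fi

    # Certbot creates this directory itself; doing it here surfaces permission problems early.
    if ! mkdir -p "$challenge_dir" 2>/dev/null; then
        echo "preflight: cannot create $challenge_dir (permissions?)" >&2
        return 1
    fi

    # Write and read back a throw-away token, the way certbot writes its challenge file.
    token="preflight-$$"
    if ! printf 'ok\n' > "$challenge_dir/$token" 2>/dev/null; then
        echo "preflight: cannot write into $challenge_dir" >&2
        return 1
    fi
    if [ "$(cat "$challenge_dir/$token")" != "ok" ]; then
        rm -f "$challenge_dir/$token"
        echo "preflight: token written but could not be read back" >&2
        return 1
    fi
    rm -f "$challenge_dir/$token"

    # The command from the page, with --dry-run so a mistake is caught against staging first.
    printf 'certbot certonly --webroot --webroot-path %s -d %s --dry-run\n' "$webroot" "$domain"
    return 0
}

# Stand-alone use: sh preflight.sh /var/www/html/WhatEverPath WhatEverWebSite
if [ "$#" -eq 2 ]; then
    acme_webroot_preflight "$1" "$2"
fi
```

Once the dry run succeeds, run the printed command again without --dry-run to obtain the real certificate.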
Technical Information about Certbot
Location of Certificates: /etc/letsencrypt
Certbot Command Configuration File (if it exists): /etc/letsencrypt/cli.ini
Certbot Configuration Files for individual URLs: /etc/letsencrypt/renewal
Certbot Renewal Service Configuration File: /etc/sysconfig/certbot
Configuration File Certbot uses to modify Apache Files: /etc/letsencrypt/options-ssl-apache.conf
Certbot Binary File: /usr/bin/certbot
Certbot Services
certbot-renew.service: This isn't really a service, in that it doesn't run all of the time. It's more like a pre-configured set of commands to renew all certificates that have been obtained via certbot.
certbot-renew.timer: Since the "renew service" doesn't run continuously, it needs to be triggered on a periodic basis, which is done by this timer (instead of a CRON task). In CentOS 7 it is not enabled by default. Webmin seems to have issues setting it to start automatically, so use this command: systemctl enable certbot-renew.timer. The timing period can be changed via a configuration file or within Webmin.
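One thing the timer alone does not take care of when you configure HTTPS by hand, as the page prefers: certbot renew only writes the new files under /etc/letsencrypt/live, and httpd keeps serving the old certificate until it is reloaded. The deploy hook below is an added example (not from the page or the certbot project) that closes that gap. Certbot runs any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ (or passed with --deploy-hook) after a successful renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS to it; the CONFIGTEST_CMD and RELOAD_CMD variables and the deploy_renewed function are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page or the certbot project.
# RENEWED_LINEAGE and RENEWED_DOMAINS are set by certbot for deploy hooks;
# CONFIGTEST_CMD and RELOAD_CMD are this example's own (overridable for testing).

CONFIGTEST_CMD=${CONFIGTEST_CMD:-"apachectl configtest"}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload httpd"}

# deploy_renewed LINEAGE_DIR
#   Checks the renewed files, then validates the Apache configuration and reloads httpd.
#   Returns non-zero without reloading if anything looks wrong, so a bad renewal cannot
#   take the site down.
deploy_renewed() {
    lineage=$1

    # The files the page's VirtualHost references must exist and be non-empty.
    for f in cert.pem chain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "deploy-hook: $lineage/$f missing or empty" >&2
            return 1
        fi
    done

    # The private key must not be readable by other users on the host.
    # ls -lL follows the live/ symlink into archive/; columns 8-10 are the "other" bits.
    perms=$(ls -lL "$lineage/privkey.pem" | cut -c1-10)
    case $perms in
        ???????r??)
            echo "deploy-hook: $lineage/privkey.pem is world-readable ($perms)" >&2
            return 1 ;;
    esac

    # Make sure the configuration still parses before bouncing the server.
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then
        echo "deploy-hook: configtest failed, not reloading httpd" >&2
        return 1
    fi
    if ! $RELOAD_CMD; then
        echo "deploy-hook: reload failed" >&2
        return 1
    fi
    echo "deploy-hook: reloaded httpd for ${RENEWED_DOMAINS:-$lineage}"
    return 0
}

# When certbot runs this script, RENEWED_LINEAGE points at /etc/letsencrypt/live/<name>.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_renewed "$RENEWED_LINEAGE"
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and check the output of the next certbot-renew.service run in the journal to confirm that the reload happened.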
Results of Automatic Configuration with Apache Module
The section of the /etc/httpd/conf/httpd.conf file with the directives (VirtualHost section, etc.) specific to the web site the certificate applies to is modified by adding several items:
RewriteEngine on
RewriteCond %{SERVER_NAME} =WhatEverWebSiteName [OR]
RewriteCond %{SERVER_NAME} =WhatEverWebSiteName
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
It also adds an Include statement to the /etc/httpd/conf/httpd.conf file (which references another file): Include /etc/httpd/conf/httpd-le-ssl.conf
The /etc/httpd/conf/httpd-le-ssl.conf file contains the following (with a few line breaks added to make it look neater):
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html/WhatEverWebSite
ServerName WhatEverWebSite
CustomLog "logs/WhatEverWebSite/www.Access.LOG" combinedio
<Directory "/var/www/html/WhatEverWebSite">
AllowOverride ALL
Require all granted
</Directory>
ServerAlias WhatEverWebSite
SSLCertificateFile /etc/letsencrypt/live/WhatEverWebSite/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/WhatEverWebSite/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/WhatEverWebSite/chain.pem
</VirtualHost>
</IfModule>
No changes were made to the /etc/httpd/conf.d/ssl.conf file. This makes sense, because the ssl.conf file is itself referenced as an Include in the httpd.conf file.
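Since the page recommends reviewing the generated settings and then maintaining the HTTPS configuration by hand, here is an added example (not from the page or from certbot) of a small audit script for a TLS virtual host like the httpd-le-ssl.conf shown above. It reports the points worth checking before trusting a hand-edited file: certificate and key paths that are not under /etc/letsencrypt/live (renewals would never reach them), a missing Include of the shared options-ssl-apache.conf, a missing certificate or key directive, and an AllowOverride All that lets a .htaccess file in the DocumentRoot change the vhost. The function names and the sample configuration written by write_sample are this example's own; the sample is modelled on the configuration above with an example.invalid host name.

```shell
#!/bin/sh
# Added example, not code from the original page. The functions and the sample
# configuration below are constructed for this example.

# conf_grep FILE REGEX: print the lines of FILE whose directive matches REGEX
# (leading whitespace allowed, commented-out lines ignored).
conf_grep() {
    grep -E "^[[:space:]]*$2" "$1"
}

# report MESSAGE: record one finding (uses the globals set by audit_ssl_vhost).
report() {
    findings=$((findings + 1))
    echo "$conf: $1"
}

# audit_ssl_vhost FILE -> prints one finding per line, returns the number of findings
audit_ssl_vhost() {
    conf=$1
    findings=0

    # Certificate and key must be present and must live under /etc/letsencrypt/live,
    # because that is the only place certbot renew updates.
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        path=$(conf_grep "$conf" "$d[[:space:]]" | awk '{print $2}' | head -n 1)
        if [ -z "$path" ]; then
            report "$d is missing"
        else
            case $path in
                /etc/letsencrypt/live/*) ;;
                *) report "$d points at $path, outside /etc/letsencrypt/live (renewals will not update it)" ;;
            esac
        fi
    done

    # The shared TLS settings (protocols, ciphers) come from options-ssl-apache.conf.
    if ! conf_grep "$conf" 'Include[[:space:]]+/etc/letsencrypt/options-ssl-apache\.conf' >/dev/null; then
        report "options-ssl-apache.conf is not included, so httpd's default TLS settings apply"
    fi

    # AllowOverride All lets a .htaccess file under the DocumentRoot override this vhost.
    if conf_grep "$conf" 'AllowOverride[[:space:]]+[Aa][Ll][Ll]' >/dev/null; then
        report "AllowOverride All lets a .htaccess file change this vhost; use AllowOverride None unless needed"
    fi

    return "$findings"
}

# write_sample FILE: constructed vhost modelled on the generated httpd-le-ssl.conf above.
write_sample() {
    cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html/example
    ServerName example.invalid
    <Directory "/var/www/html/example">
        AllowOverride All
        Require all granted
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/example.invalid/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.invalid/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/example.invalid/chain.pem
</VirtualHost>
</IfModule>
EOF
}

# Stand-alone use: sh audit.sh /etc/httpd/conf/httpd-le-ssl.conf
if [ "$#" -eq 1 ]; then
    audit_ssl_vhost "$1"
fi
```

Run against the generated file above, the only finding is the AllowOverride All in the Directory block; the exit status doubles as the finding count so the script can gate a configuration change.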
Other Thoughts
The Certbot application is very thorough in the way it scans httpd.conf and its associated files, and is very adept at identifying syntax errors in a configuration file. It catches errors like missing quotation marks that httpd itself doesn't get bent out of shape about.