Certbot with Apache

Revision as of 20:39, 17 January 2020 by Root (talk | contribs)

Introduction

Certbot is a utility that obtains, renews and manages TLS (SSL) certificates from Let's Encrypt. For installation, refer to: https://certbot.eff.org/

Environment Used to Test

CentOS 7 with Apache 2.4

Technical Information about Certbot

Location of Certificates: /etc/letsencrypt (the current certificate and key for each site are symlinks under live/<name>/ that point at the versioned files in archive/<name>/; Certbot repoints the symlinks on renewal)

Certbot Command Configuration File (if it exists): /etc/letsencrypt/cli.ini

Certbot Configuration Files for individual certificates (one <name>.conf per certificate, recording the plugin, webroot and domains used to obtain it): /etc/letsencrypt/renewal

Certbot Renewal Service Configuration File: /etc/sysconfig/certbot

TLS options file (SSLEngine, protocol and cipher settings) that Certbot's Apache plugin includes into the HTTPS VirtualHost it generates: /etc/letsencrypt/options-ssl-apache.conf

Certbot Binary File: /usr/bin/certbot

Certbot Services

certbot-renew.service: This is not a long-running service. It is a oneshot systemd unit that runs certbot renew once against every certificate listed under /etc/letsencrypt/renewal and then exits.

certbot-renew.timer: Because the renew service does not run continuously, it has to be triggered periodically, which is what this timer unit does (instead of a cron job). On CentOS 7 it is not enabled by default. Webmin seems to have issues setting it to start automatically, so use this command: systemctl enable certbot-renew.timer (enable alone only takes effect at the next boot; add --now, or run systemctl start certbot-renew.timer, to start it immediately, and confirm with systemctl list-timers certbot-renew.timer). The timer period can be changed with a systemd drop-in for the timer unit or from within Webmin.
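Renewing a certificate does not by itself make Apache use it: the paths in the generated VirtualHost point into /etc/letsencrypt/live/, which Certbot repoints at renewal, but httpd keeps the old certificate and key in memory until it is reloaded. The following deploy hook is an added example written for this page, not part of Certbot or the CentOS packaging. It checks that the renewed lineage is complete, refuses a private key that is group- or world-readable, and reloads httpd only if apachectl configtest passes. It relies on Certbot exporting RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks and on GNU stat; the log tag certbot-deploy is my choice. Install it executable under /etc/letsencrypt/renewal-hooks/deploy/, which certbot renew runs after each successful renewal (assuming your packaged unit exposes it, the DEPLOY_HOOK line in /etc/sysconfig/certbot is an alternative).

```shell
#!/usr/bin/env bash
# Deploy hook for certbot renew (example written for this page, not shipped with Certbot).
# Certbot runs deploy hooks once per renewed certificate with two variables exported:
#   RENEWED_LINEAGE  the live/ directory of the certificate, e.g. /etc/letsencrypt/live/example.com
#   RENEWED_DOMAINS  space-separated names covered by that certificate
set -u

# Every file the Apache configuration may reference must exist and be readable.
lineage_files_ok() {   # lineage_files_ok LINEAGE_DIR
    local f
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        if [ ! -r "$1/$f" ]; then
            echo "missing or unreadable: $1/$f" >&2
            return 1
        fi
    done
    return 0
}

# The private key must not be group- or world-readable. live/ holds symlinks, so
# stat -L follows them to the real file in archive/. (GNU stat, Linux only.)
privkey_perms_ok() {   # privkey_perms_ok KEY_FILE
    local mode
    mode=$(stat -L -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "private key $1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Reload httpd only when the configuration parses, so a broken edit elsewhere in
# httpd.conf cannot turn a routine renewal into an outage.
reload_httpd_if_valid() {
    if apachectl configtest >/dev/null 2>&1; then
        systemctl reload httpd
    else
        echo "apachectl configtest failed; httpd not reloaded" >&2
        return 1
    fi
}

main() {
    lineage_files_ok "$RENEWED_LINEAGE" || return 1
    privkey_perms_ok "$RENEWED_LINEAGE/privkey.pem" || return 1
    reload_httpd_if_valid || return 1
    logger -t certbot-deploy "reloaded httpd for ${RENEWED_DOMAINS:-$RENEWED_LINEAGE}"
}

# Only act when certbot invoked us; otherwise the file can be sourced to exercise the checks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Note that certbot renew --dry-run exercises the renewal itself but by default does not execute deploy hooks, so test the hook once by hand with RENEWED_LINEAGE pointed at an existing live/ directory.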

Apache and Webroot Plugins

The Apache plugin (--apache) both obtains the certificate and edits the Apache conf files to install it. My preference is not to use this functionality, as it never seems to get the settings quite right. Instead, I used it once on a test site, reviewed the settings and then modified my HTTPS settings manually.

The Webroot plugin (--webroot) only obtains the certificate: it answers the HTTP-01 challenge by writing files under .well-known/acme-challenge/ in the given web root, and it does not touch the Apache configuration. The web root is recorded in the certificate's renewal config, so renewals reuse it without further options.

Commands

To view existing certificates: certbot certificates

To obtain a certificate interactively (with an Apache web server): certbot --apache

Simple command example without the Apache plugin (obtains the certificate only; Apache is left unchanged): certbot certonly --webroot --webroot-path /var/www/html/WhatEverPath -d WhatEverWebSite

The certbot --apache example (but not certonly --webroot, which leaves Apache untouched) makes the following changes:

  • Modifies the /etc/httpd/conf/httpd.conf file by adding a RewriteEngine block to the web site's port-80 VirtualHost that redirects every HTTP request to HTTPS (one RewriteCond per ServerName/ServerAlias, chained with [OR]; here both are WhatEverWebSite):
RewriteEngine on
RewriteCond %{SERVER_NAME} =WhatEverWebSite [OR]
RewriteCond %{SERVER_NAME} =WhatEverWebSite
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
  • Adds an Include directive so the new HTTPS VirtualHost is loaded: Include /etc/httpd/conf/httpd-le-ssl.conf

Contents of the generated /etc/httpd/conf/httpd-le-ssl.conf (a copy of the site's VirtualHost on port 443 with the certificate directives added):

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html/WhatEverWebSite
    ServerName WhatEverWebSite
    CustomLog "logs/WhatEverWebSite/www.Access.LOG" combinedio

    <Directory "/var/www/html/WhatEverWebSite">
        AllowOverride ALL
        Require all granted
    </Directory>

    ServerAlias WhatEverWebSite
    SSLCertificateFile /etc/letsencrypt/live/WhatEverWebSite/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/WhatEverWebSite/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/WhatEverWebSite/chain.pem
</VirtualHost>
</IfModule>

No changes were made to the /etc/httpd/conf.d/ssl.conf file. Two points worth knowing about the generated block: the certificate paths go through /etc/letsencrypt/live/, whose symlinks Certbot repoints on renewal, so the file never needs editing again but httpd does need a reload after each renewal; and the cert.pem plus SSLCertificateChainFile pair is what Apache 2.4.6 (the version CentOS 7 ships) requires, whereas on Apache 2.4.8 or later SSLCertificateChainFile is deprecated and SSLCertificateFile should point at fullchain.pem instead.
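The generated configuration above is the single-name case (ServerName and ServerAlias are the same host). As an added example for this page, not code from Certbot, the following shell functions render the same HTTP-to-HTTPS redirect for any list of names, chaining one RewriteCond per name with [OR] the way the plugin does, and render the HTTPS VirtualHost with the certificate directives chosen by Apache version: cert.pem plus SSLCertificateChainFile for the 2.4.6 shipped with CentOS 7, fullchain.pem alone for 2.4.8 and later. The version is passed in explicitly (on the server: httpd -v | sed -n 's#.*Apache/\([0-9.]*\).*#\1#p'); the document-root layout and CustomLog line mirror the page's example and are otherwise arbitrary.

```shell
#!/usr/bin/env bash
# Renders the Apache directives the certbot Apache plugin adds (example written for
# this page, not Certbot's own code). Output goes to stdout; redirect it into the conf files.

# HTTP -> HTTPS redirect block for the port-80 VirtualHost. One RewriteCond per name,
# all but the last joined with [OR]; [END] stops further rewriting, [NE] keeps the
# URI un-escaped, R=permanent sends a 301.
render_redirect() {   # render_redirect NAME [NAME...]
    local total=$# i=0 name
    printf 'RewriteEngine on\n'
    for name in "$@"; do
        i=$((i + 1))
        if [ "$i" -lt "$total" ]; then
            printf 'RewriteCond %%{SERVER_NAME} =%s [OR]\n' "$name"
        else
            printf 'RewriteCond %%{SERVER_NAME} =%s\n' "$name"
        fi
    done
    printf 'RewriteRule ^ https://%%{SERVER_NAME}%%{REQUEST_URI} [END,NE,R=permanent]\n'
}

# True when the httpd version (major.minor.patch, trailing text ignored) is 2.4.8 or
# newer, the release that deprecated SSLCertificateChainFile in favour of a full chain
# in SSLCertificateFile.
apache_at_least_2_4_8() {   # apache_at_least_2_4_8 VERSION
    local maj min pat
    IFS=. read -r maj min pat <<EOF
$1
EOF
    pat=${pat%%[!0-9]*}
    if [ "${maj:-0}" -gt 2 ]; then return 0; fi
    if [ "${maj:-0}" -eq 2 ] && [ "${min:-0}" -gt 4 ]; then return 0; fi
    if [ "${maj:-0}" -eq 2 ] && [ "${min:-0}" -eq 4 ] && [ "${pat:-0}" -ge 8 ]; then return 0; fi
    return 1
}

# HTTPS VirtualHost, i.e. the contents of httpd-le-ssl.conf. Paths point into live/,
# whose symlinks Certbot repoints on renewal, so the file never needs editing again.
render_ssl_vhost() {   # render_ssl_vhost VERSION NAME DOCROOT
    local ver="$1" name="$2" docroot="$3"
    local live="/etc/letsencrypt/live/$2"
    printf '<IfModule mod_ssl.c>\n<VirtualHost *:443>\n'
    printf '    ServerName %s\n    DocumentRoot %s\n' "$name" "$docroot"
    printf '    CustomLog "logs/%s/www.Access.LOG" combinedio\n' "$name"
    printf '    <Directory "%s">\n        AllowOverride All\n        Require all granted\n    </Directory>\n' "$docroot"
    # options-ssl-apache.conf supplies SSLEngine on plus the protocol and cipher settings.
    printf '    Include /etc/letsencrypt/options-ssl-apache.conf\n'
    if apache_at_least_2_4_8 "$ver"; then
        printf '    SSLCertificateFile %s/fullchain.pem\n' "$live"
    else
        printf '    SSLCertificateFile %s/cert.pem\n' "$live"
        printf '    SSLCertificateChainFile %s/chain.pem\n' "$live"
    fi
    printf '    SSLCertificateKeyFile %s/privkey.pem\n' "$live"
    printf '</VirtualHost>\n</IfModule>\n'
}

# Usage, matching the page's site:
#   render_redirect WhatEverWebSite www.WhatEverWebSite
#   render_ssl_vhost 2.4.6 WhatEverWebSite /var/www/html/WhatEverWebSite
```

Run apachectl configtest after writing the output into place; the rendered vhost assumes mod_ssl and mod_rewrite are loaded, as they are on a stock CentOS 7 httpd with mod_ssl installed.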

Final Thought: Certbot is thorough in the way it scans httpd.conf and the associated files. It caught a couple of missing quotation marks that httpd let slide.