Using LetsEncrypt with CentOS on Apache

24 February 2019

From letsencrypt.org:

To enable HTTPS on your website, you need to get a certificate from a Certificate Authority (CA). Let's Encrypt is a CA. In order to get a certificate for your website's domain from Let's Encrypt, you have to demonstrate control over the domain. With Let's Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

You will need SSH access to your web host to install a certbot client. certbot will automate certificate issuance and installation with no downtime.

Install certbot

On my machine this also pulled in additional Python dependencies.

$ sudo yum install certbot python2-certbot-apache

Run certbot

$ sudo certbot certonly --manual --preferred-challenges=dns -d *.yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for yourdomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Add a TXT record to your DNS

This prompt is part of certbot's own output; it pauses here until you press Enter.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:

RandomTextFromCommandLine_AUywrQH1pxx88NTKG7OgUod

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Verify the TXT record

$ nslookup -type=TXT _acme-challenge.yourdomain.com
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
_acme-challenge.yourdomain.com	text = "RandomTextFromCommandLine_AUywrQH1pxx88NTKG7OgUod"

Hit Enter to continue

Press Enter if you're seeing your TXT record. It might take a while for the TXT record to propagate. Please be patient.
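As an added example that is not part of the original post: a small POSIX shell helper that polls DNS for the _acme-challenge TXT record and tells you when the value certbot printed is visible, so you do not press Enter before the record has propagated and fail the challenge. It assumes dig (from bind-utils on CentOS) is installed; the domain, the token and the script name are placeholders.

```shell
#!/bin/sh
# Wait for the _acme-challenge TXT record to show the value certbot asked for.
# Added helper, not from certbot or the original post. Assumes dig is installed.

# Read `dig +short TXT` output on stdin and print each TXT value without quotes.
acme_txt_values() {
    sed -n 's/^"\(.*\)"$/\1/p'
}

# Return 0 if the expected token is one of the TXT values given on stdin.
# Exact whole-line match, so a stale record from an earlier run does not count.
acme_txt_present() {
    expected="$1"
    acme_txt_values | grep -qxF -- "$expected"
}

# Query the record (optionally against a specific resolver, e.g. your
# authoritative name server) and check it against the expected token.
acme_txt_check() {
    domain="$1"; expected="$2"; server="${3:-}"
    if [ -n "$server" ]; then
        dig +short @"$server" TXT "_acme-challenge.$domain" | acme_txt_present "$expected"
    else
        dig +short TXT "_acme-challenge.$domain" | acme_txt_present "$expected"
    fi
}

# Poll every 15 seconds until the record is live or the timeout (seconds) passes.
acme_txt_wait() {
    domain="$1"; expected="$2"; timeout="${3:-600}"; interval=15; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if acme_txt_check "$domain" "$expected"; then
            echo "TXT record for _acme-challenge.$domain is live; press Enter in certbot."
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "Timed out after ${timeout}s waiting for _acme-challenge.$domain" >&2
    return 1
}

# Usage while certbot is waiting (placeholder values):
#   sh acme-txt-wait.sh yourdomain.com RandomTextFromCommandLine_AUywrQH1pxx88NTKG7OgUod
if [ "$#" -ge 2 ]; then
    acme_txt_wait "$1" "$2" "${3:-600}"
fi
```

Run it in a second terminal while certbot sits at the "Before continuing" prompt; it exits 0 once the record is visible and 1 on timeout.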

Once verification succeeds, the certificate is issued and you should see output similar to this:

Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2019-05-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le