Configuring Let’s Encrypt TLS Certificates


To totally unlock this section you need to Log-in

Let’s Encrypt® has revolutionized the way to obtain, install and use TLS/SSL certificates for websites and other services.

With its automated procedures and challenges, everyone can get free TLS/SSL certificates from Let’s Encrypt organization and install them in a matter of minutes, automatically.

What is a Certificate and why I need it for my website?

A public key or digital certificate (formerly called an SSL certificate) uses a public key and a private key to enable secure communication between a client program (web browser, email client, etc.) and a server over an encrypted SSL (secure socket layer) or TLS (transport layer security) connection. The certificate is used both to encrypt the initial stage of communication (secure key exchange) and to identify the server.

The certificate includes information about the key, information about the server identity, and the digital signature of the certificate issuer. If the issuer is trusted by the software that initiates the communication, and the signature is valid, then the key can be used to communicate securely with the server identified by the certificate.

Using a certificate is a good way to prevent “man-in-the-middle” attacks, in which someone in between you and the server you think you are talking to is able to insert their own (harmful) content.

Prerequisites

Ensure that you have met the following prerequisites before continuing with this tutorial:

  • Have a domain name pointing to your public server IP. In this tutorial we will use example.com.
  • Have Apache installed and running on your server.
  • Have Apache virtual host for your domain.
  • Have port 80 and 443 open in your firewall.

We will also assume that you:

  • Have basic command line skills.
  • Know what TLS/SSL is.
  • Have shell access (direct or SSH) to your web server.

Install the following packages (openssl and mod_ssl) which are required for an SSL encrypted web server (Apache and httpd):

yum install mod_ssl openssl

Updating the Firewall

If you have not done yet, remember that for Let's Encrypt it is needed to open specific ports to the web server to let certificates be delivered.

If you have a firewall enabled, make sure port 80 and 443 are open to incoming traffic. If you are not running a firewall, you can skip ahead.

If you have a firewalld firewall running, you can open these ports by typing:

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

If have an iptables firewall running, the commands you need to run are highly dependent on your current rule set. For a basic rule set, you can add HTTP and HTTPS access by typing:

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

We're now ready to run Certbot and fetch our certificates.

Install Certbot

Certbot is a tool that simplifies the process for obtaining SSL certificates from Let’s Encrypt and auto-enabling HTTPS on your server.

The certbot package is provided by EPEL. If the EPEL repository is not installed on your system (RedHat, CentOS, etc.) , you can install it using the following command:

sudo yum install epel-release

Once the EPEL repository is enabled, install the certbot package by typing:

sudo yum install certbot

Apache

Now you need to install the plugin associated with your web server, this step is only for CentOS 7. Certbot currently supports multiple plugins.

Install the following package:

$ sudo yum install certbot-apache

If your site is running the Apache web server, you can use the Certbot Apache plugin we installed earlier to automatically obtain and install your certificate:

$ sudo certbot --apache

The interactive procedure will guide you through all the information needed to sign the certificate. Optionally, if you have multiple virtual hosts/domains configured, Certbot will ask you to select the domains included in the new certificate.

NOTE: take note that Certbot and Let's Encrypt needs, to validate the domain you want to protect using SSL/TLS certificate, that the web server is exposed with at least port 80 on Internet to challenge the web site and the domain and to be sure that you are authoritative for the domain specified.

If you don’t trust Certbot to install your certificate automatically, you can generate the certificate only (and install it manually later) using the following command:

$ sudo cerbot --apache certonly

Here’s the output for a successful certificate issued:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOURSITE.TLD/fullchain.pem. Your cert will
   expire on DATE. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Generate Strong Dh (Diffie-Hellman) Group (Apache)

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel. Generate a new set of 2048 bit DH parameters to strengthen the security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

You can change the size up to 4096 bits but in that case the generation may take more than 30 minutes depending on the system entropy.

CentOS 7 ships with Apache version 2.4.6 which does not include the SSLOpenSSLConfCmd directive. This directive is only available on Apache 2.4.8 and later and it is used for configuration of OpenSSL parameters such as Diffie–Hellman key exchange (DH).

We will have to create a new combined file using the Let’s Encrypt SSL certificate and the generated DH file. To do this, type:

cat /etc/letsencrypt/live/example.com/cert.pem /etc/ssl/certs/dhparam.pem >/etc/letsencrypt/live/example.com/cert.dh.pem

Now that everything is setup, edit your domain virtual host (Apache) configuration as follows:

/etc/httpd/conf.d/example.com.conf
<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog /var/log/httpd/example.com-error.log
  CustomLog /var/log/httpd/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.dh.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

  # Other Apache Configuration

</VirtualHost>

With the configuration above we are forcing HTTPS and redirecting from www to non www version. Fell free to adjusts the configuration according to your needs.

Restart the Apache service for changes to take effect:

sudo systemctl restart httpd

You can now open your website using https:// and you’ll notice a green lock icon.

Nginx

If your site is running the Nginx web server, you can use the Certbot Nginx plugin we installed earlier to automatically obtain and install your certificate:

$ sudo certbot --nginx

The interactive procedure will guide you through all the information needed to sign the certificate.

If you don’t trust Certbot to install your certificate automatically, you can generate the certificate only (and install it manually later) using the following command:

$ sudo cerbot --nginx certonly

Here’s the output for a successful certificate issued:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOURSITE.TLD/fullchain.pem. Your cert will
   expire on DATE. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Generate Strong Dh (Diffie-Hellman) Group (Nginx)

If you test your server using the SSL Labs Server Test now, it will only get a B grade due to weak Diffie-Hellman parameters. This effects the security of the initial key exchange between our server and its users. We can fix this by creating a new dhparam.pem file and adding it to our server block.

Create the file using openssl:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This will take a while, up to a few minutes. When it's done, open up the Nginx config file that contains your server block. In our example, it's the default config file:

sudo vi /etc/nginx/nginx.conf

Paste the following line anywhere within the server block:

/etc/nginx/nginx.conf
. . .
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Save the file and quit your editor, then verify the configuration:

sudo nginx -t

If you have no errors, reload Nginx:

sudo systemctl reload nginx

Your site is now more secure, and should receive an A rating.

Setting Up Auto Renewal

Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. We'll need to set up a regularly run command to check for expiring certificates and renew them automatically.

Before actually setting up the auto renewal process, you may want to test the renewal with the following command:

$ sudo certbot renew --dry run

If the certificate is installed correctly and everything is in order, nearing the end you will get a message similar to this and you may proceed:

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/YOURSITE/fullchain.pem (success)

To run the renewal check daily, we will use cron, a standard system service for running periodic/scheduled jobs. We tell cron what to do by opening and editing a file called a crontab.

sudo crontab -e

Your text editor will open the default crontab which is an empty text file at this point. Paste in the following line, then save and close it:

crontab
. . .
15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part of this line means "run the following command at 3:15 am, every day". You may choose any time.

The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet tells Certbot not to output information or wait for user input.

cron will now run this command daily. All installed certificates will be automatically renewed and reloaded when they have thirty days or less before they expire.