Let's Encrypt SSL Certificates on CentOS 6.10
Have a NAS box (sort of the glue that keeps things together) that’s running old CentOS 6.10. (I guess I have until November of this year to upgrade it. That seemed so far away when I installed it, almost 9 (?!) years ago.) Anyway. Needed to install a non-self-signed SSL certificate, and being a stingy bastard, I wanted to use the Let’s Encrypt free option. Easiest way I found was using the getssl Bash script (listed here: https://letsencrypt.org/docs/client-options).
I have a CNAME setup for the NAS (we'll call it 127001.fnord.org) that points to a dynamic DNS entry (we'll call it Azrael.Gargamel-DDNS.org).
# git clone https://github.com/srvrco/getssl.git
# cd getssl
# ./getssl -c 127001.fnord.org
This creates configuration files /root/.getssl/getssl.cfg and /root/.getssl/127001.fnord.org/getssl.cfg. Next, make a directory for the issued certificate and key; the private key will be written here, so keep it root-owned and not readable by other users.
# mkdir /etc/lessl
# vim ~/.getssl/getssl.cfg
ACCOUNT_EMAIL="your@admin.address"
# vim ~/.getssl/127001.fnord.org/getssl.cfg
ACL=('/path/to/www/.well-known/acme-challenge')
DOMAIN_CERT_LOCATION="/etc/lessl/127001.fnord.org.crt" # this is domain cert
DOMAIN_KEY_LOCATION="/etc/lessl/127001.fnord.org.key" # this is domain key
CA_CERT_LOCATION="/etc/lessl/chain.crt" # this is CA cert
RELOAD_CMD="/sbin/service httpd restart"
("/path/to/www" is, obviously, the path to the DocumentRoot for the web server, /var/www/html by default on CentOS.)
I normally don’t have port 80 accessible to the world, but for this to work I had to port forward that from my router to the NAS box. This is the HTTP-01 challenge: the Let’s Encrypt validation servers fetch a token file at http://127001.fnord.org/.well-known/acme-challenge/<token>, so that path must be reachable from the internet over plain HTTP, and it has to stay reachable every time the certificate is renewed, not just for the first issuance. getssl can also drop the token on another host (FTP, SSH), but all of that seemed more trouble than it was worth.
# ./getssl 127001.fnord.org
This builds the certificate files and restarts Apache (but if you haven’t yet pointed your SSL config at the new certificates, you’ll get a message to that effect). Point Apache at them:
# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/lessl/127001.fnord.org.crt
SSLCertificateKeyFile /etc/lessl/127001.fnord.org.key
SSLCertificateChainFile /etc/lessl/chain.crt
(CentOS 6 ships Apache 2.2, where SSLCertificateChainFile is the right directive. On Apache 2.4.8 and later it is deprecated and the chain is appended to the file named by SSLCertificateFile instead.)
Up to this point the certificate comes from the Let’s Encrypt staging CA, which is what getssl -c configures by default: it installs and Apache serves it, but browsers will not trust it, and that is expected. Once everything’s working smoothly, edit ~/.getssl/127001.fnord.org/getssl.cfg, comment out the 'staging' CA line, and uncomment the 'production' line:
CA="https://acme-v02.api.letsencrypt.org"
Then force a refresh of the certificate:
# /root/getssl/getssl -u -q -f 127001.fnord.org
Finally, set the system up to renew the certificate automatically. getssl only does anything once the certificate is inside its renewal window (RENEW_ALLOW, 30 days before expiry by default), so it is safe to run it daily; this example runs every day at midnight, quietly, generating output only on an error or when a new certificate has been installed:
# crontab -e
0 0 * * * /root/getssl/getssl -u -q 127001.fnord.org
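As an added check, not part of the original post or of getssl, the following script verifies what the steps above should have produced: that the certificate in /etc/lessl matches its private key, verifies against chain.crt, was not issued by the staging CA, and has more than 30 days of validity left (getssl’s default RENEW_ALLOW window). The script name and the /etc/lessl paths are assumptions taken from the layout above; it needs only openssl, which CentOS 6 has. Because it compares public keys rather than RSA moduli it also works if getssl is later configured to generate EC keys.

```bash
#!/bin/bash
# check-lessl.sh: sanity checks for a getssl-managed certificate set.
# Example added to this post; it is not part of getssl. The script name and
# the /etc/lessl layout are the ones used above and are assumptions.
#
# Usage: ./check-lessl.sh /etc/lessl/127001.fnord.org.crt \
#                         /etc/lessl/127001.fnord.org.key /etc/lessl/chain.crt

# Succeeds if the certificate's public key equals the public key derived
# from the private key (compares the whole SubjectPublicKeyInfo, so it
# works for RSA and EC keys alike, unlike an RSA-only modulus comparison).
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate stays valid for at least $2 more days.
# getssl renews inside its RENEW_ALLOW window (30 days by default), so
# passing 30 asks the same question the nightly cron job asks.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeeds if the certificate verifies against the supplied chain/CA file.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds if the issuer is a Let's Encrypt staging CA. Staging issuer
# names carry "(STAGING)" (older ones "Fake LE"); a hit means the
# production CA= line in getssl.cfg was never enabled.
cert_is_staging() {
  openssl x509 -in "$1" -noout -issuer 2>/dev/null | grep -q -e 'STAGING' -e 'Fake LE'
}

# Runs all four checks, reports each, and returns non-zero if any failed.
check_installed() {
  local cert=$1 key=$2 chain=$3 rc=0
  if cert_matches_key "$cert" "$key"; then echo "ok:   certificate matches private key"
  else echo "FAIL: certificate does not match private key"; rc=1; fi
  if cert_chains_to "$cert" "$chain"; then echo "ok:   certificate verifies against $chain"
  else echo "FAIL: certificate does not verify against $chain"; rc=1; fi
  if cert_is_staging "$cert"; then echo "FAIL: issued by the staging CA (browsers will not trust it)"; rc=1
  else echo "ok:   issued by a non-staging CA"; fi
  if cert_valid_for_days "$cert" 30; then echo "ok:   more than 30 days of validity left"
  else echo "FAIL: within 30 days of expiry (or already expired)"; rc=1; fi
  return $rc
}

# Run the checks when invoked with the three paths; do nothing when sourced.
if [ "$#" -eq 3 ]; then
  check_installed "$1" "$2" "$3"
fi
```

Run it after the forced refresh above, and again whenever the cron job reports that it installed a new certificate; a staging hit or a key mismatch at that point means the config was edited but the refresh did not actually happen.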