Certbot is a handy tool that automatically enables HTTPS on your website by deploying Let’s Encrypt certificates.
How to
CentOS, without snap (no longer supported)
yum install certbot python3-certbot-apache mod_ssl
Snap install
yum remove certbot
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
See the official guide https://certbot.eff.org/lets-encrypt/centosrhel7-apache
To create the certificates
# On the first run, always use the --dry-run parameter
# certbot certonly --dry-run --webroot -w <path_of_htdocs> -d domain.tld -d sub.domain.tld
certbot certonly --webroot -w <path_of_htdocs> -d domain.tld -d sub.domain.tld
Your certificates are deployed (usually) under /etc/letsencrypt/live/domain.tld/
- cert.pem is the certificate
- privkey.pem is the private key
- chain.pem is the certificate chain
- fullchain.pem is the full chain (it’s needed for postfix)
Then schedule a cron job that automatically runs the following renew.sh script
#!/bin/bash
# On the first run, always use the --dry-run parameter
# certbot renew --dry-run
certbot renew
# Deploy the certificates
# I like to change the destination extensions this way, but do whatever you prefer
cp /etc/letsencrypt/live/domain.tld/cert.pem /your_destination/server.crt
cp /etc/letsencrypt/live/domain.tld/privkey.pem /your_destination/server.key
cp /etc/letsencrypt/live/domain.tld/chain.pem /your_destination/server.chain
cp /etc/letsencrypt/live/domain.tld/fullchain.pem /your_destination/server.fullchain
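As an added example (not part of the original post), the same copy step written as a certbot deploy hook: certbot runs a `--deploy-hook` script only after a lineage was actually renewed and exports its path in RENEWED_LINEAGE, and `install -m` gives the private key an explicit 0600 mode instead of the umask default that a plain cp would leave. The destination directory and the reload command are placeholders you adapt to your setup.

```shell
#!/bin/bash
# Added example: certbot --deploy-hook script (not the post's renew.sh).
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/domain.tld)
# and runs this only when a certificate was actually renewed.
# Assumed placeholders: DEPLOY_DEST directory and DEPLOY_RELOAD_CMD.
set -eu

DEST="${DEPLOY_DEST:-/your_destination}"
RELOAD_CMD="${DEPLOY_RELOAD_CMD:-systemctl reload httpd}"

# deploy_lineage <lineage_dir> <dest_dir>
# Copies the four PEM files using the post's naming scheme (server.crt,
# server.key, server.chain, server.fullchain). install -m sets the file mode
# explicitly, so server.key is never world-readable; cp would inherit the
# umask default (often 0644). Fails before copying if any file is missing.
deploy_lineage() {
    local lineage="$1" dest="$2" f
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        [ -f "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    install -m 0644 "$lineage/cert.pem"      "$dest/server.crt"
    install -m 0600 "$lineage/privkey.pem"   "$dest/server.key"
    install -m 0644 "$lineage/chain.pem"     "$dest/server.chain"
    install -m 0644 "$lineage/fullchain.pem" "$dest/server.fullchain"
}

# Only act when certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE" "$DEST"
    $RELOAD_CMD
fi
```

Hook it in with `certbot renew --deploy-hook /path/to/deploy.sh` (or a file under /etc/letsencrypt/renewal-hooks/deploy/), so the cron job no longer copies files on every run.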
Test it
Using SSL LABS
https://www.ssllabs.com/ssltest/analyze.html?d=domain.tld
Using the openssl tool
openssl s_client -showcerts -connect domain:port
# example output for a Let's Encrypt certificate
# CONNECTED(00000003)
# depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
# verify return:1
# depth=1 C = US, O = Let's Encrypt, CN = R3
# verify return:1
# depth=0 CN = domain
# verify return:1
# [...]
PS: remember to disable all weak protocols, such as TLS 1.0 and TLS 1.1, in your applications.
Thanks to digitalocean.com