Once your site is up but HTTPS traffic is not yet enabled, follow these steps to obtain a free certificate from https://letsencrypt.org/ :
1. Install and enable the EPEL repository:
cd /tmp
wget -O epel.rpm -nv https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y ./epel.rpm
2. Install the required certbot tool:
sudo yum install python2-certbot-apache.noarch
3. Use the following command to obtain the first certificate with certbot:
sudo certbot -i apache -a manual --preferred-challenges dns -d easybiny.com
Note: At some point, you are prompted to deploy a DNS TXT record with the name “_acme-challenge.easybiny.com” with the supplied value.
If using AWS Route53, this is fairly simple by adding another TXT record with proper value.
Before going forward, make sure the record has propagated, e.g. with an interactive nslookup session:
nslookup
> set ty=txt
> _acme-challenge.easybiny.com
4. Optional security step:
Edit the file
vi /etc/letsencrypt/options-ssl-apache.conf
Look for the line beginning with SSLProtocol and change it to the following - this disables SSLv2, SSLv3 and TLS 1.0 (the -TLSv1 token), leaving only the newer TLS versions enabled:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
5. Restart Apache:
service httpd restart
6. Make sure inbound traffic on port 443 is allowed in the AWS Security Group.
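Because the SSLProtocol directive in step 4 only removes the versions named with a minus sign, it is worth computing the resulting set rather than guessing. The following POSIX sh script is an added example, not part of the original post: it applies mod_ssl's SSLProtocol token rules to a directive, reads the directive out of a config file such as /etc/letsencrypt/options-ssl-apache.conf, and reports whether anything older than TLS 1.2 is still enabled. The ALL_PROTOS list and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: compute which protocol versions an Apache
# SSLProtocol directive really leaves enabled, using mod_ssl's token rules (a bare name
# replaces the set, "+name" adds, "-name" removes, "all" expands to every version).
# Assumption: ALL_PROTOS is what mod_ssl can name; which of these your httpd/OpenSSL
# build actually negotiates varies (CentOS 7 era builds have no TLSv1.3).
ALL_PROTOS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
# ssl_protocols_enabled all -SSLv2 -SSLv3 -TLSv1   prints "TLSv1.1 TLSv1.2 TLSv1.3"
ssl_protocols_enabled() {
    enabled=""
    for tok in "$@"; do
        case "$tok" in
            -*) action=del; name=${tok#-} ;;
            +*) action=add; name=${tok#+} ;;
            *)  action=set; name=$tok ;;
        esac
        case "$name" in all|ALL) names=$ALL_PROTOS ;; *) names=$name ;; esac
        case "$action" in
            set) enabled=$names ;;
            add) enabled="$enabled $names" ;;
            del) for n in $names; do
                     kept=""
                     for p in $enabled; do [ "$p" = "$n" ] || kept="$kept $p"; done
                     enabled=$kept
                 done ;;
        esac
    done
    out=""                      # emit in canonical order, without duplicates
    for p in $ALL_PROTOS; do
        for e in $enabled; do
            if [ "$e" = "$p" ]; then out="$out $p"; break; fi
        done
    done
    printf '%s\n' "${out# }"
}

# Prints the arguments of the last uncommented SSLProtocol line in an Apache config file,
# e.g. ssl_protocol_directive /etc/letsencrypt/options-ssl-apache.conf
ssl_protocol_directive() {
    sed -n 's/^[[:space:]]*SSLProtocol[[:space:]][[:space:]]*//p' "$1" | tail -n 1
}

# Exit status 0 when nothing older than TLSv1.2 is left enabled, 1 otherwise:
#   only_modern_tls $(ssl_protocol_directive /etc/letsencrypt/options-ssl-apache.conf)
only_modern_tls() {
    for p in $(ssl_protocols_enabled "$@"); do
        case "$p" in SSLv2|SSLv3|TLSv1|TLSv1.1) return 1 ;; esac
    done
    return 0
}
```

Run against the live file after editing it in step 4; a non-zero exit from only_modern_tls means TLS 1.0 or 1.1 is still negotiable.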
Note: To renew a certificate or add a new one (e.g. for a subdomain such as stage.easybiny.com), use the following command:
certbot certonly --webroot -w /var/www/html/easybiny/stage -d stage.easybiny.com
Important: If Basic Auth is enabled for the site, you will need to temporarily disable it for the certificate renewal to succeed.