Configuring free ssl certs with letsencrypt in centos

Using letsencrypt in centos requires a few modifications to your CentOS install before you can run the letsencrypt client. The setup for vhosts in centos is different from the setup in debian based distros. This is how I modified my centos install to be able to use letsencrypt-auto so that I can use the free letsencrypt SSL certificates.

Jump to the fix for wildcard cert renewals

modify vhost configurations

letsencrypt-auto can only work with one VirtualHost block per file, and it looks in /etc/httpd/sites-enabled for the vhost configurations. My centos setup had a directory called /etc/httpd/vhosts.conf.d which contained my vhost configurations.

Firstly we need to create /etc/httpd/sites-available and /etc/httpd/sites-enabled so that letsencrypt-auto can manage our vhosts.


mkdir /etc/httpd/sites-available
mkdir /etc/httpd/sites-enabled

Move your existing vhost configurations into /etc/httpd/sites-available so that your sites don't stop working


mv /path/to/vhosts/*.conf /etc/httpd/sites-available

Next, symlink your vhosts into the sites-enabled directory so that they are included when apache starts


find /etc/httpd/sites-available -name '*.conf' | \
while read -r filename; do
    # $filename is the full path from find, so link it by basename only
    ln -s "$filename" "/etc/httpd/sites-enabled/$(basename "$filename")"
done

Next, edit your httpd.conf and add the following line (or modify the existing Include line that points at your old vhost directory, so the same sites are not loaded twice) to enable the sites on startup – this is the debian way


Include sites-enabled/*.conf

Restart httpd to make sure it all still works (I don't think systemctl reload httpd.service works for this step – I didn't try it though)


systemctl restart httpd.service
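Here is the whole vhost migration from this section as one script, as an added example (not from the original post, and not the DigitalOcean guide's code). It takes the Apache root and the old vhost directory as arguments (/etc/httpd and /etc/httpd/vhosts.conf.d on the setup described above), symlinks each file by basename, comments out the old Include line rather than leaving both in place, and runs configtest before the restart so a typo in a vhost file cannot take the sites down with it. The restart is only attempted when the root really is /etc/httpd, so the script can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example (not from the original post): move a CentOS-style vhost
# directory into the Debian-style sites-available/sites-enabled layout
# that letsencrypt-auto expects, then validate before restarting httpd.
# Assumes: Apache root in $1 (normally /etc/httpd) with conf/httpd.conf,
# and the old per-site *.conf files in $2 (e.g. /etc/httpd/vhosts.conf.d).
set -eu

migrate_vhosts() {
    httpd_root=$1
    vhost_dir=$2
    available="$httpd_root/sites-available"
    enabled="$httpd_root/sites-enabled"
    conf="$httpd_root/conf/httpd.conf"

    mkdir -p "$available" "$enabled"

    # Move each vhost file and link it back in by basename, so the link
    # target is the moved file itself rather than a path built by hand.
    for f in "$vhost_dir"/*.conf; do
        [ -e "$f" ] || continue          # glob matched nothing
        name=$(basename "$f")
        mv "$f" "$available/$name"
        ln -sfn "$available/$name" "$enabled/$name"
    done

    # Comment out the old Include of the vhost directory (if any) and add
    # the Debian-style line once, so no site is loaded twice.
    old=$(basename "$vhost_dir")
    sed -i "s|^\([[:space:]]*Include.*$old\)|# \1|" "$conf"
    grep -q '^Include sites-enabled/\*\.conf' "$conf" ||
        printf '\nInclude sites-enabled/*.conf\n' >> "$conf"

    # Never restart on a broken config: configtest first, restart only on success.
    if command -v apachectl >/dev/null 2>&1 && [ "$httpd_root" = /etc/httpd ]; then
        apachectl configtest && systemctl restart httpd.service
    fi
}

# Usage: sh migrate-vhosts.sh /etc/httpd /etc/httpd/vhosts.conf.d
if [ "$#" -ge 2 ]; then
    migrate_vhosts "$1" "$2"
fi
```

Running it a second time is harmless: the glob finds nothing left to move, the old Include is already commented out and the new one is only appended if absent.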

We now have Centos configured in a way that will allow us to use letsencrypt-auto out-of-the-box!

Sources: digitalocean

Install letsencrypt

If you don't already have git installed, you'll need it


yum install git

To install the letsencrypt client, clone it from git:


git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Fetch your first ssl certificate

You should now be ready to fetch certificates using the letsencrypt-auto client.


/opt/letsencrypt/letsencrypt-auto --apache -d example.com

You can also install the certificate for subdomains at the same time


/opt/letsencrypt/letsencrypt-auto --apache -d example.com -d www.example.com -d static.example.com

The first time you run letsencrypt in centos the client will download and install dependencies, then it will present you with an ncurses UI with some options for you to pick from, including setting up a 301 redirect from the non-https to the https version of your site.

If the client fails, it will print the reasons on stdout – I had to separate my vhost files so that there was one configuration per file (I deleted the :443 section, left the :80 section and let the client generate the ssl version for me)
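Splitting a combined vhost file by hand is tedious, so here is an added example (not from the original post) that does it with awk, covering both the one-block-per-file requirement from the vhost section and the :443 removal just described: every <VirtualHost> block is written to its own file in sites-available, named after its ServerName, and :443 blocks are dropped so the client can generate the ssl version. The three-vhost file at the bottom is constructed for the demo; the function takes any input file and output directory.

```shell
#!/bin/sh
# Added example (not from the original post): split a file holding several
# <VirtualHost> blocks into one file per block, named after its ServerName,
# skipping the :443 blocks so letsencrypt-auto can generate them itself.
set -eu

# split_vhosts <combined.conf> <output dir>
split_vhosts() {
    infile=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        # Opening tag: remember the port and start a fresh buffer.
        /^[[:space:]]*<VirtualHost/ {
            inblock = 1; port = ""; name = ""; buf = ""
            if (match($0, /:[0-9]+>/)) port = substr($0, RSTART + 1, RLENGTH - 2)
        }
        inblock { buf = buf $0 "\n" }
        inblock && /^[[:space:]]*ServerName/ { name = $2 }
        # Closing tag: flush the buffer to its own file, or drop an https block.
        inblock && /^[[:space:]]*<\/VirtualHost>/ {
            inblock = 0
            if (port == "443") { skipped++; next }
            if (name == "") name = "unnamed-" (++anon)
            out = outdir "/" name ".conf"
            # A repeated ServerName on :80 is appended, not overwritten.
            if (out in seen) { printf "%s", buf >> out }
            else { printf "%s", buf > out; seen[out] = 1 }
            close(out)
            written++
        }
        END { printf "%d file(s) written, %d :443 block(s) skipped\n", written, skipped }
    ' "$infile"
}

# Demo on a constructed three-vhost file in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vhosts.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName static.example.com
    DocumentRoot /var/www/static
</VirtualHost>
EOF
split_vhosts "$demo_dir/vhosts.conf" "$demo_dir/sites-available"
ls "$demo_dir/sites-available"
# Real use: split_vhosts /etc/httpd/vhosts.conf.d/all.conf /etc/httpd/sites-available
```

The demo produces example.com.conf and static.example.com.conf and reports one :443 block skipped; check the files over before symlinking them into sites-enabled.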

If the certificates install correctly, you’ll get something that looks like this:

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to user@example.com.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You aren't done yet though – letsencrypt will have created a vhost file in the sites-enabled folder – it's probably best to move this to the sites-available folder and symlink it back to the sites-enabled folder.

certificate renewal

Letsencrypt certificates expire after 90 days, so you have to set up renewal. The easiest way is with a cronjob.

Test the renewal with:


/opt/letsencrypt/letsencrypt-auto renew

You'll get a message saying that your certificates aren't due for renewal yet; that's ok, we just needed to see that the renewal found your existing certs.

Add the command to a cronjob (it's recommended on the letsencrypt site to try twice a day)


crontab -e

0 6,12 * * * /opt/letsencrypt/letsencrypt-auto renew

You now have letsencrypt in centos! Next you'll want to check the cipher strength of your new setup – I wrote a post about hardening ssl ciphers to help :D
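The renew command says "not due yet" today, but nothing above tells you when the cron job has quietly stopped working (a typo in the crontab line is enough). This added check script (not from the original post) reads the expiry date straight out of the certificate with openssl and warns when fewer than 30 days remain, which is the point at which certbot would already have renewed. It assumes GNU date (as on CentOS), openssl, and the /etc/letsencrypt/live/<domain>/fullchain.pem layout shown in the output above.

```shell
#!/bin/sh
# Added example (not from the original post): report how many days a
# Let's Encrypt certificate has left, so a renewal cron that has silently
# stopped working is noticed well before the 90-day expiry.
# Assumes GNU date (CentOS), openssl, and certbot's live/ directory layout.
set -eu

# Days from $2 (default: now) until the openssl-style date in $1,
# e.g. "Apr 21 00:00:00 2016 GMT" (the notAfter format openssl prints).
days_until() {
    end=$(date -u -d "$1" +%s)
    start=$(date -u -d "${2:-now}" +%s)
    echo $(( (end - start) / 86400 ))
}

# Days left on the leaf certificate for a domain; openssl reads the first
# certificate in fullchain.pem, which is the one issued for the domain.
cert_days_left() {
    pem="/etc/letsencrypt/live/$1/fullchain.pem"
    not_after=$(openssl x509 -noout -enddate -in "$pem" | cut -d= -f2)
    days_until "$not_after"
}

# Warn if a domain's cert is inside the window in which renew should
# already have run (certbot renews once fewer than 30 days remain).
check_domain() {
    left=$(cert_days_left "$1")
    if [ "$left" -lt 30 ]; then
        echo "WARN $1: $left days left; renewal cron may not be running"
        return 1
    fi
    echo "OK $1: $left days left"
}

# Usage: sh le-expiry-check.sh example.com [more.example.com ...]
# (run it from cron as well, and have cron mail you the WARN lines)
for domain in "$@"; do
    check_domain "$domain" || true
done
```

days_until is kept separate from the openssl call so the arithmetic can be checked on a known date: from the 2016-01-21 issue date to the 2016-04-21 expiry quoted in the output above is 91 days, a 2016 leap day included.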

The following instructions are for wildcard certs (supported as of mid-2018)

Wildcard certs are now supported, but if you are using cloudflare, there are some issues – DNS is the preferred way to authenticate your domain name with letsencrypt, but this has to be automated. If you use cloudflare, then you can get an API key, and letsencrypt will temporarily add a DNS record for the challenge while authenticating with the CA when the renewal is happening.

It's a bit of a round-about process, but goes something like this:
1) do all the things from above first (if you already have working cert, or working wildcard cert, then skip this)
2) log in to cloudflare and grab an API key
Save it in a text file somewhere (I know, not ideal, but so far there isn’t any other way)


dns_cloudflare_email = bob@example.com
dns_cloudflare_api_key = 1234567890
3) run this to get your first * cert

/opt/eff.org/certbot/venv/bin/pip -q install certbot-dns-cloudflare
/opt/letsencrypt/certbot-auto --dns-cloudflare --dns-cloudflare-credentials /path/to/letsencrypt-text-file -d '*.example.com' --preferred-challenges dns-01 certonly --server https://acme-v02.api.letsencrypt.org/directory
This will work great, until you try to renew.
You'll then get the following errors:
unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
This is because certbot updates itself each time it runs and nukes out the cloudflare dns plugin :|
The workaround I'm using is to make a little script with the following:
#!/bin/sh
/opt/letsencrypt/certbot-auto --version
/opt/eff.org/certbot/venv/bin/pip -q install certbot-dns-cloudflare
/opt/letsencrypt/certbot-auto renew >> /var/log/le-renew.log
and run that from your crontab.
The script does the following:
1) run certbot with a --version flag – if certbot sees that it is out of date, it will self-update
2) reinstall the cloudflare-dns plugin (if certbot self-updated, then it loses all previous plugin info)
3) renew the certs that we have.
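A slightly more careful version of that wrapper, as an added example (not the original post's script): it reinstalls the plugin only when it has actually gone missing, refuses to run while the credentials file from step 2 is readable by anyone but its owner (the API key in it can change your DNS, so it deserves the same file mode as a private key), and timestamps its log lines. The certbot-auto, venv and log paths are the ones used above; /path/to/letsencrypt-text-file is a placeholder for your own credentials file, and the pip freeze check is an assumption about how the venv lists the plugin.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper for the
# cloudflare DNS plugin that checks before reinstalling, refuses a
# world-readable credentials file, and logs with timestamps.
# Paths below are the ones from the post; CREDS is a placeholder.
set -eu

CERTBOT=/opt/letsencrypt/certbot-auto
PIP=/opt/eff.org/certbot/venv/bin/pip
CREDS=/path/to/letsencrypt-text-file      # placeholder: your cloudflare credentials file
LOG=/var/log/le-renew.log

log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG"; }

# Return 0 only if the file exists and is readable by its owner alone.
creds_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c %a "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the plugin is installed in certbot's venv (assumption: the
# venv's pip lists it as certbot-dns-cloudflare==<version>).
plugin_present() {
    "$PIP" freeze 2>/dev/null | grep -qi '^certbot-dns-cloudflare=='
}

renew() {
    creds_ok "$CREDS" || { log "refusing to run: $CREDS must be mode 600"; return 1; }
    # --version triggers certbot-auto's self-update, which drops the plugin
    "$CERTBOT" --version >> "$LOG" 2>&1
    if ! plugin_present; then
        log "plugin missing after self-update, reinstalling"
        "$PIP" -q install certbot-dns-cloudflare >> "$LOG" 2>&1
    fi
    "$CERTBOT" renew >> "$LOG" 2>&1
    log "renew finished"
}

# Usage from cron, twice a day as above:
# 0 6,12 * * * /usr/local/sbin/le-renew.sh run
if [ "${1:-}" = run ]; then
    renew
fi
```

Because renew returns non-zero when the credentials check fails or certbot exits with an error, cron will mail the failure instead of logging "renew finished" over a cert that was never renewed.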