How to Secure Apache with Let’s Encrypt on CentOS 6

Robert Andresen | Programming, Tutorials

Install the Let’s Encrypt client

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt

I didn’t have git installed, so I just downloaded it from Github and added it under /opt/letsencrypt on the server.


Now for the CentOS 6 "fix"

You'll need to run the client with Python 2.7, which CentOS 6 only ships through Software Collections (SCL):

$ yum install centos-release-SCL
$ yum install python27

The system Python stays at 2.6.6; the 2.7 interpreter is only on the PATH inside "scl enable python27 ...":

$ python -V
Python 2.6.6

Run the client

$ scl enable python27 "/opt/letsencrypt/letsencrypt-auto --apache -d mydomain.no"

While installing you get a configuration screen where you enter your e-mail address and select the virtual host. As my CentOS 6 Apache does not have per-site virtual host files like CentOS 7, the letsencrypt software only found the default ssl.conf under /etc/httpd/conf.d/.

As I had my virtual hosts in /etc/httpd/conf/httpd.conf, I removed the created virtual host from ssl.conf and added the necessary info to my /etc/httpd/conf/httpd.conf, like this:

Automate certificate renewal

Add this to /etc/crontab, or via "crontab -e" as root (in that case drop the "root" user column, which only /etc/crontab has):

03 3 * * * root scl enable python27 "/opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring --agree-tos --quiet --webroot --webroot-path /var/www/webpage/mydomain.no -d mydomain.no"; /etc/init.d/httpd restart
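The cron line above runs certonly with the full option set and restarts httpd every night whether or not anything was renewed. As an added example (my script, not part of the original post), here is a wrapper for the same cron slot that calls the client's own "renew" command, which reuses the webroot settings the client saved under /etc/letsencrypt/renewal/, and only reloads Apache when a certificate file actually changed. It assumes the post's paths (/opt/letsencrypt and /etc/letsencrypt/live); the script location /usr/local/sbin/le-renew.sh and the syslog tag are my own choices.

```shell
#!/bin/sh
# le-renew.sh -- added example, not the post's cron line. Runs the client's
# own "renew" and reloads httpd only when a certificate was replaced.
# Assumed cron entry (runs as root, as in the post):
#   03 3 * * * root /usr/local/sbin/le-renew.sh run

LE_CLIENT="/opt/letsencrypt/letsencrypt-auto"
LIVE_DIR="/etc/letsencrypt/live"

# Snapshot: one "<domain> <mtime>" line per live certificate. The files
# under live/ are symlinks that the client re-points on renewal, so -L
# follows them to the real file.
cert_mtimes() {
    for f in "$1"/*/cert.pem; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(basename "$(dirname "$f")")" "$(stat -L -c %Y "$f")"
    done
}

# Print every domain whose "<domain> <mtime>" line in snapshot $2 is not in
# snapshot $1: renewed certificates and brand-new ones alike.
changed_domains() {
    printf '%s\n' "$2" | while read -r domain mtime; do
        [ -n "$domain" ] || continue
        printf '%s\n' "$1" | grep -qxF "$domain $mtime" || printf '%s\n' "$domain"
    done
}

main() {
    before=$(cert_mtimes "$LIVE_DIR")
    # --quiet: silent unless something fails, so cron only mails on errors
    if ! scl enable python27 "$LE_CLIENT renew --quiet"; then
        logger -t le-renew "letsencrypt-auto renew failed"
        return 1
    fi
    after=$(cert_mtimes "$LIVE_DIR")
    changed=$(changed_domains "$before" "$after")
    if [ -z "$changed" ]; then
        logger -t le-renew "nothing due for renewal"
        return 0
    fi
    logger -t le-renew "renewed: $(printf '%s' "$changed" | tr '\n' ' ')"
    # graceful reload picks up the new files without dropping connections,
    # unlike the nightly "restart" in the crontab line
    /etc/init.d/httpd reload || { logger -t le-renew "httpd reload failed"; return 1; }
}

case "$1" in
    run) main ;;
esac
```

Run it once by hand as "sh /usr/local/sbin/le-renew.sh run" and check /var/log/messages for the le-renew lines before trusting it to cron; the client's own log in /var/log/letsencrypt/ shows why a renewal was skipped or failed.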

Install additional certificates

I got this error message on httpd restart:
…so I had to add "NameVirtualHost *:443" above "Listen 443" in /etc/httpd/conf.d/ssl.conf

Update 2016.05.21

If you try to add a certificate for a web page protected with a username and password via .htaccess, you'll get an error like this. Let's Encrypt cannot read the challenge file under .well-known, so you need to temporarily disable the .htaccess protection by moving or renaming the file while the Let's Encrypt process runs. Note that the whole site is unprotected for as long as the file is away; exempting only /.well-known/acme-challenge from authentication in the Apache configuration avoids that window.
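Here is an added example, not configuration from the original post, that ties together the virtual host the post adds by hand, the NameVirtualHost *:443 fix, and a way around the .htaccess problem that does not leave the site open: it generates an Apache 2.2 (CentOS 6) vhost pair for one name, with the ACME challenge path exempted from authentication on port 80 and the /etc/letsencrypt/live paths on port 443, and reloads httpd only if "apachectl -t" passes. The docroot /var/www/webpage/<domain> is the post's; the file name /etc/httpd/conf.d/<domain>.conf, the assumption that NameVirtualHost *:443 already sits in ssl.conf as described above and NameVirtualHost *:80 in httpd.conf, and the TLS settings are mine.

```shell
#!/bin/sh
# le-vhost.sh -- added example, not from the original post. Generates an
# Apache 2.2 (CentOS 6) vhost pair for one name. Assumptions: docroot
# /var/www/webpage/<domain> as in the post, NameVirtualHost *:443 already
# in ssl.conf and NameVirtualHost *:80 in httpd.conf.

CONF_DIR="/etc/httpd/conf.d"

# Print the vhost configuration for $1 (domain) with docroot $2.
write_vhost_conf() {
    domain="$1"; docroot="$2"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
# generated by le-vhost.sh for $domain
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $docroot
    <Directory $docroot>
        # lets the site's own .htaccess (AuthType/Require) apply
        AllowOverride AuthConfig
    </Directory>
    # HTTP-01 challenge files must be reachable without a password.
    # <Location> is merged after <Directory>/.htaccess, so "Satisfy Any"
    # plus "Allow from all" wins over "Require valid-user" there, and
    # nothing outside this path is exposed.
    <Location /.well-known/acme-challenge>
        Satisfy Any
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $docroot
    <Directory $docroot>
        AllowOverride AuthConfig
    </Directory>
    SSLEngine on
    # Apache 2.2 wants the intermediate chain in its own directive;
    # fullchain.pem in SSLCertificateFile only works from 2.4.8 on.
    SSLCertificateFile      $live/cert.pem
    SSLCertificateKeyFile   $live/privkey.pem
    SSLCertificateChainFile $live/chain.pem
    # no SSLv2/SSLv3; the server picks the cipher
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
EOF
}

# Write the file and only reload httpd if the whole config still parses.
install_vhost() {
    domain="$1"; docroot="$2"
    target="$CONF_DIR/$domain.conf"
    write_vhost_conf "$domain" "$docroot" > "$target"
    if apachectl -t; then
        /etc/init.d/httpd reload
    else
        echo "config test failed, not reloading; fix $target" >&2
        return 1
    fi
}

case "$1" in
    install) install_vhost "$2" "${3:-/var/www/webpage/$2}" ;;
esac
```

Usage: "sh le-vhost.sh install mydomain.no" writes /etc/httpd/conf.d/mydomain.no.conf. With the Location block in place the certonly and renew commands work with the .htaccess left where it is; to confirm, fetch http://mydomain.no/.well-known/acme-challenge/test with curl and check that you get a 404 rather than a 401.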


Update 2016.08.21

Auto certificate renewal didn't work as planned. I haven't had the time to debug it yet, but got them renewed with:

scl enable python27 "/opt/letsencrypt/letsencrypt-auto renew"

I tried to specify the domain, but got an error that a domain cannot be specified for renew.

Command with full feedback:

When auto-renew doesn't work

The renew command worked for all of my sub-domains, but not for mydomain.no. When I checked the change time in /etc/letsencrypt/live/mydomain.no, the date was 3 months old (only on that domain). Still, the browser gives an expired message and the command tells me that the domain is not up for renewal yet.

Then I used this command:

This gave me this window, which still tells me that I have a certificate that isn't close to expiry:


I selected number 2 “Renew & replace the cert…”.

This first gave me an error:

Then:

And it looks like it worked! Yey!
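When the file under /etc/letsencrypt/live is fresh but the browser still reports an expired certificate, the useful check is whether Apache is actually serving that file. As an added example (mine, not from the post), this script fingerprints the certificate served on port 443 for a name, using SNI, which matters once NameVirtualHost *:443 is in use, and compares it with cert.pem on disk, printing both expiry dates. The script name and the live-directory layout are assumptions; it needs only openssl.

```shell
#!/bin/sh
# le-check-served.sh -- added example, not from the original post.
# Compares the certificate Apache serves for a name with the one in
# /etc/letsencrypt/live/<name>/cert.pem. A mismatch means the renewed file
# is on disk but httpd was not reloaded, or the vhost points elsewhere.

LIVE_DIR="/etc/letsencrypt/live"

# Strip the "SHA256 Fingerprint=" label from openssl output, keep the hex.
fp_value() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//'
}

# PEM certificate currently served on $1:${2:-443}, requested with SNI so a
# name-based *:443 vhost answers with its own certificate.
served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# SHA-256 fingerprint of a PEM certificate given as a string.
pem_fingerprint() {
    fp_value "$(printf '%s\n' "$1" | openssl x509 -noout -fingerprint -sha256)"
}

# Expiry date of a PEM certificate given as a string.
pem_not_after() {
    printf '%s\n' "$1" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# "match" if both fingerprints are present and equal, "MISMATCH" otherwise;
# the exit status follows the verdict.
compare_fingerprints() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

main() {
    host="$1"
    disk="$LIVE_DIR/$host/cert.pem"
    disk_pem=$(cat "$disk") || return 1
    served_pem=$(served_cert "$host")
    disk_fp=$(pem_fingerprint "$disk_pem")
    served_fp=$(pem_fingerprint "$served_pem")
    echo "on disk ($disk): $disk_fp, expires $(pem_not_after "$disk_pem")"
    echo "served  ($host:443): $served_fp, expires $(pem_not_after "$served_pem")"
    if compare_fingerprints "$disk_fp" "$served_fp" >/dev/null; then
        echo "OK: Apache serves the certificate from $disk"
    else
        echo "MISMATCH: Apache is not serving $disk; reload httpd or check SSLCertificateFile in the vhost" >&2
        return 1
    fi
}

case "$1" in
    check) main "$2" ;;
esac
```

Run it as "sh le-check-served.sh check mydomain.no" after every renewal. If the served fingerprint matches but the date is still old, the certificate on disk itself is stale and the client, not Apache, is the place to look; if it does not match, an httpd reload usually fixes it.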
