Installing and using a Let's Encrypt SSL certificate for a website on CentOS 7

Source: Internet
Author: User
Tags: mkdir centos install letsencrypt ssl certificate git clone letsencrypt

Install the Let's Encrypt client

For CentOS there are currently two ways to install the Let's Encrypt client: install it with yum from the EPEL repository, or clone it from the Let's Encrypt GitHub repository. This site uses the second method, cloning from GitHub, which is described below.

Two installation methods
A simple comparison:

YUM installation: the package is updated along with system updates and installation is very simple, but the package does not include the Apache plug-in, so it cannot install the certificate into Apache automatically.
Git installation: also easy to install, and the Apache plug-in is available, but the client has to be updated separately. In addition, the virtual host must already have an SSL certificate configured.
Currently the letsencrypt package is available in the EPEL repository, but it does not yet include the Apache component. This means the client can only obtain the certificate and cannot automatically install it for the website (installing the certificate really just means editing the virtual host configuration file so that the certificate paths point to the certificate obtained from the Let's Encrypt CA).

The Apache plug-in does exist in the Let's Encrypt GitHub repository, so there are two options: obtain the client from GitHub and let it obtain and install the certificate automatically, or install the letsencrypt package from EPEL, obtain only the certificate, and install it manually.

Using a letsencrypt client without the Apache plug-in is inconvenient. Without the plug-in you can only obtain the certificate in certonly (webroot) or standalone mode. Issuance requires an immediate validation step, which proves that the domain the certificate is requested for is really under your control. Because the certificate is not installed automatically, in certonly mode you have to let the client place the validation file in the website root of the corresponding virtual host so that the Let's Encrypt validation server can fetch it. That file lives in a hidden directory (one starting with ".", the .well-known directory) on Linux, so Apache must be configured to allow access to the contents of that hidden directory. This is quite troublesome. Standalone mode seems even more troublesome, since it may require stopping the web service on that host. Because of these problems, this site chose the Let's Encrypt client from GitHub to reduce the hassle (it comes with an executable script that needs no compilation or installation).

Note: after the client obtains and installs the certificate, it automatically restarts the Apache service for a very short time so that the certificate takes effect!

Install Let's Encrypt from EPEL

Since it is a packaged installation, it is very simple (the GitHub method below is also simple, but it cannot be upgraded through yum). The official EPEL repository now carries a Let's Encrypt package. If the EPEL repository is already enabled on the system, install the package directly with yum; if not, adding the EPEL repository is not troublesome either.

# yum install epel-release
# yum install letsencrypt
Then run

# letsencrypt --help
to view the help. You will also see the notice that the Apache plug-in has not yet been integrated, which means this client can only obtain a certificate and cannot install it for the website automatically.

If you nevertheless try to obtain and install the certificate with the Apache plug-in, by running

# letsencrypt --apache -d 111cn.net -d www.111cn.net -d test.111cn.net
you get the following error:

The requested apache plugin does not appear to be installed

No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

Git installation

Install the dependencies on the server,

# yum install epel-release
# yum install git
Then download the Let's Encrypt client, that is, clone all files of the repository from GitHub,

# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
The last argument of the preceding command is the local folder the program is saved to, /opt/letsencrypt.

To update the client later, run

# cd /opt/letsencrypt
# sudo git pull
You can also add these commands to the automatic certificate renewal script introduced below.

Adjust the virtual host configuration file

Before running the client to obtain a certificate, some preparation is required. To have the Apache plug-in install the certificate automatically, the following requirements must be met:

The virtual host must already have an SSL certificate configured. If you need to install a self-signed certificate first, refer to the article on that topic on this site.
Each virtual host needs a separate Apache configuration file (.conf file).
If your configuration is not already split up this way, you can restructure it as follows. If the server's SSL configuration file contains several virtual hosts, letsencrypt reports an error at run time,

We were unable to find a vhost with ServerName or Address of 111cn.net
and then asks you to select a valid configuration file.

Assume the virtual host configuration on the original server is in the file vhostssl.conf.

Create the folders,

mkdir /etc/httpd/sites-available
mkdir /etc/httpd/sites-enabled
Give each virtual host in vhostssl.conf its own SSL configuration file, such as 111cn.net-ssl.conf and test.111cn.net-ssl.conf, store them in the sites-available folder, and delete the corresponding content from vhostssl.conf.

Then create a symbolic link from the configuration file of each host you want to enable into the sites-enabled folder, for example for 111cn.net,

ln -s /etc/httpd/sites-available/111cn.net-ssl.conf /etc/httpd/sites-enabled/111cn.net-ssl.conf
The advantage is that if you no longer need 111cn.net-ssl.conf you can simply delete the link in the sites-enabled folder, while the original configuration file is retained as a backup in sites-available.

Then add the following line to vhostssl.conf so that Apache loads all virtual host configuration files in the sites-enabled folder at startup,

IncludeOptional sites-enabled/*.conf
For versions earlier than Apache 2.4 use,

Include sites-enabled/*.conf
After the configuration is ready, go to the letsencrypt installation directory to obtain and enable the certificate.
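Before running the plug-in, it helps to verify that the split described above was done correctly. The following script is an added example (not code from the original post or from the Let's Encrypt project): it checks that every enabled .conf holds exactly one <VirtualHost> block with a ServerName, the layout the plug-in needs to resolve a domain to a vhost. The sample configuration files and temporary paths it creates are constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): check the sites-enabled layout
# described above before running the Apache plug-in, which needs each enabled
# .conf to hold exactly one <VirtualHost> block with a ServerName.
# Paths and the sample configs below are constructed for this demo.

# check_vhost_file FILE -> returns 0 if FILE has exactly one <VirtualHost>
# block and a ServerName directive; otherwise reports on stderr and returns 1
check_vhost_file() {
    local f=$1 n
    n=$(grep -ci '^[[:space:]]*<VirtualHost' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "$f: expected one <VirtualHost> block, found $n" >&2; return 1
    fi
    if ! grep -qi '^[[:space:]]*ServerName[[:space:]]' "$f"; then
        echo "$f: no ServerName directive" >&2; return 1
    fi
}

# check_sites_enabled DIR -> checks every *.conf in DIR; the return value is
# the number of files that fail (0 means the plug-in can resolve each vhost)
check_sites_enabled() {
    local bad=0 f
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        check_vhost_file "$f" || bad=$((bad + 1))
    done
    return "$bad"
}

# make_sample_dir -> creates a temp dir holding one correct per-host file and
# one combined file in the vhostssl.conf shape that breaks the plug-in
make_sample_dir() {
    local d
    d=$(mktemp -d)
    cat > "$d/111cn.net-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName 111cn.net
    ServerAlias www.111cn.net
    SSLEngine on
</VirtualHost>
EOF
    cp "$d/111cn.net-ssl.conf" "$d/vhostssl.conf"
    printf '<VirtualHost *:443>\n    ServerName test.111cn.net\n    SSLEngine on\n</VirtualHost>\n' \
        >> "$d/vhostssl.conf"
    echo "$d"
}
SAMPLE=$(make_sample_dir)
check_sites_enabled "$SAMPLE" || echo "$? file(s) in $SAMPLE must be split per vhost"
rm -rf "$SAMPLE"
```

Point check_sites_enabled at /etc/httpd/sites-enabled on the real server; a non-zero count names the files that still contain more than one vhost.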

Obtain and install certificates

The letsencrypt client installed from git is used as the example.

Enter the letsencrypt folder,

# cd /opt/letsencrypt
Run the following command,

# ./letsencrypt-auto --apache -d 111cn.net -d www.111cn.net -d test.111cn.net
--apache means the certificate is installed using the Apache plug-in, and each domain name the certificate should cover follows a -d. For a primary domain such as 111cn.net we usually request the certificate for its www alias, www.111cn.net, at the same time, so the command should contain at least the first two of the three domain names above. You can also request the certificates separately, for example,

First,

# ./letsencrypt-auto --apache -d 111cn.net -d www.111cn.net
and then,

# ./letsencrypt-auto --apache -d test.111cn.net
The first run automatically installs the necessary packages, including Python-related dependencies; the download is about 20-30 MB. The certificate is then obtained and installed automatically.

As mentioned above, the Apache plug-in can only handle a configuration file that contains a single virtual host. The three domain names here correspond to two virtual hosts: 111cn.net and www.111cn.net belong to the main site, and test.111cn.net is a separate website. The vhost configurations of the two virtual hosts must be written into two independent files, for example 111cn.net-ssl.conf and test.111cn.net-ssl.conf; otherwise an error is triggered and the run fails. The error looks like,

The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(('There has been an error in parsing the file (%s): %s', u'/etc/httpd/conf.d/vhost.conf', u'syntax error'),)
If this happens, fix the virtual host configuration file and run the command again. Next we discuss the successful path.

Then you are prompted for the email address of the account, and then to agree to the subscriber agreement. It is easy: apart from typing the email address, the rest is just pressing Enter.

1. email for recovery of account credentials
2. Agreement
The issued certificate is saved under the /etc/letsencrypt/live/ folder.

Renew certificates regularly

Note: the following is based on the git installation. If yum was used, adjust the letsencrypt command accordingly.

Let's Encrypt certificates are valid for 90 days. Because the process is fully automated, this does not cause much trouble. The official documentation recommends renewing every 60 days, which leaves some time to deal with emergencies.

For the automatic renewal script, it is recommended to run it once a day at a random time of day, so that a particular network condition, server congestion or other problem at a fixed time does not cause the renewal to fail on several consecutive days.

The command for automatic renewal is,

# ./letsencrypt-auto renew
This command renews all certificates on the server that were obtained this way.

The official website provides an automatic renewal script as an example. The following is the renewal script for the Apache plug-in, assuming the installation location is /opt/letsencrypt as above.

#!/bin/sh
# Renew every certificate; on failure print the log so cron mails it to root
if ! /opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1; then
    echo "Automated renewal failed:"
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
Save it as le-renew.sh and run it regularly through cron.

The following is the automated script used on this site. A random delay of a few minutes is added so that the renewal does not always run at the same moment, and if the renewal fails it automatically sends an email notification to the specified address.

#!/bin/bash
# https://111cn.net/
# Update the letsencrypt client first (bash is required for $RANDOM below)
cd /opt/letsencrypt || exit 1
git pull

# Random delay of 1-10 minutes so the renewal does not always hit the same time
sleep $(( (RANDOM % 10) + 1 ))m
# Renew the Let's Encrypt certificates; on failure mail the log to the admin
if ! ./letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1; then
    { echo "Automated renewal failed:"; cat /var/log/letsencrypt/renew.log; } \
        | mail -s "LE renew failed" your@email.com
    exit 1
fi
Run the script by hand once before scheduling it, to see whether there are any errors and whether it achieves the expected result.

To run the script automatically, for example at five o'clock every morning, edit the system crontab file (/etc/crontab, whose lines include a user field) as root, add the following line at the end and save it,

0 5 * * * root sh /path/to/le-renew.sh > /dev/null 2>&1
Remember to change the path to your le-renew.sh :D
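A cron job that silently fails will leave certificates to expire, so it is worth checking independently that renewal is keeping up. The following script is an added example (not part of the original post): it reads the expiry of every certificate under /etc/letsencrypt/live/ with openssl and warns when fewer than a chosen number of days remain. It assumes GNU date (as on CentOS 7) and openssl on PATH; LIVE_DIR and WARN_DAYS are this example's own settings, not letsencrypt options.

```shell
#!/bin/bash
# Added example (not from the original post): verify that the cron-driven
# renewal above is keeping up, by reading the expiry of every certificate under
# /etc/letsencrypt/live/ and warning when fewer than WARN_DAYS remain.
# Assumes GNU date (as on CentOS 7) and openssl on PATH; LIVE_DIR and
# WARN_DAYS are this example's own settings, not letsencrypt options.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
WARN_DAYS=${WARN_DAYS:-30}   # certificates last 90 days and renew at 60

# days_until 'notAfter=<date>' -> prints whole days from now until that date
# (negative once expired); the input is the line openssl x509 -enddate prints
days_until() {
    local end_s now_s
    end_s=$(date -d "${1#notAfter=}" +%s) || return 1
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# cert_days_left CERT.pem -> prints days until the certificate's notAfter
cert_days_left() {
    local line
    line=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    days_until "$line"
}

# check_live_dir DIR -> one line per certificate; returns 1 if any certificate
# is unreadable or has fewer than WARN_DAYS days left
check_live_dir() {
    local dir=$1 rc=0 cert left
    for cert in "$dir"/*/cert.pem; do
        [ -e "$cert" ] || continue
        if ! left=$(cert_days_left "$cert"); then
            echo "ERROR $cert: cannot read expiry"; rc=1; continue
        fi
        if [ "$left" -lt "$WARN_DAYS" ]; then
            echo "WARN  $cert: $left days left, renewal is not keeping up"; rc=1
        else
            echo "OK    $cert: $left days left"
        fi
    done
    return "$rc"
}

check_live_dir "$LIVE_DIR"
```

Run it from a second cron entry or a monitoring check; a non-zero exit status means the renewal job needs attention before the 90-day validity runs out.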
