Share this page : facebooktwitterlinkedinmailfacebooktwitterlinkedinmail

Although there are tools can automate the SSL cert renewal process for you, it’s always good to know how it works just in case you need to troubleshoot.

We will first see how it works step by step, then introduce a automated tool Certbot.

Step one: get your server ready

An Overview of Security-Related Packages

To enable the secure server, you must have the following packages installed at a minimum:
httpd
The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.

User below command to install:

sudo yum install httpd mod_ssl openssl

Check that mod_ssl is properly installed:

# rpm -q mod_ssl
mod_ssl-2.4.6-80.el7.x86_64

And is loaded as a module into httpd server:

# apachectl -M | grep ssl
 ssl_module (shared)

The mod_ssl configuration file is sitting at: /etc/httpd/conf.d/ssl.conf. We need to enable Apache from reading configuration files here.

Note: Enable the Apache to load configuration file from conf.d, which is disabled by default on RHEL/CentOS.

Uncomment below in /etc/httpd/conf/httpd.conf to enable apache load the conf files:

IncludeOptional conf.d/*.conf

 

Step two: apply for the ssl certificate

Once you’ve got an approval of your certificate from the Certificate Authority (CA), you will have email, which will contain an encryption key valuables in hash algorithm such as;

-----BEGIN CERTIFICATE----- 
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF 
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw 
(.......) 
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6 
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA 
-----END CERTIFICATE-----

Or you can apply free SSL from https://www.sslforfree.com/, which only valid for about 100 days but completely free.

Wildcard or not

For paid version, you can apply certificate which will effective for *.example.com, but for the free version from sslforfree.com, we need to apply two versions.

I will apply two copies of ssl certificate, one for www.example.com and one for example.com.

Now you have two copies of three files, certificate file certificate.crt, Private key file private.key, CA bundle file Ca_bundle.crt.

To confirm that you have applied for the correct domain name, use command below to get the CN name from certificate:

 

# openssl x509 -noout -text -in certificate.crt | grep CN

 

 

Step Three

Upload the files via FTP, then rename to CN_name.crt

Now, you’ll want to create below directories and store the cert files for www.example.com on the following directory, which you’re going to keep all your certificate files;

Example: /etc/httpd/conf/ssl.crt/ , /etc/httpd/conf/ssl.key, /etc/httpd/conf/ca-bundle.

Then we edit the /etc/httpd/conf.d/ssl.conf to use the certificate:

......
Listen 443 https
......

<VirtualHost *:443>

DocumentRoot "/var/www/html"

#Below need to match the CN of your certificate
ServerName www.youdomain.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
SSLEngine on

# SSL Protocol support:
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomain.com.crt

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomain.com.key

# Server Certificate Chain (CA bundle):
SSLCertificateChainFile /etc/httpd/conf/ca-bundle/yourdomain.com.crt

.....................

</VirtualHost>

To force the website redirect http traffice to https:

edit the .htaccess file under the website root directory:

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

Verify your SSL certificate installation:

You can use below command to verify the HTTPS status:

openssl s_client -connect www.youdomain.com:443

Or open a browser and test

Now you will find the https://www.example.com is running well, but if you type https://example.com, it will tell you the site is not safe. If you click the advanced tab on desktop, you will find, it says the certificate is for www.example.com, but not example.com. Sounds stupid, but this how it strict with non wildcard certificate.

 

We will copy the other copy of cert files to /etc/httpd/conf/nonwww/ssl.crt/ , /etc/httpd/conf/nonwww/ssl.key, /etc/httpd/conf/nonwww/ca-bundle

Then open ssl.conf file we did above, copy the existing block <VirtualHost *:443> …..</VirtualHost> to bottom, then change the line “ServerName www.youdomain.com:443” to “ServerName youdomain.com:443”

Find the three lines of cert file, key file, and bundle file , change them into the new path:

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/nonwww/ssl.crt/yourdomain.com.crt

# Server Private Key:

SSLCertificateKeyFile /etc/httpd/conf/nonwww/ssl.key/yourdomain.com.key

# Server Certificate Chain (CA bundle):

SSLCertificateChainFile /etc/httpd/conf/nonwww/ca-bundle/yourdomain.com.crt

 

......
<VirtualHost *:443>

DocumentRoot "/var/www/html"

#Below need to match the CN of your certificate
ServerName youdomain.com:443

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
SSLEngine on

# SSL Protocol support:
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/path.to.your.crt

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/path.to.your.key

# Server Certificate Chain (CA bundle):
SSLCertificateChainFile /etc/httpd/conf/path.to.your.ca-bundle.crt

.....................

</VirtualHost>

Now you can restart the apache: sudo service httpd restart.

Clear the browser cache, type example.com and see if it work.

Certbot

Open https://certbot.eff.org to select the software and System, it will pull the doc for you. I will take apache with Centos7 as an example.

I will copy some steps from it’s website, for more info have a look at the link at the botom:

Installing DNF

Currently the DNF package comes from the EPEL repository, so if your Linux system is not already configured to use this repository, simply run the command below to set it up.

[[email protected] ~]# yum install epel-release -y

After doing this, you can install Certbot by running:

$ sudo yum install certbot python2-certbot-apache

automates certificate installation.

$ sudo certbot-2 --apache

If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonlysubcommand:

$ sudo certbot-2 --apache certonly

it will tell you the location of the certs:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/You.Domain/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/You.Domain/privkey.pem
 Your cert will expire on

Then you can use Step 3 to finish the setup.

Note there are two files here, but there are three needed in the step3 configuration file ssl.conf:

# Server Certificate: SSLCertificateFile /etc/httpd/conf/path.to.your.crt

# Server Private Key: SSLCertificateKeyFile /etc/httpd/conf/path.to.your.key

# Server Certificate Chain (CA bundle): SSLCertificateChainFile /etc/httpd/conf/path.to.your.ca-bundle.crt

If you open the fullchain.pem with a text editor, As the notes explains, the first section is the Server Certificate, the Second part is CA Bundle.

If you open the privkey.pem is the Server Private Key.

You can simply copy them and paste into a new file if you want to do it manually, or you can continue with the tools.

 

Automating renewal

The command to renew is as below:

$ sudo certbot-2 renew --dry-run

If this runs perfectly, then you can automate it :

An example cron job might look like this, which will run at noon and midnight every day:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot-2 renew

Ref: https://certbot.eff.org/lets-encrypt/centosrhel7-apache

Renew or Reverse back to Http

 

When you renew http on www.sslforfree.com, you may need to upload a file for ownership verification, they check the http link not https, so you may need to reverse back to http communication.

Use below steps to do this:

  1. remove the http to https redirect in .htaccess 
  2. in the /etc/httpd/conf/httpd.conf, change the DocumentRoot to the real folder of your website, if you configured a subfolder for Virtual host in the /etc/httpd/conf.d/ssl.conf
  3. Restart the apache by command sudo service httpd restart