Although there are tools that can automate the SSL certificate renewal process for you, it is always good to know how it works in case you need to troubleshoot.
We will first walk through the process step by step, then introduce an automated tool, Certbot.
Step one: get your server ready
An Overview of Security-Related Packages
To enable the secure server, you must have the following packages installed at a minimum:
httpd
The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
Use the command below to install them:
sudo yum install httpd mod_ssl openssl
Check that mod_ssl is properly installed:
# rpm -q mod_ssl
mod_ssl-2.4.6-80.el7.x86_64
And that it is loaded as a module into the httpd server:
# apachectl -M | grep ssl
ssl_module (shared)
The mod_ssl configuration file is at /etc/httpd/conf.d/ssl.conf. Apache must be allowed to read configuration files from this directory.
Note: loading configuration files from conf.d is disabled by default on RHEL/CentOS.
Uncomment the line below in /etc/httpd/conf/httpd.conf so that Apache loads the conf files:
IncludeOptional conf.d/*.conf
Step two: apply for the SSL certificate
Once your certificate has been approved by the Certificate Authority (CA), you will receive an email containing the certificate as a base64-encoded (PEM) block, such as:
-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
(.......)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----
Or you can get a free SSL certificate from https://www.sslforfree.com/, which is only valid for about 100 days but is completely free.
Wildcard or not
With a paid certificate you can apply for one that covers *.example.com; with the free version from sslforfree.com we need to apply for two separate certificates.
I will apply for two SSL certificates, one for www.example.com and one for example.com.
You now have two sets of three files: the certificate file certificate.crt, the private key file private.key, and the CA bundle file Ca_bundle.crt.
To confirm that you applied for the correct domain name, use the command below to get the CN from the certificate (the grep also matches the issuer's CN, so look at the Subject line):
# openssl x509 -noout -text -in certificate.crt | grep CN
Step Three
Upload the files via FTP, then rename them to CN_name.crt.
Now create the directories below and store the certificate files for www.example.com in them; this is where you will keep all your certificate files.
Example: /etc/httpd/conf/ssl.crt/, /etc/httpd/conf/ssl.key/, /etc/httpd/conf/ca-bundle/
Then edit /etc/httpd/conf.d/ssl.conf to use the certificate:
......
Listen 443 https
......
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    # Below needs to match the CN of your certificate
    ServerName www.youdomain.com:443

    # Use separate log files for the SSL virtual host; note that LogLevel
    # is not inherited from httpd.conf.
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    # SSL Engine Switch:
    SSLEngine on

    # SSL Protocol support:
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

    # Server Certificate:
    SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomain.com.crt

    # Server Private Key:
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomain.com.key

    # Server Certificate Chain (CA bundle):
    SSLCertificateChainFile /etc/httpd/conf/ca-bundle/yourdomain.com.crt
    .....................
</VirtualHost>
Note that this SSLProtocol line only disables SSLv2 and SSLv3, so TLS 1.0 and 1.1 stay enabled; tighten SSLProtocol and SSLCipherSuite to your current policy before going to production.
To force the website to redirect HTTP traffic to HTTPS, edit the .htaccess file in the website root directory:
# the rewrite engine must be switched on in .htaccess too
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Apache configuration file
Or you can do it in the Apache configuration file /etc/httpd/conf/httpd.conf.
In the port 80 section, add or edit the rewrite lines below to enable HTTPS for all sites:
<VirtualHost *:80>
    # General setup for the virtual host, inherited from global configuration
    ServerName you.domain.com:80

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
To enable HTTPS for only one site, add this condition next to the RewriteCond above (consecutive conditions are ANDed) so the rule applies only to that ServerName:
    RewriteCond %{SERVER_NAME} =your.domain.name
Verify your SSL certificate installation
You can use the below command to verify the HTTPS status:
openssl s_client -connect www.youdomain.com:443
Or open a browser and test it.
Now you will find that https://www.example.com works, but if you type https://example.com, the browser will tell you the site is not safe. If you click the Advanced tab on desktop, it says the certificate is for www.example.com, not example.com. It sounds stupid, but that is how strict a non-wildcard certificate is.
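The mismatch above is exactly what a proper hostname check catches before the certificate is wired into a VirtualHost. The script below is an added example, not part of the original post: instead of grepping for "CN" as in step two, it asks OpenSSL to do the same name matching a browser does (subjectAltName, CN and wildcards), and builds a constructed self-signed certificate for www.example.com only to show the result. It assumes the openssl CLI (1.0.2 or later) is installed; for a CA-issued certificate pass the CA bundle as the third argument.

```shell
#!/bin/sh
# Added example (not from the original post): check that a certificate really covers
# a hostname before wiring it into a <VirtualHost>, using OpenSSL's own hostname
# matching (SAN and CN, wildcards included) instead of grepping for "CN".
# Assumes the openssl CLI, 1.0.2 or later (for -verify_hostname), is installed.

# cert_covers_host CERT HOST [CABUNDLE]: 0 when CERT chains to CABUNDLE (default:
# CERT itself, i.e. self-signed) and its names cover HOST, 1 otherwise.
cert_covers_host() {
  openssl verify -CAfile "${3:-$1}" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_names CERT: the Subject and subjectAltName fields the browser checks.
cert_names() {
  openssl x509 -noout -subject -in "$1"
  openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1
}

# make_test_cert OUTDIR NAME HOST...: constructed self-signed test certificate
# whose SAN lists every HOST; the first HOST becomes the CN. Test data only.
make_test_cert() {
  dir=$1; name=$2; shift 2; san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $1
[ext]
subjectAltName = $san
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Demo: the case from the text, a certificate issued only for www.example.com.
demo=$(mktemp -d)
make_test_cert "$demo" www www.example.com
cert_names "$demo/www.crt"
for host in www.example.com example.com; do
  if cert_covers_host "$demo/www.crt" "$host"; then echo "$host: covered"
  else echo "$host: NOT covered, the browser would warn"; fi
done
```

Note that a wildcard *.example.com certificate covers www.example.com but not the bare example.com either; a certificate that lists both names in its SAN is what covers both.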
We will copy the second set of certificate files to /etc/httpd/conf/nonwww/ssl.crt/, /etc/httpd/conf/nonwww/ssl.key/ and /etc/httpd/conf/nonwww/ca-bundle/.
Then open the ssl.conf file we edited above, copy the existing <VirtualHost *:443> ... </VirtualHost> block to the bottom, and change the line “ServerName www.youdomain.com:443” to “ServerName youdomain.com:443”.
Find the three lines for the certificate file, key file and bundle file, and change them to the new paths:
Note: if your certificate and key are combined in one PEM file, use the commands below to split them into a certificate and a key. openssl must be installed, and it will ask for the password if the key is encrypted. The awk script assumes the certificate block comes first in the file and the key follows it.
# split the combined file: the certificate block goes to yourdomain.com.crt,
# everything after -----END CERTIFICATE----- (the key) goes to yourdomain.com1.crt
cat cert_key_file.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("yourdomain.com" n ".crt")}'
# re-write the certificate as PEM (this also checks that it parses as a certificate)
sudo openssl x509 -in yourdomain.com.crt -out yourdomain.com.pem
# extract the private key (prompts for the password if it is encrypted)
sudo openssl rsa -in yourdomain.com1.crt -out yourdomain.com.key
    # Server Certificate:
    SSLCertificateFile /etc/httpd/conf/nonwww/ssl.crt/yourdomain.com.crt

    # Server Private Key:
    SSLCertificateKeyFile /etc/httpd/conf/nonwww/ssl.key/yourdomain.com.key

    # Server Certificate Chain (CA bundle):
    SSLCertificateChainFile /etc/httpd/conf/nonwww/ca-bundle/yourdomain.com.crt

The complete second block then looks like this:
......
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    # Below needs to match the CN of your certificate
    ServerName youdomain.com:443

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    # SSL Engine Switch:
    SSLEngine on

    # SSL Protocol support:
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

    # Server Certificate:
    SSLCertificateFile /etc/httpd/conf/path.to.your.crt

    # Server Private Key:
    SSLCertificateKeyFile /etc/httpd/conf/path.to.your.key

    # Server Certificate Chain (CA bundle):
    SSLCertificateChainFile /etc/httpd/conf/path.to.your.ca-bundle.crt
    .....................
</VirtualHost>
Now restart Apache: sudo service httpd restart
Clear the browser cache, type example.com and check that it works.
Certbot
Open https://certbot.eff.org, select your web server software and operating system, and it will show the matching instructions. I will use Apache on CentOS 7 as the example.
I will copy some of the steps from its website; for more information see the link at the bottom.
Installing DNF
Currently the DNF package comes from the EPEL repository, so if your Linux system is not already configured to use this repository, run the command below to set it up.
[root@centos7 ~]# yum install epel-release -y
After doing this, you can install Certbot by running:
$ sudo yum install certbot python2-certbot-apache
or
$ sudo dnf install certbot python3-certbot-apache
The following command obtains a certificate and automates its installation in Apache:
$ sudo certbot --apache
If you are feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:
$ sudo certbot --apache certonly
It will tell you the location of the certificates:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/You.Domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/You.Domain/privkey.pem
   Your cert will expire on
Then you can use Step three to finish the setup.
Note that Certbot produces two files here, but the step three configuration file ssl.conf needs three (on Apache 2.4.8 and later SSLCertificateFile accepts fullchain.pem directly and the chain line is no longer needed; the httpd 2.4.6 shipped with CentOS 7 still needs the separate chain file):
    # Server Certificate:
    SSLCertificateFile /etc/httpd/conf/path.to.your.crt

    # Server Private Key:
    SSLCertificateKeyFile /etc/httpd/conf/path.to.your.key

    # Server Certificate Chain (CA bundle):
    SSLCertificateChainFile /etc/httpd/conf/path.to.your.ca-bundle.crt
If you open fullchain.pem in a text editor you will see that, as the notes explain, the first section is the server certificate and the second part (everything after it) is the CA bundle.
privkey.pem is the server private key.
You can copy them into new files if you want to do it manually, or you can continue with the tool.
Automating renewal
The command to renew is below; --dry-run tests the renewal without changing anything:
$ sudo certbot renew --dry-run
If this runs without errors, you can automate it.
An example cron job might look like this; it runs at noon and midnight every day, with a random delay of up to an hour before calling certbot:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
Ref: https://certbot.eff.org/lets-encrypt/centosrhel7-apache
Delete a domain cert
You may have multiple domains on a server; to delete a certificate you no longer need, use the command below:
sudo certbot delete
Tomcat:
There is no automatic certificate renewal for Tomcat, so you have to verify, request and copy the certificate into the Tomcat folder manually.
Verify
Some applications may lock the web root folder, so it is recommended to verify via DNS instead.
sudo certbot certonly --manual -d your.domain.name --preferred-challenges dns
It will show you a TXT record name, “_acme-challenge”, and the desired value.
Then create a TXT record with the name “_acme-challenge” pointing to the value shown above.
Alternatively, use Apache as a reverse proxy in front of Tomcat and automate the renewal there.
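When nothing renews a certificate for you (the Tomcat case above, or the roughly 100-day sslforfree certificates from step two), the one thing you must not lose track of is the expiry date. The script below is an added example, not part of the original post or of Certbot: it scans a directory of .crt/.pem files with openssl x509 -checkend, skips key and bundle files that are not certificates, and returns non-zero when something needs renewing so a cron job will mail you. It assumes the openssl CLI is installed and uses constructed self-signed certificates as sample data.

```shell
#!/bin/sh
# Added example (not from the original post): a renewal watchdog for certificates
# that nothing renews automatically (Tomcat, or the ~100-day sslforfree certs).
# Assumes the openssl CLI is installed. Point it at whatever directory holds
# your .crt/.pem files (e.g. the Tomcat folder) and run it from cron.

# cert_needs_renewal CERT DAYS: 0 if CERT expires within DAYS days (or already
# has), 1 if it is good for longer than that, 2 if CERT is not a certificate.
cert_needs_renewal() {
  openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2     # key file, bundle junk, etc.
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1 && return 1
  return 0
}

# cert_not_after CERT: the notAfter date, for the report line.
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# find_expiring DIR DAYS: print one line per certificate under DIR that needs
# renewal; returns 0 if any were found (so cron sends mail), 1 if all are fine.
find_expiring() {
  found=1
  for f in "$1"/*.crt "$1"/*.pem; do
    [ -f "$f" ] || continue
    cert_needs_renewal "$f" "$2" && rc=0 || rc=$?   # safe under set -e
    [ "$rc" -eq 0 ] || continue
    echo "$f expires $(cert_not_after "$f"), renew it"
    found=0
  done
  return $found
}

# Demo with constructed self-signed certs: one good for a year, one expiring tomorrow.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=long.example.com -days 365 \
  -keyout "$demo/long.key" -out "$demo/long.crt" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=short.example.com -days 1 \
  -keyout "$demo/short.key" -out "$demo/short.crt" >/dev/null 2>&1
find_expiring "$demo" 30 || echo "nothing within 30 days"
```

For a CA bundle file only the first certificate in it is checked, which is enough to notice an intermediate that is about to expire.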
Renew or revert back to HTTP
When you renew on www.sslforfree.com you may need to upload a file for ownership verification; they check the HTTP link, not HTTPS, so you may need to revert to plain HTTP communication temporarily.
Use the steps below to do this:
- remove the http to https redirect in .htaccess
- in /etc/httpd/conf/httpd.conf, change the DocumentRoot to the real folder of your website if you configured a subfolder for the virtual host in /etc/httpd/conf.d/ssl.conf
- restart Apache with the command
sudo service httpd restart