Install Let’s Encrypt SSL With Apache Httpd on CentOS 7

Install the EPEL repository, then install Certbot for Let's Encrypt SSL

yum install epel-release -y
yum install certbot python2-certbot-apache mod_ssl -y
  • Create an SSL certificate for the domain web.rainui.cloud
certbot --apache -d web.rainui.cloud
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for web.rainui.cloud
Performing the following challenges:
http-01 challenge for web.rainui.cloud
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/web.rainui.cloud-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/web.rainui.cloud-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/web.rainui.cloud.conf to ssl vhost in /etc/httpd/conf.d/web.rainui.cloud-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://web.rainui.cloud
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.rainui.cloud/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.rainui.cloud/privkey.pem
   Your certificate will expire on 2022-01-07. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • Check the SSL certificate files in the /etc/letsencrypt/live/ directory
ls -l /etc/letsencrypt/live/
total 4
drwxr-xr-x. 2 root root  93 Oct  9 04:34 blog.rainui.cloud
-rw-r--r--. 1 root root 740 Oct  9 04:32 README
drwxr-xr-x. 2 root root  93 Oct  9 04:34 tes.rainui.cloud
drwxr-xr-x. 2 root root  93 Oct  9 04:32 web.rainui.cloud
  • Check the configuration files in the /etc/httpd/conf.d/ directory
ls -l /etc/httpd/conf.d/
total 60
-rw-r--r--. 1 root root  381 Oct  9 03:13 0default.conf
-rw-r--r--. 1 root root 2926 Nov 16  2020 autoindex.conf
-rw-r--r--. 1 root root  558 Oct  9 04:34 blog.rainui.cloud.conf
-rw-r--r--. 1 root root  722 Oct  9 04:34 blog.rainui.cloud-le-ssl.conf
-rw-r--r--. 1 root root 1252 Sep 21 12:32 php.conf
-rw-r--r--. 1 root root  366 Nov 16  2020 README
-rw-r--r--. 1 root root 9443 Nov 16  2020 ssl.conf
-rw-r--r--. 1 root root  549 Oct  9 05:06 tes.rainui.cloud.conf
-rw-r--r--. 1 root root  711 Oct  9 04:34 tes.rainui.cloud-le-ssl.conf
-rw-r--r--. 1 root root 1252 Nov 16  2020 userdir.conf
-rw-r--r--. 1 root root  553 Oct  9 04:32 web.rainui.cloud.conf
-rw-r--r--. 1 root root  715 Oct  9 04:32 web.rainui.cloud-le-ssl.conf
-rw-r--r--. 1 root root  824 Nov 16  2020 welcome.conf
  • Check the contents of web.rainui.cloud.conf: it has been modified, with a RewriteRule added to redirect HTTP to HTTPS
<VirtualHost *:80>
    ServerName web.rainui.cloud
    ServerAlias web.rainui.cloud
    ServerAdmin [email protected]
    DocumentRoot /var/www/web.rainui.cloud

    <Directory /var/www/web.rainui.cloud>
        Options -Indexes +FollowSymLinks
        DirectoryIndex index.php index.html
        AllowOverride All

        Header set Access-Control-Allow-Headers "ORIGIN, X-REQUESTED-WITH, CONTENT-TYPE"
        Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT, DELETE"
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Credentials true
        Header set X-XSS-Protection 1;mode=block
        Header set X-Frame-Options SAMEORIGIN
        Header set X-Content-Type-Options nosniff
        Header set Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
        Header set Referrer-Policy strict-origin-when-cross-origin
        Header set Access-Control-Max-Age 60000
    </Directory>

    ErrorLog /var/log/httpd/web.rainui.cloud-error.log
    CustomLog /var/log/httpd/web.rainui.cloud-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =web.rainui.cloud
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
  • Check the contents of web.rainui.cloud-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName web.rainui.cloud
    ServerAlias web.rainui.cloud
    ServerAdmin [email protected]
    DocumentRoot /var/www/web.rainui.cloud

    <Directory /var/www/web.rainui.cloud>
        Options -Indexes +FollowSymLinks
        DirectoryIndex index.php index.html
        AllowOverride All

        Header set Access-Control-Allow-Headers "ORIGIN, X-REQUESTED-WITH, CONTENT-TYPE"
        Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT, DELETE"
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Credentials true
        Header set X-XSS-Protection 1;mode=block
        Header set X-Frame-Options SAMEORIGIN
        Header set X-Content-Type-Options nosniff
        Header set Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
        Header set Referrer-Policy strict-origin-when-cross-origin
        Header set Access-Control-Max-Age 60000
    </Directory>

    ErrorLog /var/log/httpd/web.rainui.cloud-error.log
    CustomLog /var/log/httpd/web.rainui.cloud-access.log combined
SSLCertificateFile /etc/letsencrypt/live/web.rainui.cloud/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web.rainui.cloud/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/web.rainui.cloud/chain.pem
</VirtualHost>
</IfModule>
  • Open the domain web.rainui.cloud in a browser; it is now served over HTTPS
  • Enable SSL renewal by scheduling it as a cron job; test renewal first with a dry run
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/blog.rainui.cloud.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Simulating renewal of an existing certificate for blog.rainui.cloud
Performing the following challenges:
http-01 challenge for blog.rainui.cloud
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/blog.rainui.cloud/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/web.rainui.cloud.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for web.rainui.cloud
Performing the following challenges:
http-01 challenge for web.rainui.cloud
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/web.rainui.cloud/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/blog.rainui.cloud/fullchain.pem (success)
  /etc/letsencrypt/live/web.rainui.cloud/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • Cron job
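crontab -e
# Runs at 00:00 and 12:00. A crontab edited with "crontab -e" has no user field, and "*" in the minute field would run the job every minute of those hours.
0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1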

service crond reload
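
The two vhost files shown above send CORS and HSTS headers that are worth checking before relying on them. The script below is an added example, not part of the original post or of Certbot; it flags HSTS sent from the port-80 vhost, a preload directive with max-age under one year, and a wildcard Access-Control-Allow-Origin combined with credentials. The function names and finding codes are made up for this example, and the sample input is a constructed, trimmed copy of the port-80 vhost.

```shell
#!/bin/sh
# Added example (not from the original post): audit Apache vhost text for
# three header problems. Finding codes such as HSTS_ON_HTTP are made up here.
# Reads the files given as arguments, or stdin when there are none.
audit_vhost() {
    awk '
        # Remember the port of the <VirtualHost> block being read.
        /<VirtualHost / { port = $0; sub(/.*:/, "", port); sub(/>.*/, "", port) }
        /Access-Control-Allow-Origin/ && /"\*"/      { wildcard = 1 }
        /Access-Control-Allow-Credentials/ && /true/ { creds = 1 }
        /Strict-Transport-Security/ {
            # Browsers only honour HSTS received over HTTPS (RFC 6797).
            if (port == "80")
                print "HSTS_ON_HTTP: header on port 80 is ignored by browsers"
            age = $0; sub(/.*max-age=/, "", age); sub(/[^0-9].*/, "", age)
            # The HSTS preload list requires max-age of at least one year.
            if ($0 ~ /preload/ && age + 0 < 31536000)
                print "HSTS_PRELOAD_AGE: preload needs max-age>=31536000, found " age
        }
        /<\/VirtualHost>/ {
            # Browsers reject credentialed CORS responses with a wildcard origin.
            if (wildcard && creds)
                print "CORS_WILDCARD_CREDS: origin * with credentials on port " port
            wildcard = 0; creds = 0
        }
    ' "$@"
}

# Constructed sample: a trimmed copy of the port-80 vhost shown in the post.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName web.rainui.cloud
    <Directory /var/www/web.rainui.cloud>
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Credentials true
        Header set Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
    </Directory>
</VirtualHost>
EOF
}

sample_vhost | audit_vhost
```

On the server, pass the real files instead of the sample: audit_vhost /etc/httpd/conf.d/web.rainui.cloud.conf /etc/httpd/conf.d/web.rainui.cloud-le-ssl.conf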

herdiana3389
