Using Let's Encrypt to get an SSL certificate - CentOS 7
To support HTTPS, install certbot, the client for Let's Encrypt, which issues SSL certificates for free.
sudo yum -y install epel-release
sudo yum -y install certbot python-certbot-apache
Let's encrypt requires a web server to obtain a certificate
Let's Encrypt issues an SSL certificate after verifying, over an HTTP connection, that you control the web server for the domain.
Therefore, you need a web server that listens for HTTP connections.
Install Apache as your web server.
HTTPS connections require mod_ssl, so install mod_ssl as well.
As a common server configuration, consider the case where Apache acts as a reverse proxy.
Put the following in /etc/httpd/conf.d/vhost.conf so that Apache receives requests for "www.mydomain.example" on the default HTTP port 80 and forwards them to the application server listening on port 10000 behind it.
<VirtualHost *:80>
    ServerName www.mydomain.example
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:10000/ keepalive=On
    ProxyPassReverse / http://localhost:10000/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
We do not configure the loading of the SSL certificate at this point, because it does not exist yet.
After saving the configuration, restart Apache, open "http://www.mydomain.example" and confirm that you can connect. Before restarting, it is a good idea to check that the Apache configuration file is syntactically correct.
Here is a simple example of a web application started with Mojolicious; this is the application server the reverse proxy above forwards to.
# myapp.pl - minimal Mojolicious::Lite application
use Mojolicious::Lite;

# start the application with whatever server runs this script (hypnotoad below)
app->start;
Start it with hypnotoad:
hypnotoad myapp.pl
The default port of the Mojolicious hypnotoad server is 10000; to use a different port number, edit "hypnotoad.conf".
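The following script is an added example, not code from the original article or from the Mojolicious project. It lints the reverse-proxy vhost for directives that a plain syntax check does not enforce, runs the syntax check, restarts httpd and confirms that the port 80 listener answers for the domain. It assumes httpd and mod_ssl are already installed, and takes the file path, hostname and backend port from the article (/etc/httpd/conf.d/vhost.conf, www.mydomain.example, localhost:10000); the function names and the list of checks are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: pre-flight checks for the
# reverse-proxy vhost above, then a restart and a connectivity check.
# The file path, hostname and backend port follow the article
# (/etc/httpd/conf.d/vhost.conf, www.mydomain.example, localhost:10000);
# the function names and the check list are this example's own assumptions.
set -u

# Lint the vhost for directives that "apachectl configtest" does not enforce
# (it only checks syntax). Prints each problem; returns non-zero if any.
vhost_lint() {
  local file="$1" problems=0
  # Without "ProxyRequests Off", "<Proxy *> Require all granted" would make
  # Apache an open forward proxy that anyone on the Internet can relay through.
  if ! grep -qiE '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$file"; then
    echo "$file: missing 'ProxyRequests Off' (open forward proxy risk)"
    problems=$((problems + 1))
  fi
  # ProxyPassReverse rewrites Location headers sent by the backend; without it
  # a redirect from the app would point browsers at localhost:10000.
  if ! grep -qiE '^[[:space:]]*ProxyPassReverse[[:space:]]+/' "$file"; then
    echo "$file: missing ProxyPassReverse"
    problems=$((problems + 1))
  fi
  # ProxyPreserveHost On passes the public hostname through to the backend.
  if ! grep -qiE '^[[:space:]]*ProxyPreserveHost[[:space:]]+On' "$file"; then
    echo "$file: missing 'ProxyPreserveHost On'"
    problems=$((problems + 1))
  fi
  # certbot's apache plugin selects the vhost to modify by its ServerName.
  if ! grep -qiE '^[[:space:]]*ServerName[[:space:]]+[^[:space:]]+' "$file"; then
    echo "$file: missing ServerName"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Syntax-check, restart httpd and request the site through the local listener.
# The Host header selects the vhost even before DNS points at this machine.
deploy_vhost() {
  local file="$1" domain="$2" code
  vhost_lint "$file" || return 1
  sudo apachectl configtest || return 1
  sudo systemctl restart httpd || return 1
  code=$(curl -s -o /dev/null -w '%{http_code}' -H "Host: $domain" http://127.0.0.1/)
  echo "GET http://$domain/ via 127.0.0.1 -> HTTP $code"
  # A 404 from the minimal Mojolicious app still proves the proxy path works;
  # 502/503 means Apache could not reach the backend on port 10000.
  case "$code" in
    2*|3*|404) return 0 ;;
    *)         return 1 ;;
  esac
}

# Stand-alone use: ./check_vhost.sh --deploy
if [ "${1:-}" = "--deploy" ]; then
  deploy_vhost /etc/httpd/conf.d/vhost.conf www.mydomain.example
fi
```

The `ProxyRequests Off` check matters most: with `<Proxy *> Require all granted` and forward proxying enabled, the server would relay arbitrary requests for anyone, which is a classic misconfiguration that shows up quickly in abuse scanners. The `X-Forwarded-Proto "https"` header in the port 80 vhost only becomes accurate once certbot has added the redirect, since from then on real traffic reaches the backend through the HTTPS vhost that certbot derives from this one.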
Obtain an SSL certificate
Use certbot to obtain the SSL certificate; with the apache plugin it also adds the HTTPS configuration to Apache automatically.
sudo certbot run --apache -d www.mydomain.example
You will first be asked for your email address. Type it in and press Enter.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
Next, you will be asked whether you agree to the Terms of Service; press 'A' and Enter.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
When asked whether you want to share your email address with the Electronic Frontier Foundation, press 'Y' or 'N' and Enter.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
You will be asked whether to redirect HTTP to HTTPS; choose "2" (Redirect).
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Finally, some important notes are displayed and the process ends.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/quote-app.dev-winckler-yokohama.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/quote-app.dev-winckler-yokohama.com/privkey.pem
   Your cert will expire on 2020-04-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again.
   To non-interactively renew *all* of your certificates, run "certbot renew".
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The SSL certificate is stored under the following directory:
/etc/letsencrypt/live
Listing it shows a separate subdirectory for each domain.
sudo ls /etc/letsencrypt/live
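The following script is an added example, not code from the original article or from the certbot project. It covers the two follow-ups the notes above leave to the administrator: confirming that the "Redirect" choice actually sends plain-HTTP visitors to HTTPS, and keeping an eye on the expiry date so that "certbot renew" is known to work before the 90-day certificate lapses. The hostname follows the article (www.mydomain.example); the function names, the constructed sample headers and the 30-day threshold used in the stand-alone section are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: checks to run after
# certbot finishes, covering the HTTP-to-HTTPS redirect chosen above and the
# expiry date of the certificate under /etc/letsencrypt/live. The hostname
# follows the article (www.mydomain.example); function names and sample data
# are assumptions made for this example.
set -u

# Whole days from NOW (default: the current time) until an expiry date in the
# format "openssl x509 -enddate" prints, e.g. "Apr 16 12:00:00 2020 GMT".
# Relies on GNU date, which CentOS 7 ships.
days_until() {
  local expiry="$1" now="${2:-now}" end_s now_s
  end_s=$(date -u -d "$expiry" +%s) || return 1
  now_s=$(date -u -d "$now" +%s) || return 1
  echo $(( (end_s - now_s) / 86400 ))
}

# Days left on the certificate HOST actually serves on port 443 (SNI-aware).
# Checking the served certificate, not the file on disk, also catches a
# renewed certificate that Apache was never reloaded to pick up.
cert_days_left() {
  local host="$1" enddate
  enddate=$(echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
              | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
  [ -n "$enddate" ] || return 1
  days_until "$enddate"
}

# Given the raw response headers of a plain-HTTP request to HOST, succeed only
# when the server redirects to the HTTPS version of the same host, i.e. the
# "2: Redirect" choice took effect.
check_redirect_headers() {
  local host="$1" headers="$2" status location
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | tr -d '\r' \
               | awk 'tolower($1) == "location:" { print $2; exit }')
  case "$status" in
    301|302|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    "https://$host/"*|"https://$host") return 0 ;;
    *) return 1 ;;
  esac
}

http_redirects_to_https() {
  local host="$1" headers
  headers=$(curl -sI "http://$host/") || return 1
  check_redirect_headers "$host" "$headers"
}

# Stand-alone use: ./check_site.sh www.mydomain.example
if [ -n "${1:-}" ]; then
  host="$1"
  if http_redirects_to_https "$host"; then
    echo "http://$host/ redirects to HTTPS"
  else
    echo "WARNING: http://$host/ does not redirect to https://$host/"
  fi
  if left=$(cert_days_left "$host"); then
    echo "certificate served by $host expires in $left days"
    # "certbot renew" only renews certificates within 30 days of expiry, so
    # below that threshold exercise the renewal path without changing anything:
    [ "$left" -lt 30 ] && echo "try: sudo certbot renew --dry-run"
  fi
fi
```

Running the script from cron alongside "certbot renew" gives an early warning if renewal stops working, for example because the port 80 vhost was changed and the HTTP validation can no longer reach Apache; the redirect check also guards against a later configuration edit that silently restores plain HTTP access.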