Installing lets-encrypt SSL certificate

Home > CentOS > CentOS 6.x > Apache web server configuration >> Installing lets-encrypt SSL certificate

More updated articles on this are available at:

• Rocky 9.x Installing lets-encrypt SSL certificate

Lets encrypt provides free automated SSL certificates. This is a service run by Internet Security Research Group (ISRG). Refer https://letsencrypt.org/about/

Obtaining certificates for apache

To obtain a lets-encrypt SSL certificate for your domain for apache web server on top of CentOS 7.0 follow these steps:

1. Install required packages and run cert-bot using:

   yum -y install epel-release
   yum -y install python2-certbot-apache
   certbot --apache

   This assumes use of httpd with one or more VirtualHost(s) in '/etc/httpd/conf/httpd.conf' or '/etc/httpd/conf.d/*.conf' files. You can choose to automatically create http to https redirect, if it is desired. That would only add following configuration to corresponding virtualhost

   RewriteEngine on
   RewriteCond %{SERVER_NAME} =mail.rekallsoftware.com
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

   The certificate information is created in '/etc/httpd/conf/httpd-le-ssl.conf'

2. If mod-ssl is installed then we need to remove line

   Include /etc/httpd/conf/httpd-le-ssl.conf

   from httpd.conf bottom and add it before first VirtualHost for _default in ssl.conf. This way all Listen 443 etc. configuration applies then lets-encrypt SSL certificates are configured and then only default certificates are used for other domains.

3. Restart web server

   systemctl restart httpd

   and test that configuration works by opening site in browser

4. Test that renewal would work properly. This is important as lets encrypt certificates are valid only for 90 days

   certbot renew --dry-run

5. Add 'certbot renew' to cron. It renews only when certificate is close to expiry. Website recommends running it twice daily, which might be an overkill. To run this once every week use:

   3 5 * * 0 certbot renew

   This would run 'certbot renew' command on 05:03 every Sunday. You should randomize hour and minute while taking above example configuration.

6. The above crontab only renews certificates. For automatic restart of various services after renewal, use below instead:

   3 5 * * 0 certbot renew; systemctl restart httpd; systemctl restart postfix; systemctl restart dovecot;

Refer:

• https://letsencrypt.org/getting-started/
• https://certbot.eff.org/lets-encrypt/centosrhel7-apache

Using obtained certificates for postfix

For configuring certificates in postfix after they have been created for use with apache:

1. Edit /etc/postfix/main.cf and add:

   smtpd_tls_cert_file = /etc/letsencrypt/live/mail.rekallsoftware.com/fullchain.pem
   smtpd_tls_key_file = /etc/letsencrypt/live/mail.rekallsoftware.com/privkey.pem
   smtpd_tls_security_level = may
   smtp_tls_security_level = may
   smtp_tls_note_starttls_offer = yes
   smtpd_tls_received_header = yes

   Here replace mail.rekallsoftware.com with your verified domain for postfix to use

2. systemctl restart postfix
3. systemctl status postfix
4. Optionally validate using:

   openssl s_client -connect mail.rekallsoftware.com:25 -servername mail.rekallsoftware.com -starttls smtp
   openssl s_client -connect mail.rekallsoftware.com:587 -servername mail.rekallsoftware.com -starttls smtp
   openssl s_client -connect mail.rekallsoftware.com:465 -servername mail.rekallsoftware.com -starttls smtp

   after replacing mail.rekallsoftware.com with desired domain name

Refer:

• https://www.namecheap.com/support/knowledgebase/article.aspx/9795/69/installing-and-configuring-ssl-on-postfixdovecot-mail-server
• https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/

Using obtained certificate in dovecot

If certificates are already downloaded using apache and the same should be configured for dovecot for POP3 and IMAP, then use:

1. Edit /etc/dovecot/conf.d/10-ssl.conf and set values as follows:

   ssl_cert = </etc/letsencrypt/live/mail.rekallsoftware.com/fullchain.pem
   ssl_key = </etc/letsencrypt/live/mail.rekallsoftware.com/privkey.pem
   ssl_protocols = !SSLv2 !SSLv3
   ssl_cipher_list = HIGH:!SSLv2:!aNULL@STRENGTH
   ssl_prefer_server_ciphers = yes

   after replacing mail.rekallsoftware.com with appropriate domain. Note that '<' before path is not a typing mistake. It is required.

2. systemctl restart dovecot
3. Validate certificate with

   openssl s_client -connect mail.rekallsoftware.com:993 -servername mail.rekallsoftware.com

   after replacing mail.rekallsoftware.com with appropriate name

Refer:

• https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921

Troubleshooting certbot issues

Renewal failure due to parse error

If 'certbot renew' fails with below error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/energyconservationclub.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 523, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/energyconservationclub.in/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/energyconservationclub.in.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

No renewals were attempted.

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/energyconservationclub.in.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)

Then use following steps:

1. systemctl stop httpd
2. certbot --apache
   1. Press enter to accept all existing sites
   2. Give 2 if automatic redirect to https is desired. If it was already set before nothing will go wrong.
3. systemctl start httpd
4. Test the sites

Note that the issue appears to be permanent. Now every 60-90 days the above steps might have to be followed. Updating certbot package did not seem to help.

Home > CentOS > CentOS 6.x > Apache web server configuration >> Installing lets-encrypt SSL certificate