Notes on setting up letsencrypt

Clone repository
Setup letsencrypt
Generate certificates
Update web server configuration

Below are some notes from setting it up on two different systems: Centos 6.7 with Apache, and Centos 7 with Nginx and Varnish.

Centos 6.7 with Apache

Clone the repo, then run:
Initial setup (the first run bootstraps the client's own Python environment): ./letsencrypt-auto --help
Obtain the certificate and let the client configure Apache: ./letsencrypt-auto --apache

Issues

Checking for new version...
Creating virtual environment...
./letsencrypt-auto: line 455: virtualenv: command not found

To fix this, install the missing dependencies (for more info see: https://geekflare.com/virtualenv-command-not-found-centos6/):

yum install centos-release-SCL
yum update
yum install scl-utils python27 python27-scldevel
scl enable python27 bash

Now we should be able to generate the keys by running:
./letsencrypt-auto --apache

Note: the packages stay installed, so for future runs (renewals, for example) we only need to run scl enable python27 bash before invoking ./letsencrypt-auto again.

If it succeeds, the client prints where the certificates were stored. By default they are under:

/etc/letsencrypt/live/[your-full-url]/fullchain.pem

with cert.pem, chain.pem and privkey.pem in the same directory. Those files are symlinks into /etc/letsencrypt/archive/ that are re-pointed on every renewal, so reference them by the live/ path in the web server configuration rather than copying them elsewhere.

So now we can update the Apache vhost with:

<VirtualHost *:443>
    SSLEngine on
    # cert.pem is the leaf certificate, chain.pem the intermediate.
    # On httpd 2.4.8 and later SSLCertificateChainFile is obsolete and
    # fullchain.pem goes in SSLCertificateFile instead; Centos 6 ships
    # httpd 2.2, so the three-file form below is the right one here.
    SSLCertificateFile /etc/letsencrypt/live/blog.pavlakis.info/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/blog.pavlakis.info/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/blog.pavlakis.info/chain.pem
</VirtualHost>

If SSL is not working correctly, the following steps may help:

  • Make sure ssl.conf (or the equivalent section in httpd.conf) is actually included
  • Remove the example _default_:443 VirtualHost from ssl.conf; it uses the self-signed localhost certificate and competes with the new vhost for port 443
  • If the port does not seem reachable, check whether anything is listening on it with: netstat -nlt
  • It may need to be opened in iptables, although often Apache is simply not listening on 443 (no Listen 443 directive)
  • Failed to connect to host for DVSNI challenge: the name passed to the client had to be the full hostname the DNS record points at, not a shortened form

If you get the warning "_default_ VirtualHost overlap on port 443, the first has precedence", Apache 2.2 is seeing more than one VirtualHost on port 443 (typically the stock _default_:443 example in ssl.conf plus the new one) without name-based matching enabled for that port. Enable it in conf.d/ssl.conf:

conf.d/ssl.conf
NameVirtualHost *:443
Listen 443

and make sure the new vhost carries a ServerName matching the certificate, since with name-based matching the vhost is selected by that name.

Once that is working, redirect plain HTTP (port 80) to HTTPS. Redirect sends a 302 by default; use Redirect permanent for a 301 once the HTTPS setup is known good:

<VirtualHost *:80>
    Redirect / https://blog.pavlakis.info/
</VirtualHost>

Centos 7 with Nginx and Varnish

Clone the repo, then run:
Initial setup (the first run bootstraps the client's own Python environment): ./letsencrypt-auto --help

./letsencrypt-auto certonly -a webroot --webroot-path=/srv/public -d phpminds.org -d www.phpminds.org

The webroot method writes the challenge files under /srv/public/.well-known/acme-challenge/, so /srv/public must be the document root that answers for those hostnames on port 80 (through Varnish here).

In the nginx configuration (e.g. /etc/nginx/sites-available/default.conf), add a server block that redirects plain HTTP to HTTPS. Because Varnish sits in front on port 80, nginx listens on 8080 for the traffic Varnish forwards:

server {
        listen 8080;

        server_name phpminds.org www.phpminds.org;

        return 301 https://$host$request_uri;
}

And a second server block with everything else. Port 8080 is already owned by the redirect block above for these names (nginx ignores a second server with the same server_name on the same port and logs "conflicting server name"), so this block only needs to listen on 443. It must also serve /srv/public as its root, because the redirect sends the ACME challenge requests here and Let's Encrypt follows that redirect.

server {
        # The redirect block above already listens on 8080 for these names;
        # a second "listen 8080;" here would be ignored by nginx with a
        # "conflicting server name" warning, so only 443 is needed.
        # listen 8080;

        server_name phpminds.org www.phpminds.org;

        # default_server is the current spelling of the old "default" flag.
        listen 443 ssl default_server;

        # fullchain.pem (leaf + intermediate) is what nginx needs here;
        # cert.pem alone leaves many clients with an incomplete chain.
        ssl_certificate /etc/letsencrypt/live/phpminds.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/phpminds.org/privkey.pem;

…

        location / {
            try_files $uri $uri/ /index.php?$query_string;
            # These headers only reach a backend together with a proxy_pass
            # (part of the elided configuration). They tell the application
            # behind Varnish that the original request arrived over HTTPS,
            # so it generates https:// links and secure cookies.
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }
}

If SSL is still not working, first check whether the web server is listening on port 443:
netstat -nlt

If 443 is not listed, the problem is in the web server configuration (run nginx -t to catch syntax errors). Otherwise check whether HTTPS is reachable from the server itself:
curl -I https://phpminds.org

If it is accessible internally but not externally, open the port in the firewall. On Centos 6 (iptables service):

iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
service iptables save
service iptables restart

Note the -I (insert at the top of the chain) rather than -A: the stock Centos 6 ruleset ends with a REJECT rule, so a rule appended after it never matches. Check the order with iptables -L INPUT -n --line-numbers.

OR, on Centos 7 (firewalld is the default there; the iptables commands above need the iptables-services package):

firewall-cmd --add-port=443/tcp
firewall-cmd --permanent --add-port=443/tcp

As we are running Varnish, restart both services after changing the configuration: nginx needs the restart (or a reload) to load the new certificate, and Varnish to pick up any backend change. Run nginx -t first so that a broken configuration does not take the site down:

systemctl restart nginx.service
systemctl restart varnish.service

Certificate Renewals

Certificates are only valid for 90 days, so renewal has to be scheduled rather than done by hand. Check out Cal Evans' post on automating the renewal process:
https://blog.calevans.com/2016/02/22/how-i-got-lets-encrypt-setup-and-operating/
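The checks the notes do by hand (netstat -nlt, curl -I, restarting both services after a change) and the 90-day renewal above can be scripted. The following is an added example written for these notes, not code from the original post or from the Let's Encrypt client. It assumes the default /etc/letsencrypt/live/<domain>/ layout, openssl plus ss or netstat on the host, and a client version that has the renew subcommand; the STACK and LE_CMD variables are placeholders of this example (on the Centos 6 box set LE_CMD to "scl enable python27 -- ./letsencrypt-auto" so the client runs under the SCL Python).

```shell
#!/bin/sh
# Added example for these notes (not the original post's code): verify a
# Let's Encrypt deployment and renew when the certificate is close to expiry.
# Assumptions: default /etc/letsencrypt/live/<domain>/ layout, openssl plus
# ss or netstat on the host, and a client that supports "renew".
set -eu

LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"
STACK="${STACK:-nginx}"                     # nginx (with Varnish) or apache
LE_CMD="${LE_CMD:-./letsencrypt-auto}"      # Centos 6: "scl enable python27 -- ./letsencrypt-auto"
RENEW_DAYS="${RENEW_DAYS:-30}"              # renew when fewer days than this remain

# Succeeds when the certificate in $1 expires within $2 days. openssl's own
# -checkend does the date arithmetic, so no date(1) parsing is needed.
cert_needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1    # still valid beyond the threshold
    fi
    return 0
}

# Succeeds when the private key in $2 belongs to the certificate in $1.
# A mismatched pair makes mod_ssl/nginx refuse to start after a bad renewal.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of the first certificate in PEM file $1 (the leaf in fullchain.pem).
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate the live server presents for $1 on 443.
# -servername sends SNI so the right vhost answers. Comparing it with the file
# on disk catches a renewed certificate that was never loaded (no restart).
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when something listens on TCP port $1 (the netstat -nlt check from the notes).
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -nlt | awk '{print $4}' | grep -q ":$1\$"
    else
        netstat -nlt | awk '{print $4}' | grep -q ":$1\$"
    fi
}

# Restart whatever serves the certificate; config test first so a broken
# configuration is never loaded.
reload_stack() {
    case "$STACK" in
        nginx)  nginx -t && systemctl restart nginx.service && systemctl restart varnish.service ;;
        apache) service httpd configtest && service httpd restart ;;
        *)      echo "unknown STACK: $STACK" >&2; return 1 ;;
    esac
}

# Usage: lecheck.sh check DOMAIN   (after setup)  |  lecheck.sh renew DOMAIN   (from cron)
case "${1:-}" in
    check)
        domain="${2:?domain required}"; live="$LIVE_ROOT/$domain"
        key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" \
            || { echo "key/cert mismatch in $live" >&2; exit 1; }
        port_listening 443 || { echo "nothing listening on 443" >&2; exit 1; }
        [ "$(served_fingerprint "$domain")" = "$(file_fingerprint "$live/fullchain.pem")" ] \
            || { echo "$domain serves a different certificate than $live (restart needed?)" >&2; exit 1; }
        echo "ok: $domain"
        ;;
    renew)
        domain="${2:?domain required}"; live="$LIVE_ROOT/$domain"
        if cert_needs_renewal "$live/fullchain.pem" "$RENEW_DAYS"; then
            $LE_CMD renew && reload_stack
        fi
        ;;
esac
```

Run "lecheck.sh check phpminds.org" once after the configuration above is in place, and "lecheck.sh renew phpminds.org" daily from cron; the renew path only calls the client when fewer than RENEW_DAYS remain, and only restarts the services after a successful renewal.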