Author Topic: Short Let's Encrypt guide on CentOS 6.x  (Read 21814 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Short Let's Encrypt guide on CentOS 6.x
« on: January 02, 2016, 12:38:29 PM »
This is a short guide to get Let's Encrypt setup and issue a certificate. This assumes you've used CWP to assign a self generated certificate to the domain(s) in question so that Apache is already setup to serve it via SSL. After the certificate is issued, you'll create a crontab to run every 30 days as the root user to renew the certificate(s) and copy the files to keep everything up-to-date.

!!! NOTE : IF YOU WANT TO INSTALL PYTHON 2.7 ALONGSIDE PYTHON 2.6 AND NOT HAVE TO WORRY ABOUT THE EPEL REPO THEN FOLLOW THE INSTRUCTIONS HERE : https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190 : ETON !!!

To get everything setup for Let's Encrypt you'll need to install a few things since CentOS 6 is using an old version of Python and we're missing some modules. Let's Encrypt does not like the Python 2.6 version included with this version of CentOS but it will still run.
Code: [Select]
yum install epel-release -y
!!! NOTE : IF YOU WANT TO INSTALL PYTHON 2.7 ALONGSIDE PYTHON 2.6 AND NOT HAVE TO WORRY ABOUT THE EPEL REPO THEN FOLLOW THE INSTRUCTIONS HERE : https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190 : ETON !!!

After the EPEL repo is installed you'll need to checkout the Let's Encrypt client.
Code: [Select]
cd /root && git clone https://github.com/letsencrypt/letsencrypt
Now let's get the certificate(s) we need and copy all the files over to their respective directories. This command will use the public_html folder of the domain in question to verify everything is legitimate, so change the info as required so it can check in with your domain and verify it before providing the certificate. You also need to provide a valid email address for recovery purposes later on if it's ever required.
Code: [Select]
cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email your@email.com --agree-tos --renew-by-default --webroot  -w /home/www.domain.com/public_html/ -d www.domain.com && cp -f /etc/letsencrypt/live/www.domain.com/fullchain.pem /etc/pki/tls/certs/www.domain.com.crt && cp -f /etc/letsencrypt/live/www.domain.com/privkey.pem /etc/pki/tls/private/www.domain.com.key && cp -f /etc/letsencrypt/live/www.domain.com/chain.pem /etc/pki/tls/certs/www.domain.com.bundle
After that has run successfully you can verify now that the certificate on your server has changed from unsigned to signed and it won't prompt you to bypass the security risk.

For automatic updates of the certificate from Let's Encrypt you'll need to do the following (as the root account still) and change everything to match your domain. The command itself is the same as the one used to retrieve the cert above so you can paste it after the "01 3 1 * *" part to save time :
Code: [Select]
Edit the crontab with "crontab -e", press "i" to enter "Insert Mode" and then paste this :

01 3 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email your@email.com --agree-tos --renew-by-default --webroot  -w /home/www.domain.com/public_html/ -d www.domain.com && cp -f /etc/letsencrypt/live/www.domain.com/fullchain.pem /etc/pki/tls/certs/www.domain.com.crt && cp -f /etc/letsencrypt/live/www.domain.com/privkey.pem /etc/pki/tls/private/www.domain.com.key && cp -f /etc/letsencrypt/live/www.domain.com/chain.pem /etc/pki/tls/certs/www.domain.com.bundle

Press Ctrl+C and then :wq! followed by enter.

Please let me know if you run in to any issues or any of the above commands are mis-typed or incorrect for whatever reason. They worked successfully on my CentOS 6.7 VPS just a few hours ago.
« Last Edit: January 02, 2016, 12:42:47 PM by brandon »

Offline
*
Re: Short Let's Encrypt guide on CentOS 6.x
« Reply #1 on: March 14, 2016, 10:40:23 AM »
I wasn't able to install Let's encrypt using this guide. I don't know why but I had to update .key .csr and .bundle files manually and still, it appears that the connection is not secure. Anyone managed to get it working?

Offline
*
Re: Short Let's Encrypt guide on CentOS 6.x
« Reply #2 on: April 10, 2016, 09:11:56 AM »
I had to install virtualenv too with
Code: [Select]
pip install virtualenvthen I've added some more subdomains I needed to the cert, like this
Code: [Select]
./letsencrypt-auto certonly --email 'email@domain.com' --agree-tos --renew-by-default --webroot  --webroot-path '/home/domain/public_html/' -d domain.com -d www.domain.com -d other.domain.com
the problem I still have is how to get a cert for the subdomain of my cwp installation, it doesn't have it's website so letsencrypt says
Code: [Select]
Domain:cwp-domain.com
   Type:   unauthorized
   Detail: Invalid response from http://cwp.domain.com/.well-known/acme-challenge/jhdajkshdLasdasdasdsdgdhfghfghd
   [theIP]: 404

if I set cwp.domain.com as a subdomain letsencrypt works but I can't use anymore cwp.domain.com/roundcube, phpMyAdmin and so on
« Last Edit: April 10, 2016, 09:22:12 AM by banane »

Offline
*
Re: Short Let's Encrypt guide on CentOS 6.x
« Reply #3 on: April 14, 2016, 05:14:24 PM »
a little mistake in the process of getting certificate:

not
cp -f /etc/letsencrypt/live/www.domain.com/fullchain.pem /etc/pki/tls/certs/www.domain.com.crt
but
cp -f /etc/letsencrypt/live/www.domain.com/fullchain.pem /etc/pki/tls/certs/www.domain.com.cert

or  you'll get:
Starting httpd: Syntax error on line 13 of /usr/local/apache/conf.d/vhosts-ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/www.domain.com.cert' does not exist or is empty
                                                           [FAILED]

true for:
CWP version: 0.9.8.12
CentOS release 6.7
« Last Edit: April 22, 2016, 01:08:31 AM by CadaverziaN »

Offline
*
Re: Short Let's Encrypt guide on CentOS 6.x
« Reply #4 on: April 20, 2016, 07:03:49 AM »
I did play around with the letsencrypt SSL few days ago, taking me quite some times to get it installed.

First, you must make sure you have at least the Python v2.7.x or above, and also the virtualenv installed.

Install the letsencrypt.
Quote
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto

And if you get the following error, please refer to the link, https://www.digitalocean.com/community/tutorials/how-to-set-up-python-2-7-6-and-3-3-3-on-centos-6-4, to get the virtualenv installed.
Quote
virtualenv: command not found

In fact, I still got the error (not virtualenv error, could not remember thou) when running ./letsencrypt-auto command. So, I did in manual method to generate the SSL.
Quote
./letsencrypt-auto certonly --webroot -w /home/your_domain/public_html -d your_domain.com -d www.your_domain.com

Then,  copy the SSL into /etc/pki/tls directory.
Quote
cp -f /etc/letsencrypt/live/your_domain/cert.pem /etc/pki/tls/certs/your_domain.cert
cp -f /etc/letsencrypt/live/your_domain/fullchain.pem /etc/pki/tls/certs/your_domain.bundle
cp -f /etc/letsencrypt/live/your_domain/privkey.pem /etc/pki/tls/certs/your_domain.key

At your CWP, go to Apache settings >> SSL cert manager, on your right hand side form, choose the cert, user & enter your domain; then install SSL. Done.

Note: Make sure you have the 443 port open in firewall & listen to port 443.

You may test the score of SSL cert at https://www.ssllabs.com/ssltest.
At the beginning, I got the score C and after did some researches, I added the following lines onto this file /usr/local/apache/conf.d/vhosts-ssl.conf.
Quote
....
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
....
Restart the apache.

I got the score A now.  ;D Hope this guide will help you. Cheer.
« Last Edit: May 08, 2016, 01:43:15 PM by infinitech07 »

Offline
*
Re: Short Let's Encrypt guide on CentOS 6.x
« Reply #5 on: August 03, 2016, 08:46:05 AM »
hello i got this issue.
i wanna install lets encrypt for my cwp
Code: [Select]
[?1034hFailed authorization procedure. panel.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://panel.mydomain.com/.well-known/acme-challenge/wytHeT21cuvjuvor3gKCu4LMcFDb2MU0oXYL6o6EhPI
where is the webroot path for cwp?

thank you

Offline
*
Re: Short Let's Encrypt guide on CentOS 6.x
« Reply #6 on: August 03, 2016, 12:32:53 PM »
hello i got this issue.
i wanna install lets encrypt for my cwp
Code: [Select]
[?1034hFailed authorization procedure. panel.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://panel.mydomain.com/.well-known/acme-challenge/wytHeT21cuvjuvor3gKCu4LMcFDb2MU0oXYL6o6EhPI
where is the webroot path for cwp?

thank you

make sure that your domain is pointed on the correct server and correct folder or it will not work.
AntiDDoS Protection (web + mail)
http://centos-webpanel.com/website-ddos-protection-proxy

Join our Development Team and get paid !
http://centos-webpanel.com/develope-modules-for-cwp


Services Monitoring & RBL Monitoring
http://centos-webpanel.com/services-monitor


Do you need Fast and FREE Support included for your CWP linux server?
http://centos-webpanel.com/noc-partner-list
Installation Instructions
http://centos-webpanel.com/installation-instructions
Get Fast Support Here
http://centos-webpanel.com/support-services

Offline
*
Re: Short Let's Encrypt guide on CentOS 6.x
« Reply #7 on: August 10, 2016, 07:59:53 PM »
hello i got this issue.
i wanna install lets encrypt for my cwp
Code: [Select]
[?1034hFailed authorization procedure. panel.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://panel.mydomain.com/.well-known/acme-challenge/wytHeT21cuvjuvor3gKCu4LMcFDb2MU0oXYL6o6EhPI
where is the webroot path for cwp?

thank you

make sure that your domain is pointed on the correct server and correct folder or it will not work.

that domain is pointed correctly i can access CWP using that domain. but i need information, where is the webroot path for cwp?
like public_html for user's