Setting up Let's Encrypt on the new penguin server
I used the certbot program, as recommended by the Let’s Encrypt web site.
Run using the certonly command:
[root@fenoras2 ~]# certbot certonly --webroot -w /var/www/html -d hvdc.fe100.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hvdc.fe100.net
http-01 challenge for hvdc.l5.ca
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hvdc.fe100.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hvdc.fe100.net/privkey.pem
   Your cert will expire on 2019-01-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
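The webroot authenticator only works if the directory given to -w is the one httpd really serves at /.well-known/acme-challenge/ over plain HTTP; otherwise the validator gets a 404 and the order fails. The following pre-flight check is an added example (not part of these notes, and not certbot's own code): it writes a random token where certbot would, fetches it back through the web server, and reports whether the round trip succeeds. The demo() scenario with a throw-away local http.server is constructed; the URL hvdc.fe100.net in the comment is the one from the command above.

```python
"""Pre-flight check for certbot's webroot (http-01) authenticator.

Added example, not part of the original notes or of certbot.  certbot
--webroot writes a token file under <webroot>/.well-known/acme-challenge/
and the Let's Encrypt validator fetches it over plain HTTP on port 80.  If
the -w path is not the directory httpd actually serves, or a rewrite rule
swallows /.well-known/, the order fails with a 404 that is only visible in
the ACME error.  probe_webroot() reproduces the round trip so the mistake
shows up before the order is placed.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"


def probe_webroot(webroot, base_url, timeout=5.0):
    """Write a random token into <webroot>/.well-known/acme-challenge/,
    fetch it through <base_url> and return True only if the body comes back
    unchanged (status 200, same bytes).  The token is removed afterwards,
    mirroring certbot's own "Cleaning up challenges" step."""
    token = secrets.token_urlsafe(32)
    expected = secrets.token_urlsafe(32).encode()
    challenge_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    token_file = os.path.join(challenge_dir, token)
    with open(token_file, "wb") as fh:
        fh.write(expected)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read() == expected
    except OSError:          # 404, connection refused, timeout, DNS failure
        return False
    finally:
        os.remove(token_file)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request stderr logging."""

    def log_message(self, format, *args):
        pass


def serve_directory(root):
    """Serve ROOT on an ephemeral 127.0.0.1 port in a background thread.
    Stands in for httpd with DocumentRoot /var/www/html in the demo."""
    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Constructed scenario: one probe with -w matching the served
    directory, one with -w pointing at a directory the server does not
    serve.  Returns (True, False)."""
    with tempfile.TemporaryDirectory() as docroot, \
            tempfile.TemporaryDirectory() as elsewhere:
        server, base_url = serve_directory(docroot)
        try:
            right = probe_webroot(docroot, base_url)
            wrong = probe_webroot(elsewhere, base_url)
        finally:
            server.shutdown()
            server.server_close()
    return right, wrong


if __name__ == "__main__":
    # Against the real host this would be, e.g.:
    #   probe_webroot("/var/www/html", "http://hvdc.fe100.net")
    print(demo())
```

Run it on the server itself with the public hostname (not 127.0.0.1) so that the router's port-80 forwarding and any name-based virtual host selection are exercised the same way the Let's Encrypt validator will exercise them; a False result with a correct -w path usually means port 80 is not reaching httpd or a rewrite is redirecting /.well-known/.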
Forward traffic on port 443 to penguin
I set up my Shaw router/firewall/switch/gateway/WiFi device to forward traffic on port 443 from the internet at large to penguin. (For now, it’s going to fenoras2 on 192.168.1.21.)
Allow HTTPS traffic through the firewall
By default, the firewall on the server denies traffic on port 443, so it's necessary to enable it:
firewall-cmd --zone=public --permanent --add-service=https
(With --permanent the rule is written to the saved configuration but does not apply to the running firewall until firewall-cmd --reload is run.)
Configure httpd to accept HTTPS traffic
Contents of /etc/httpd/ssl.conf:
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost *:443>

ServerName hvdc.l5.ca

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

# SSLProtocol and SSLCipherSuite as recommended by Let's Encrypt
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:\
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:\
ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:\
DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\
AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLCertificateFile /etc/letsencrypt/live/hvdc.l5.ca/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hvdc.l5.ca/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/hvdc.l5.ca/chain.pem

#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#SSLVerifyClient require
#SSLVerifyDepth  10

#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# (after Let's Encrypt)
LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
CustomLog logs/ssl_request_log_renyamon-l5-ca vhost_combined

</VirtualHost>

<VirtualHost *:443>
ServerName hvdc.l5.ca
# (... see hvdc.fe100.net above)
</VirtualHost>
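The SSLCipherSuite list above still allows static-RSA key exchange, CBC-mode suites and 3DES, and SSLProtocol all -SSLv2 -SSLv3 still permits TLS 1.0 and 1.1; the vhost_combined LogFormat records exactly the two fields needed to see whether any real client depends on them. The script below is an added example (not from these notes, nor from Apache or Let's Encrypt tooling): it classifies every suite name in the SSLCipherSuite value and applies the same classification to lines written in the vhost_combined format. The cipher string is copied from the config; the log lines are constructed samples with RFC 5737 addresses, and the flag names are my own.

```python
"""Audit the SSLCipherSuite list above and the TLS fields it logs.

Added example, not part of the original notes or of any Let's Encrypt /
Apache tooling.  cipher_flags() classifies an OpenSSL suite name by what
it gives up (forward secrecy, AEAD, or a 64-bit block cipher);
audit_cipher_string() applies that to the whole SSLCipherSuite value, and
flag_log_lines() applies it to lines written by the vhost_combined
LogFormat, so you can see which clients actually negotiate the weaker
suites before removing them.
"""
import re

# The SSLCipherSuite value from ssl.conf, joined into one string.
SSL_CIPHER_SUITE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# Versions that "SSLProtocol all -SSLv2 -SSLv3" does not rule out but that
# a modern deployment should not see in use.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def cipher_flags(name):
    """Name-based heuristic covering the RSA/ECDSA suites in the list above."""
    flags = set()
    if not name.startswith(("ECDHE-", "DHE-", "EDH-")):
        flags.add("no-forward-secrecy")   # static RSA key exchange
    if "DES-CBC3" in name:
        flags.add("3des")                 # 64-bit block cipher
    if "GCM" not in name and "CHACHA20-POLY1305" not in name:
        flags.add("cbc-mac")              # CBC + HMAC rather than AEAD
    return flags


def audit_cipher_string(cipher_string):
    """Map each enabled suite name to its flags.  OpenSSL modifiers such as
    !DSS, -X, +X and @STRENGTH name no suite and are skipped."""
    report = {}
    for entry in cipher_string.split(":"):
        if not entry or entry[0] in "!-+@":
            continue
        report[entry] = cipher_flags(entry)
    return report


# vhost_combined, as defined in ssl.conf:
# %h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'(?P<proto>\S+) (?P<cipher>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)


def flag_log_lines(lines):
    """Return one record per log line whose protocol or cipher is flagged."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["cipher"] == "-":   # unparsable, or no TLS on this request
            continue
        flags = cipher_flags(m["cipher"])
        if m["proto"] in LEGACY_PROTOCOLS:
            flags.add("legacy-protocol")
        if flags:
            flagged.append({"host": m["host"], "proto": m["proto"],
                            "cipher": m["cipher"], "ua": m["ua"],
                            "flags": flags})
    return flagged


# Constructed sample lines in the vhost_combined format (RFC 5737 addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2018:10:12:31 -0700] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 '
    '"GET / HTTP/1.1" 200 3521 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Oct/2018:10:13:02 -0700] TLSv1 DES-CBC3-SHA '
    '"GET /index.html HTTP/1.1" 200 3521 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '203.0.113.5 - - [05/Oct/2018:10:14:45 -0700] TLSv1.2 AES256-SHA '
    '"GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.29.0"',
    '192.0.2.10 - - [05/Oct/2018:10:15:10 -0700] TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 '
    '"GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for name, flags in audit_cipher_string(SSL_CIPHER_SUITE).items():
        if flags:
            print(f"{name:35} {', '.join(sorted(flags))}")
    for rec in flag_log_lines(SAMPLE_LOG):
        print(rec["host"], rec["proto"], rec["cipher"], rec["ua"], sorted(rec["flags"]))
```

On the real log, feed the lines of logs/ssl_request_log_renyamon-l5-ca to flag_log_lines() and tally host and user agent; if nothing legitimate shows up under legacy-protocol, 3des or no-forward-secrecy over a renewal period, the corresponding suites can be dropped from SSLCipherSuite and TLSv1/TLSv1.1 removed from SSLProtocol with no client-visible change.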