Setting up Let's Encrypt on CentOS7 (Amazon Linux 2)

This notes explains how to install Let's Encrypt onto Amazon Linux 2 (Running a
PHP+MySQL CMS, concrete5).

I've tested on Amazon Linux 2. But it will probably works on any CentOS7 and RHLE7.

Step 0: Initial Set-up

Run my concrete5 Ansible script to set-up basic web server.
https://github.com/concrete5cojp/ansible-c5-ma

This script will install all necessary repo and middleware to run a PHP web application.

Install epel repo.

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Then, make sure you finish configuring 80 port config and availabl already.

Using auto configuration

Step 1: Install Certbot

$ sudo yum install certbot python2-certbot-nginx # Nginx server
$ sudo yum install certbot python2-certbot-apache # Apache server

Step 2: Install Let's Encrypt Certificatte

sudo certbot

Step 3: Set-up cron to auto-renew

$ sudo vi /etc/crontab
# Let's Encrypt Renewal - Nginx
39 11,23  *  *  * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "systemctl restart nginx"
# Let's Encrypt Renewal - Apache
39 11,23  *  *  * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "service httpd restart"

Manual Method

Issue an certificate for the domain

$ sudo certbot certonly \
     --manual \
     --manual-public-ip-logging-ok \
     -d EXAMPLE.com \
     -d *.EXAMPLE.com \
     -m nospam@EXAMPLE.com \
     --agree-tos \
     --debug

Get the full paths of key

Set web server config

Nginx Config

    ssl_certificate         /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    include                 /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam             /etc/letsencrypt/ssl-dhparams.pem;

Apache Config

SSLCertificateFile /etc/letsencrypt/live/DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN/chain.pem
SSLCACertificateFile /etc/letsencrypt/live/DOMAIN/fullchain.pem

Cron setting

$ sudo vi /etc/crontab
# Let's Encrypt Renewal
39 11,23  *  *  * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "service nginx reload -s"

When you failed

Clear all Let's Encrypt Setting

sudo rm -R /opt/eff.org/certbot

Make sure to set SSL on default-server (For Dynamic site with cache)

Even if you only need SSL access to additional virtual host server, you may want to set SSL settings on your default-server, so that when people tried to access your server via IP, it will return blank request.

It's important tactics to prevent cache poisoning if you use CMS such as WordPress or Concrete CMS.

If you've got the following error in Nginx error log and keep failing to access SSL, you didn't set proper 443 config on your Nginx's default-server config.

no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: ***.***.***.***, server: 0.0.0.0:443

server {
    listen       80 default_server;
    listen       [::]:80;
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2;

    server_name  EXAMPLE.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    charset      utf-8;

    access_log   /var/log/nginx/dummy_access.log main;
    error_log    /var/log/nginx/dummy_error.log warn;

    root         /var/www/html;

    ssl_certificate         /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    include                 /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam             /etc/letsencrypt/ssl-dhparams.pem;


    location / {
        index  index.html;
    }
}

How to delete unused and/or old certificates

# Show which certificates are installed & get the certificate names to delete
$ sudo certbot certificates

# Delete the certificate
$ sudo certbot delete --cert-name example.com-0001