RHEL7: How to migrate your website to HTTPS with Letsencrypt.

Presentation

It is now pretty easy to put in place a webserver using the https protocol through the Letsencrypt project.

Prerequisites

A webserver has to be running (Apache, Nginx, etc)  on the port 80 with the firewall configuration allowing access through.

Installation Procedure

In the following tutorial, let’s assume that your website is called www.example.com and is located in the /var/www/html/example directory.

Several packages need to be installed:

# yum install -y git
# cd /opt
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt

Then, create a certificate for a website (here www.example.com):

# ./letsencrypt-auto certonly --webroot -w /var/www/html/example -d example.com \
-d www.example.com --email myemail@mail.com
...
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
  expire on 2016-08-18. To obtain a new version of the certificate in
  the future, simply run Certbot again.
- If you lose your account credentials, you can recover through
  e-mails sent to myemail@mail.com.
- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

Note: If you host several websites on the same domain don’t specify the domain (here example.com).

Change the firewall configuration to allow https:

# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload

Apache Configuration

Install the mod_ssl package if it is not already there:

# yum install -y mod_ssl

Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificate string and replace as follows:

SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem

In the same file, search for the ServerName string and replace as follows:

ServerName www.example.com:443

Again, search for the SSLProtocol string and replace as follows:

SSLProtocol all -SSLv2 -SSLv3

Search for the SSLCipherSuite string and replace as follows:

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM \
 EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 \
 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
 EECDH !ECDHE-RSA-DES-CBC3-SHA EDH+aRSA RSA+3DES \
 !aNULL !eNULL !LOW !SEED !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"

Check the validity of the configuration:

# httpd -t
Syntax OK

Restart the Apache webserver:

# apachectl restart

If an error occurs, check the /var/log/httpd/error_log and /var/log/httpd/ssl_error_log files.

Check the virtual host configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  www.example.com (/etc/httpd/conf.d/ssl.conf:56)

Nginx Configuration

Change the listen directive in your server block:

listen 443 http2 ssl;

Note: http2 is optional.

Add the certificate directives to your server block:

ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;

Specify the protocols and cyphers used:

ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:\
DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5:!kEDH;

Add a server block to redirect access to port 80 to port 443:

server {
    listen       80;
    server_name  www.example.com;
    return       301 https://www.example.com$request_uri;
}

Test the syntax correctness:

# nginx -t

Restart the Nginx server:

# systemctl restart nginx

If an error occurs, check the /var/log/nginx directory.

Time To Test

To test your new certificate, go to the ssllabs website and type the url of your website.
Similarly, the use of the HTTP/2 protocol can be tested through the Keycdn website.

If your website uses WordPress, there will be some additional WordPress configuration steps to migrate to HTTPS.

Certificate Renewal

Certificates are only valid for 90 days. That means you need to renew them regularly.
Automate this process is a good idea.

Create a file called /etc/letsencrypt/cli.ini and paste the following lines:

authenticator = webroot
webroot-path = /opt/www/html/example
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-tos
email = mymail@mail.com

Create a script called /etc/letsencrypt/renew.sh and paste the following lines:

#!/bin/bash
/root/.local/share/letsencrypt/bin/letsencrypt certonly \
-c /etc/letsencrypt/cli.ini -d www.example.com

Uncomment this line if you use Apache
#/bin/systemctl reload httpd

Uncomment this line if you use Nginx
#/bin/systemctl reload nginx

Give execution rights:

# chmod u+x /etc/letsencrypt/renew.sh

Put the script in the root crontab (1 execution per week):

47 5 * * 1 /etc/letsencrypt/renew.sh > /dev/null 2<&1

Additional Resources

The idroot.net website provides a tutorial showing How To Install Let’s Encrypt SSL With Nginx on CentOS 7.