LetsEncrypt: Difference between revisions

From Halfface
(Created page with "==Import private cert to gain access to startssl tools. Or generate new.== www.halfface.se_startssl.p12 ==Validations Wizard== Domain name validation ==Certificates Wizard==...")
 
No edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
==Import private cert to gain access to startssl tools. Or generate new.==
Lets encrypt for Fedora. https://fedoramagazine.org/letsencrypt-now-available-fedora/
www.halfface.se_startssl.p12
==Validations Wizard==
Domain name validation
==Certificates Wizard==
Web server ssl/tls Certificate
generate certicate for domain. Do not use csr.
==Remove key from cert.==
openssl rsa -in ssl.key -out www.halfface.se.key
==toolbox Retrieve Certificate==
save as www.halfface.se.crt
vim www.halfface.se.crt


==apache config==
=Had to remove manually installed python modules=
  SSLCertificateFile /etc/httpd/ssl/www.halfface.se.crt
\rm -r /usr/lib/python2.7/site-packages/requests/packages/*
  SSLCertificateKeyFile /etc/httpd/ssl/www.halfface.se.key
 
  SSLCertificateChainFile /etc/httpd/ssl/sub.class1.server.ca.pem
=Install letsencrypt=
  SSLCACertificateFile /etc/httpd/ssl/ca.pem
sudo dnf -y install letsencrypt
 
=manually create certs. Verify that all goes well=
letsencrypt --text --email anden@halfface.se \
--domains www.halfface.se,halfface.se,ldap.halfface.se \
--agree-tos --renew-by-default --manual certonly
 
=Automated updates. Web root verification=
letsencrypt --text --renew-by-default --email anden@halfface.se \
--domains www.halfface.se,halfface.se,ldap.halfface.se \
--agree-tos --webroot --webroot-path /var/www/html/www-halfface certonly
 
=Fix selinux.=
semanage fcontext -a -t cert_t '/etc/letsencrypt/(archive|live)(/.*)?'
restorecon -Rv /etc/letsencrypt
 
=Link to certs in proper location.=
ln -s /etc/letsencrypt/live/www.halfface.se/cert.pem /etc/pki/tls/certs/www.halfface.se.crt
ln -s /etc/letsencrypt/live/www.halfface.se/chain.pem /etc/pki/tls/certs/www.halfface.se.chain.crt
ln -s /etc/letsencrypt/live/www.halfface.se/privkey.pem /etc/pki/tls/private/www.halfface.se.key
 
=Add correct paths to certs in http config.=
  SSLCertificateFile /etc/pki/tls/certs/www.halfface.se.crt
  SSLCertificateKeyFile /etc/pki/tls/private/www.halfface.se.key
  SSLCertificateChainFile /etc/pki/tls/certs/www.halfface.se.chain.crt
 
=Remove old certs.=
  rm -r /etc/httpd/ssl/
 
=restart to take effect.=
systemctl restart httpd
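Review bot: In the new revision, `rm -r /etc/httpd/ssl/` comes before `systemctl restart httpd`, so the old certificate and key are deleted before httpd has loaded the new paths even once. If one of the three `ln -s` targets or the SELinux label is wrong, httpd fails to start and the previous files are gone. Suggest swapping the last two steps: run `apachectl configtest` and the restart first, then remove the old directory once the site serves the new certificate.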

Latest revision as of 23:10, 6 January 2017

Let's Encrypt for Fedora: https://fedoramagazine.org/letsencrypt-now-available-fedora/

Had to remove manually installed Python modules.

\rm -r /usr/lib/python2.7/site-packages/requests/packages/*

Install letsencrypt

sudo dnf -y install letsencrypt

Manually create certs. Verify that all goes well.

letsencrypt --text --email anden@halfface.se \
--domains www.halfface.se,halfface.se,ldap.halfface.se \
--agree-tos --renew-by-default --manual certonly

Automated updates. Web root verification.

letsencrypt --text --renew-by-default --email anden@halfface.se \
--domains www.halfface.se,halfface.se,ldap.halfface.se \
--agree-tos --webroot --webroot-path /var/www/html/www-halfface certonly

Fix SELinux.

semanage fcontext -a -t cert_t '/etc/letsencrypt/(archive|live)(/.*)?'
restorecon -Rv /etc/letsencrypt

Link to certs in proper location.

ln -s /etc/letsencrypt/live/www.halfface.se/cert.pem /etc/pki/tls/certs/www.halfface.se.crt
ln -s /etc/letsencrypt/live/www.halfface.se/chain.pem /etc/pki/tls/certs/www.halfface.se.chain.crt
ln -s /etc/letsencrypt/live/www.halfface.se/privkey.pem /etc/pki/tls/private/www.halfface.se.key

Add correct paths to certs in httpd config.

SSLCertificateFile /etc/pki/tls/certs/www.halfface.se.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.halfface.se.key
SSLCertificateChainFile /etc/pki/tls/certs/www.halfface.se.chain.crt

Remove old certs.

rm -r /etc/httpd/ssl/

Restart to take effect.

systemctl restart httpd
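
Added example, not part of the original notes: a pre-restart check that the linked certificate and key belong together, that the certificate is not about to expire, and that it covers the requested names. The function names, exit codes and the 14-day threshold are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: verify the linked cert/key pair
# before restarting httpd. Function names and exit codes are hypothetical.

# PEM public key embedded in a certificate; fails if CERT cannot be parsed.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from a private key; fails if KEY cannot be parsed.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only if CERT lists HOST as an exact DNS subjectAltName.
# Wildcard entries are not expanded; the page requests explicit names only.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | grep 'DNS:' | tr ',' '\n' |
        sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# check_deploy CERT KEY MIN_DAYS [HOST...]
# 0 = ok, 2 = unreadable/unparseable, 3 = key mismatch, 4 = expiring, 5 = name missing
check_deploy() {
    local cert="$1" key="$2" min_days="$3" host cp kp
    shift 3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 2; }
    cp=$(cert_pubkey "$cert") || { echo "cannot parse $cert" >&2; return 2; }
    kp=$(key_pubkey "$key") || { echo "cannot parse $key" >&2; return 2; }
    [ "$cp" = "$kp" ] || { echo "$key does not belong to $cert" >&2; return 3; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "$cert expires within $min_days days" >&2; return 4; }
    for host in "$@"; do
        cert_covers_host "$cert" "$host" || { echo "$cert lacks $host" >&2; return 5; }
    done
}

# Runs only when arguments are given, e.g. as root with this page's paths:
#   ./check_deploy.sh /etc/pki/tls/certs/www.halfface.se.crt \
#       /etc/pki/tls/private/www.halfface.se.key 14 \
#       www.halfface.se halfface.se ldap.halfface.se
if [ "$#" -ge 3 ]; then
    check_deploy "$@" && echo "OK: certificate and key are consistent"
fi
```

Running it between the httpd config change and the restart catches a mismatched symlink or a certificate missing one of the --domains names while the old configuration is still serving.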