Quick install SSL - Let’s Encrypt Apache/ Python3 ~ Centos7

 yum install httpd

systemctl enable httpd
vim /etc/httpd/conf.d/domain.com.conf
Add the following lines:
<VirtualHost *:80>
    ServerAdmin admin@domain.com
    DocumentRoot "/var/www/html"
    DirectoryIndex index.html
    ServerName domain.com
    ErrorLog "/var/log/httpd/domain.com.error_log"
    CustomLog "/var/log/httpd/domain.com.access_log" common
vim /var/www/html/index.html
Test - Welcome to The Apache Web Server.
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip

sudo /opt/certbot/bin/pip install certbot

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

sudo certbot certonly --standalone
Test the renewal process manually with the following command.
certbot renew --dry-run
To do so, edit the crontab with the following command:

crontab -e

Add the following line:

* */12 * * * root /usr/bin/certbot renew >/dev/null 2>&1

[Monthly] Upgrade certbot
It's important to occasionally update Certbot to keep it up-to-date. To do this, run the following command on the command line on the machine.

sudo /opt/certbot/bin/pip install --upgrade certbot

Move to another server:

You can copy the entire dir /etc/letsencrypt/ and restore it on your new server.

Old server (as root):

tar zpcvf backup_etc-letsencrypt_2018-Nov-20.tar.gz /etc/letsencrypt/
Now transfer the file to the new server.

New server (as root):
tar zxvf backup_etc-letsencrypt_2018-Nov-20.tar.gz -C /

And you have all the certificates, renewal confs, etc. on your new server.

 Allow user bind privileged port
For some reason no one mention about lowering sysctl net.ipv4.ip_unprivileged_port_start to the value you need. Example: We need to bind our app to 443 port.

sysctl net.ipv4.ip_unprivileged_port_start=443
Some may say, there is a potential security problem: unprivileged users now may bind to the other privileged ports (444-1024). But you can solve this problem easily with iptables, by blocking other ports:
iptables -I INPUT -p tcp --dport 444:1024 -j DROP
iptables -I INPUT -p udp --dport 444:1024 -j DROP





Post a Comment

Vui lòng tuân thủ một số quy tắc sau:

» Nội dung phải liên quan tới chủ đề bài viết, không spam.
» Viết bằng tiếng Việt có dấu hoặc tiếng Anh.

Hi vọng các bạn tìm được những kiến thức bổ ích khi tình cờ ghé thăm blog này.