Welcome to the third installment of the CentOS 7 LAMP Server Tutorial: Modernized and Explained series. This tutorial builds on the work done in Part 1 and Part 2, so if you have not reviewed them, now is a good time to do so.
In this installment, we will secure our new virtual host (lowend-tutorial.tld) with an SSL certificate from Let's Encrypt. We will install WordPress in Part 4, and it will be good to have an SSL certificate in place before installing WordPress.
We will see how the Let's Encrypt SSL certificate is installed and how we can use it. Let us begin!
If you are not familiar with Let's Encrypt, take a moment to visit their website at https://letsencrypt.org/. They are a Certificate Authority that offers free SSL certificates to anyone who can prove that they control the domain for which they are requesting a certificate.
They do this through the ACME protocol. You can read more about it on their site, but it works like this: a program on the server (we'll talk about Certbot in a moment) places a token inside a file at http://lowend-tutorial.tld/somefilename. It then tells the Let's Encrypt servers where that file is, and they go looking for it. If the URL exists and serves the expected token, they know that the request came from the real lowend-tutorial.tld server and they issue a certificate.
That means that http://lowend-tutorial.tld must be a functioning website before Let's Encrypt will issue a certificate. In the last installment we had a working site, even though it had no content yet. That will do nicely for this purpose. As mentioned, the program that drives all of this is called Certbot. It is excellent software that makes the whole process look remarkably simple. Let's install Certbot!
For CentOS 7 we need to install both Certbot and the python module that Certbot uses to integrate with Apache. Use the following command:
yum -y install certbot python2-certbot-apache
Before we can run Certbot and get an SSL certificate from Let's Encrypt, we need to do a little more configuration. HTTPS (SSL) connections use port 443 (as opposed to port 80 for unencrypted HTTP), so we must allow port 443 through the firewall. Firewalld knows the association between port 443 and the "https" service, so we can simply enable "https" in Firewalld. Paste the following commands:
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
Certbot is smart: it knows that we are running the Apache web server, and it is also smart enough to work out how we are running Apache. It actually reads the configuration files and reacts accordingly. You will remember that we created a new Apache VirtualHost in /etc/httpd/sites-enabled/lowend-tutorial.tld.conf. That configuration file is responsible for mapping http://lowend-tutorial.tld to /home/lowend/public_html and for making PHP work.
The first line of /etc/httpd/sites-enabled/lowend-tutorial.tld.conf looks like this:
This VirtualHost is specific to port 80. But SSL happens on port 443, so we will need a new VirtualHost for port 443. What do we need to do to configure all of this? Let Certbot work its magic! On the command line, run certbot with the following command:
You will have to answer a few questions. If you want your website to be automatically redirected to https://, you can configure that here, or you can do it manually later in the website's configuration. This is how it looked on our VPS:
If you look in /etc/httpd/sites-enabled, you will see a new file, lowend-tutorial.tld-le-ssl.conf. Examining it shows that the VirtualHost directive now defines a VirtualHost on port 443 and that the whole VirtualHost is wrapped in a pair of tags. At the bottom there are some new lines related to the SSL certificate. Here are the additions and changes:
... omitting original content from VirtualHost for brevity
You can see how this configuration is SSL-specific: the SSL configuration is loaded, and the paths to the SSL certificate files are now included. Certbot did all of this for us, and even restarted Apache to apply the changes. Thanks, Certbot!
Let's see if everything worked. Load your site in a browser, then change the URL to https://. It should still load. If not, read the ACME errors carefully and make sure that the site loaded over http:// in the first place. Also make sure that DNS points to the server correctly. These two things account for most of the errors.
Like most good things, Let's Encrypt SSL certificates do not last forever. They are valid for 90 days and then need to be renewed. If we ask Certbot to run regularly, it will automatically renew any SSL certificate that is less than 29 days from expiration. For that, we are going to use a cron job.
Cron jobs are automated tasks that run on a schedule we define. These schedules live in a table file called a "crontab". Linux has a built-in command for editing crontabs, but it relies on whatever text editor you have configured. We prefer nano for its ease of use over vim (feel free to disagree, we do not mind!), so we will set it as our editor before we start editing things:
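As an added example (not part of the original tutorial), here is a small script that performs the check described above from the command line: it fetches the certificate that Apache is actually serving for the site, works out how many days it has left, and reports whether it is already inside the renewal window. The hostname lowend-tutorial.tld and the 30-day cutoff are assumptions; GNU date (as shipped with CentOS 7) and the openssl CLI are required.

```shell
#!/bin/bash
# Added example: report the remaining lifetime of a site's served certificate
# and whether it is inside the renewal window. Not part of the tutorial.

# days_left NOTAFTER [NOW_EPOCH] -> prints whole days until NOTAFTER expires.
# NOTAFTER is the "notAfter=..." line printed by `openssl x509 -enddate`.
days_left() {
    local end_str="${1#notAfter=}"
    local now="${2:-$(date +%s)}"
    local end
    end=$(date -u -d "$end_str" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# needs_renewal NOTAFTER THRESHOLD_DAYS [NOW_EPOCH] -> exit 0 if fewer than
# THRESHOLD_DAYS remain, i.e. the certificate is inside the renewal window.
needs_renewal() {
    local left
    left=$(days_left "$1" "$3") || return 2
    [ "$left" -lt "$2" ]
}

# remote_notafter HOST -> expiry line of the certificate served on HOST:443.
# -servername sends SNI so the port-443 VirtualHost for that name answers,
# rather than whatever default certificate Apache has.
remote_notafter() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

main() {
    local host="$1" threshold="$2" end
    end=$(remote_notafter "$host") || { echo "could not fetch certificate for $host" >&2; return 1; }
    echo "$host: $end ($(days_left "$end") days left)"
    if needs_renewal "$end" "$threshold"; then
        echo "inside the renewal window: 'certbot renew' would renew it now"
    else
        echo "no renewal needed yet"
    fi
}

# Live check only when CHECK_HOST is set, e.g.:
#   CHECK_HOST=lowend-tutorial.tld RENEW_DAYS=30 ./certcheck.sh
if [ -n "${CHECK_HOST:-}" ]; then main "$CHECK_HOST" "${RENEW_DAYS:-30}"; fi
```

The helper functions take an explicit "now" timestamp so the date arithmetic can be tested without a network connection.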
export VISUAL=nano
Since we want this to apply every time we log in, we will go ahead and add it to /root/.bash_profile. The .bash_profile file is a script that runs every time your user logs in:
echo "export VISUAL=nano" >> ~/.bash_profile
Now let's edit the crontab file and add a job that will run every 12 hours:
With nano open, paste the following:
1 */12 * * * certbot renew
That entry tells cron to run the "certbot renew" command at minute 1 of every 12th hour of each day (00:01 and 12:01). If there is a certificate that needs renewing, it will renew it for us, as long as ACME can verify the domain again.
And with that, we're finished. You have just installed Certbot, which in turn installed a Let's Encrypt SSL certificate on your CentOS 7 LAMP server. For more information, see the official Let's Encrypt and Certbot documentation. They are a treasure trove of information, especially if you need to troubleshoot:
In the next installment, we will install WordPress on our new LAMP server and learn to manage it without even leaving the command line. Stay tuned!