In this tutorial I will show how to obtain a Let's Encrypt SSL certificate for an Apache site that listens on a non-standard port rather than 80 or 443. The same method works for other web servers such as nginx and Tomcat, because the certificate is issued independently of the server that will use it. If you are new to Let's Encrypt, here is a brief introduction: Let's Encrypt is a free, automated, non-profit certificate authority (CA) operated by the Internet Security Research Group (ISRG).
Please note that all steps below were done on CentOS 7.
01) Install certbot
First enable the EPEL repository.
How to enable the EPEL repository on RHEL / CentOS is covered in a separate post (linked in the original); on RHEL you also need the optional channel enabled, because EPEL packages depend on it.
Then install certbot with yum:
#yum install certbot
02) Obtain the SSL certificate
Execute the following as root:
#certbot certonly --manual --preferred-challenges dns
This is the most important command. The certificate is obtained manually even though certbot provides an Apache plugin: a manually obtained certificate is just a set of PEM files, so it can be wired into any web server later 🙂 . --preferred-challenges dns selects the DNS-01 challenge, so domain ownership is proven with a TXT record instead of a file served over HTTP. That is exactly what makes a non-standard port possible: Let's Encrypt's HTTP validation only ever connects to port 80 (and TLS-ALPN validation to 443), while the DNS challenge needs no inbound connection to the server at all.
Certbot then starts an interactive wizard (the original post shows a screenshot of it here). Once you enter the domain it prints the DNS challenge: a TXT record at _acme-challenge.yourdomain.com with a random value. You must create that record at your DNS provider, and wait until public resolvers actually return it, before you press Enter to continue; certbot then verifies the record and writes the certificate and key under /etc/letsencrypt/live/yourdomain.com/.
03) Configure SSL on Apache
You can use the following Apache virtual-host configuration as a template. Apache must already be listening on the chosen port (a Listen 65006 directive in httpd.conf) and mod_ssl must be loaded. The cipher list is one colon-separated string with no trailing semicolon (a semicolon would be read as part of the last cipher name). SSLProtocol all -SSLv2 -SSLv3 still permits TLS 1.0 and 1.1; on a current deployment you would exclude those as well. After reloading Apache, confirm with an openssl s_client connection to port 65006 that the Let's Encrypt certificate and its chain are the ones served.

    <VirtualHost *:65006>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
        SSLHonorCipherOrder on
        <Directory /opt/web/testsite>
            AllowOverride All
        </Directory>
        DocumentRoot /opt/web/testsite
        ServerName yourdomain.com
        DirectoryIndex index.html index.php
    </VirtualHost>
04) SSL renewal
Renewal can be automated with cron. The two entries below run the renewal check every Monday at 03:00 and restart Apache ten minutes later so that the new certificate is picked up (Apache only reads the PEM files at start-up or reload). One caveat the original does not mention: certbot refuses to renew a certificate that was issued with --manual when it runs non-interactively, unless a --manual-auth-hook script is configured that publishes the TXT record for it. With the plain command below the renewal of this certificate will therefore fail and the error will end up in the output file; either supply such a hook or repeat step 02 by hand before the certificate expires.

    ### Certbot SSL renew
    0 3 * * 1 /usr/bin/certbot renew --quiet > /tmp/certbot.txt
    10 3 * * 1 /usr/local/apache2/bin/apachectl -k restart
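The following script is an added example and is not part of the original tutorial. It serves two places in the procedure above: during the interactive wizard in step 02 its wait_for_txt function tells you when the _acme-challenge TXT record is actually visible to a public resolver (so you do not press Enter too early), and as a certbot --manual-auth-hook it lets the step 04 cron renewal complete the DNS challenge without a human. Assumptions not taken from the page: dig is installed, the resolver 1.1.1.1 is reachable, the script is saved as /usr/local/bin/acme-dns-auth.sh, and the publish_txt function is a placeholder that you must replace with your DNS provider's API call or an nsupdate command.

```shell
#!/bin/bash
# Added example (not from the original post): certbot --manual-auth-hook for
# the dns-01 challenge, plus a propagation check usable by hand in step 02.
set -u

# Name of the TXT record the ACME server queries for a given domain.
challenge_name() { printf '_acme-challenge.%s' "$1"; }

# PLACEHOLDER (assumption): publish TXT record "$1" with value "$2" at your
# DNS provider, e.g. via its HTTP API or nsupdate. Must be replaced.
publish_txt() {
    echo "publish TXT $1 -> $2 (implement for your DNS provider)" >&2
}

# True when the newline-separated TXT strings in $1 contain exactly token $2.
# -x forces a whole-line match, so a token that merely has $2 as a prefix or
# a substring does not count as published.
txt_has_token() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# TXT strings for name $1 from a public resolver, surrounding quotes removed.
# Asking a public resolver rather than the local one avoids a stale cache.
# Overridable through LOOKUP_CMD so the polling logic can be tested offline.
lookup_txt() { dig +short TXT "$1" @1.1.1.1 | tr -d '"'; }

# Poll until token $2 is visible at name $1, at most $3 attempts, sleeping $4
# seconds between them. Returns 0 once it is visible, 1 otherwise.
wait_for_txt() {
    local i=0 out
    while [ "$i" -lt "$3" ]; do
        out=$("${LOOKUP_CMD:-lookup_txt}" "$1")
        if txt_has_token "$out" "$2"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$4"
    done
    return 1
}

# Entry point when certbot invokes the script as --manual-auth-hook: certbot
# exports CERTBOT_DOMAIN and CERTBOT_VALIDATION (real certbot variables).
# A non-zero exit makes certbot abort the challenge instead of failing later.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    name=$(challenge_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" 30 10 || {
        echo "TXT record for $name did not appear" >&2
        exit 1
    }
fi
```

Usage: during step 02, source the script in another terminal and run wait_for_txt "$(challenge_name yourdomain.com)" '<value certbot printed>' 30 10 before pressing Enter. For unattended renewal, issue the certificate once with certbot certonly --manual --preferred-challenges dns --manual-auth-hook /usr/local/bin/acme-dns-auth.sh -d yourdomain.com; certbot records the hook in /etc/letsencrypt/renewal/yourdomain.com.conf, so the plain certbot renew cron entry from step 04 then works. Newer certbot versions also accept --deploy-hook "/usr/local/apache2/bin/apachectl -k graceful", which restarts Apache only when a certificate was actually renewed instead of unconditionally every Monday.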