Quick install SSL - Let’s Encrypt Apache/ Python3 ~ Centos7

yum install httpd

systemctl enable httpd

vim /etc/httpd/conf.d/domain.com.conf
Add the following lines:
<VirtualHost *:80>
    ServerAdmin admin@domain.com
    DocumentRoot "/var/www/html"
    DirectoryIndex index.html
    ServerName domain.com
    ErrorLog "/var/log/httpd/domain.com.error_log"
    CustomLog "/var/log/httpd/domain.com.access_log" common
</VirtualHost>

vim /var/www/html/index.html
Add:
<html>
Test - Welcome to The Apache Web Server.
</html>

Create cert:
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip

sudo /opt/certbot/bin/pip install certbot

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

sudo certbot certonly --standalone

Test the renewal process manually with the following command:
certbot renew --dry-run
To renew automatically, edit the root crontab with the following command:
crontab -e

Add the following line (a per-user crontab has no user column, and a fixed minute avoids running the check every minute of hours 0 and 12):

0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1
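As an added example (not from the page's sources or from certbot itself), the Python script below lints a `crontab -e` entry for `certbot renew`: it expands the minute and hour fields to count how many times per day the job fires, and flags a stray user column, which only `/etc/crontab` and `/etc/cron.d` files have. The two sample lines are constructed: one in the `* */12 * * * root ...` form, which runs every minute of hours 0 and 12 and hands `root` to the shell as the command, and one that runs at 00:00 and 12:00.

```python
"""Lint a certbot renewal line for a per-user crontab (crontab -e).

Added example for this page, not certbot's own code. It expands the minute
and hour fields ('*', '*/n', 'a-b', 'a,b', plain numbers) to count how often
the job fires per day, and flags a stray user column, which 'crontab -e'
entries do not have (only /etc/crontab and /etc/cron.d do). Both sample
lines below are constructed for the demonstration.
"""
import pwd
import shutil


def expand_field(field, low, high):
    """Return the set of values in [low, high] matched by one cron field."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = int(part)
            end = high if step > 1 else start  # '5/10' means 5,15,25,...
        if not (low <= start <= end <= high):
            raise ValueError(f"cron field {field!r} is out of range {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def daily_firings(cron_line):
    """Count how many times per day the schedule fires (day fields ignored)."""
    fields = cron_line.split()
    if len(fields) < 6:
        raise ValueError("expected 5 schedule fields followed by a command")
    minutes = expand_field(fields[0], 0, 59)
    hours = expand_field(fields[1], 0, 23)
    return len(minutes) * len(hours)


def looks_like_user_column(word):
    """True if the first command word is a local account rather than a program."""
    if "/" in word or shutil.which(word):
        return False
    try:
        pwd.getpwnam(word)
    except KeyError:
        return False
    return True


def lint_user_crontab_line(cron_line):
    """Return a list of warnings for a 'crontab -e' entry; empty means OK."""
    warnings = []
    fields = cron_line.split()
    fires = daily_firings(cron_line)
    if fires > 2:
        warnings.append(
            f"fires {fires} times per day; 'certbot renew' only needs one or two "
            "daily checks, so use a fixed minute such as '0 */12 * * *'")
    if looks_like_user_column(fields[5]):
        warnings.append(
            f"'{fields[5]}' would be run as the command: per-user crontabs have no "
            "user column, that column belongs only in /etc/crontab or /etc/cron.d")
    return warnings


# Constructed sample lines: the first form is a common mistake, the second is sound.
SUSPECT_LINE = "* */12 * * * root /usr/bin/certbot renew >/dev/null 2>&1"
CORRECTED_LINE = "0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1"

if __name__ == "__main__":
    for line in (SUSPECT_LINE, CORRECTED_LINE):
        print(line)
        for warning in lint_user_crontab_line(line) or ["OK"]:
            print("  -", warning)
```

Because the command's output goes to `/dev/null`, the "root: command not found" error produced by the first form is never seen; the linter surfaces it before the entry is installed.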

[Monthly] Upgrade certbot
It's important to occasionally update Certbot to keep it up to date. To do this, run the following command on the machine:

sudo /opt/certbot/bin/pip install --upgrade certbot

Move to another server:

You can copy the entire dir /etc/letsencrypt/ and restore it on your new server.

Old server (as root):

tar zpcvf backup_etc-letsencrypt_2018-Nov-20.tar.gz /etc/letsencrypt/
Now transfer the file to the new server.

New server (as root):
tar zxvf backup_etc-letsencrypt_2018-Nov-20.tar.gz -C /

And you have all the certificates, renewal confs, etc. on your new server.
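The tar `p` flag and the `-C /` restore preserve the relative symlinks and file modes that certbot depends on: the real files live under `archive/<name>/`, and `live/<name>/*.pem` are symlinks into it. As an added example that is not certbot's or the page's own code, the Python script below builds a constructed certbot-style tree with placeholder files (no real key material), restores it once through tar and once through a symlink-dereferencing copy, and audits each copy for flattened or dangling `live/` links, a group- or world-readable private key, and a missing renewal conf. The lineage name `domain.com` and the tarball name are placeholders.

```python
"""Audit a copied /etc/letsencrypt tree and round-trip it through tar.

Added example for this page, not certbot's own code. certbot keeps the real
files under archive/<name>/ and points live/<name>/*.pem at them through
relative symlinks, so a copy that loses symlinks or file modes looks fine
today but stops picking up renewals and may expose the private key. The
tree built here is constructed test data with placeholder file contents.
"""
import os
import shutil
import stat
import tarfile
import tempfile

LIVE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def build_fake_tree(root, name="domain.com"):
    """Create a minimal certbot-style layout under root/etc/letsencrypt."""
    le_dir = os.path.join(root, "etc", "letsencrypt")
    archive = os.path.join(le_dir, "archive", name)
    live = os.path.join(le_dir, "live", name)
    renewal = os.path.join(le_dir, "renewal")
    for directory in (archive, live, renewal):
        os.makedirs(directory)
    for fname in LIVE_FILES:
        stem, ext = fname.rsplit(".", 1)
        target = os.path.join(archive, f"{stem}1.{ext}")
        with open(target, "w") as fh:
            fh.write(f"PLACEHOLDER {fname}, not real key material\n")
        # certbot keeps private keys 0600 and the public files 0644
        os.chmod(target, 0o600 if stem == "privkey" else 0o644)
        os.symlink(os.path.join("..", "..", "archive", name, f"{stem}1.{ext}"),
                   os.path.join(live, fname))
    with open(os.path.join(renewal, f"{name}.conf"), "w") as fh:
        fh.write("[renewalparams]\nauthenticator = standalone\n")
    return le_dir


def audit_tree(le_dir):
    """Return a list of problems in a letsencrypt dir; empty means it is sane."""
    problems = []
    live_root = os.path.join(le_dir, "live")
    for name in sorted(os.listdir(live_root)):
        lineage = os.path.join(live_root, name)
        if not os.path.isdir(lineage):
            continue  # certbot also leaves a README file in live/
        for fname in LIVE_FILES:
            path = os.path.join(lineage, fname)
            if not os.path.islink(path):
                problems.append(f"{name}/{fname}: not a symlink, renewals will not update it")
                continue
            if not os.path.exists(path):
                problems.append(f"{name}/{fname}: dangling symlink -> {os.readlink(path)}")
                continue
            if fname == "privkey.pem":
                mode = stat.S_IMODE(os.stat(path).st_mode)  # stat follows the link
                if mode & 0o077:
                    problems.append(f"{name}/privkey.pem: mode {mode:o} is readable by others")
        if not os.path.isfile(os.path.join(le_dir, "renewal", f"{name}.conf")):
            problems.append(f"{name}: no renewal/{name}.conf, 'certbot renew' will skip it")
    return problems


def tar_backup_and_restore(src_root, dst_root, archive_path):
    """Pack etc/letsencrypt like 'tar zpcvf' and unpack it like 'tar zxvf -C /'."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(os.path.join(src_root, "etc", "letsencrypt"), arcname="etc/letsencrypt")
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python >= 3.12 (and backports)
            tar.extractall(dst_root, filter="data")  # refuses paths escaping dst_root
        else:
            tar.extractall(dst_root)
    return os.path.join(dst_root, "etc", "letsencrypt")


def run_demo():
    """Restore the tree via tar and via a symlink-dereferencing copy; audit both."""
    with tempfile.TemporaryDirectory() as work:
        old_root = os.path.join(work, "old")
        src = build_fake_tree(old_root)
        restored = tar_backup_and_restore(
            old_root, os.path.join(work, "new"),
            os.path.join(work, "backup_etc-letsencrypt.tar.gz"))
        # the failure mode: cp -r / scp without preserving links flattens live/
        copied = os.path.join(work, "copied", "etc", "letsencrypt")
        shutil.copytree(src, copied, symlinks=False)
        return audit_tree(restored), audit_tree(copied)


if __name__ == "__main__":
    tar_problems, copy_problems = run_demo()
    print("tar -p restore:", tar_problems or "OK")
    print("dereferenced copy:", copy_problems or "OK")
```

Run `audit_tree("/etc/letsencrypt")` as root on the new server after the restore; any finding means Apache would keep serving the old certificate after the next renewal, or that the key is readable by local users.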

Allow a user to bind a privileged port
For some reason no one mentions lowering sysctl net.ipv4.ip_unprivileged_port_start to the value you need. Example: we need to bind our app to port 443.

sysctl net.ipv4.ip_unprivileged_port_start=443
Some may say there is a potential security problem: unprivileged users may now bind to the other privileged ports (444-1024). But you can solve this problem easily with iptables, by blocking the other ports:
iptables -I INPUT -p tcp --dport 444:1024 -j DROP
iptables -I INPUT -p udp --dport 444:1024 -j DROP

#----------

https://dade2.net/kb/how-to-install-and-configure-certbot-on-apache-centos/
https://certbot.eff.org/lets-encrypt/pip-other

https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux
