การติดตั้ง Let’s Encrypt SSL Certificate บน Apache

การติดตั้ง Let’s Encrypt SSL Certificate บน Apache
ขั้นตอน
1. ใช้คำสั่ง ssh เพื่อเข้าสู่ Server ในที่นี้ทดสอบชื่อ DNS แบบเต็มเป็น  www.sysadmin.test
sudo ssh -l root www.sysadmin.test

หรือหากเข้าระบบด้วยชื่อผู้ใช้ให้สั่งเป็น
sudo ssh -l user_name www.sysadmin.test
sudo -s

2. ติดตั้ง Let’s Encrypt (Certbot)
sudo dnf install epel-release
sudo dnf install certbot python3-certbot-apache mod_ssl

Note. กรณีใช้ Nginx ให้สั่งเป็น
# dnf install certbot python3-certbot-nginx

3. ตรวจสอบเวอร์ชั่น certbot
sudo certbot –version
certbot 2.1.0

4. ทดสอบสร้าง Let’s Encrypt SSL Certificate ฟรีสำหรับ Apache Web Server
(ใบรับรอง SSL/TLS แบบฟรี แบบ Stand Alone ต้องทำการปิดบริการ Apache ก่อน)
sudo systemctl stop httpd
ss -tln

5. สร้างใบรับรอง
certbot certonly –apache
หรือ
sudo certbot –apache -d sysadmin.test
————————-
Note. กรณีใช้ nginx
certbot –nginx
————————–
กำหนดอีเมลของผู้ดูแลระบบ
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to cancel): yourusername@youremaildomain.com

อ่านรายละเอียดยอมรับเงื่อนไข
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server. Do you agree? – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(Y)es/(N)o:

Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let’s Encrypt project and the non-profit organization that develops Certbot? We’d like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(Y)es/(N)o:

Which names would you like to activate HTTPS for?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: yourdomain.com
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter ‘c’ to cancel):

Requesting a certificate for yourdomain.com Performing the following challenges: http-01 challenge for yourdomain.com Waiting for verification… Cleaning up challenges Subscribe to the EFF mailing list (email: yourusername@youremaildomain.com). IMPORTANT NOTES: – Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem Your certificate will expire on 2021-07-01. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run “certbot renew” – If you like Certbot, please consider supporting our work by: Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

6. กำหนดรายละเอียดในไฟล์ปรับแต่ง

<VirtualHost *:80>
ServerName www.yourdomain.com
ServerAdmin username@yourdomain.com
Redirect / https://www.yourdomain.com/
</VirtualHost>

<Virtual Host *:443>
ServerName www.yourdomain.com
ServerAdmin username@yourdomain.com
DocumentRoot /var/www/sub-domains/com.yourdomain.www/html
DirectoryIndex index.php index.htm index.html
Alias /icons/ /var/www/icons/
# ScriptAlias /cgi-bin/ /var/www/sub-domains/com.yourdomain.www/cgi-bin/

CustomLog “/var/log/httpd/com.yourdomain.www-access_log” combined
ErrorLog “/var/log/httpd/com.yourdomain.www-error_log”

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384
:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem

<Directory /var/www/sub-domains/com.yourdomain.www/html>
Options -ExecCGI -Indexes
AllowOverride None

Order deny,allow
Deny from all
Allow from all

Satisfy all
</Directory>
</VirtualHost>
————————————–
สั่งรันอัตโนมัต

certbot renew –dry-run


ที่มา:
– https://docs.rockylinux.org/guides/security/generating_ssl_keys_lets_encrypt/
– https://www.tecmint.com/setup-https-with-lets-encrypt-ssl-certificate-for-nginx-on-centos/
– https://www.tecmint.com/secure-apache-with-ssl-in-rocky-linux/
– https://upcloud.com/resources/tutorials/install-lets-encrypt-apache



Write by SysAdmin Knowledge
https://www.sysadmin.in.th
February 9, 2023