LetsEncrypt

From Halfface
Revision as of 23:10, 6 January 2017 by Ekaanbj (talk | contribs)

Let's Encrypt for Fedora: https://fedoramagazine.org/letsencrypt-now-available-fedora/

Had to remove manually installed Python modules.

\rm -r /usr/lib/python2.7/site-packages/requests/packages/*

Install letsencrypt.

sudo dnf -y install letsencrypt

Manually create certs. Verify that all goes well.

letsencrypt --text --email anden@halfface.se \
--domains www.halfface.se,halfface.se,ldap.halfface.se \
--agree-tos --renew-by-default --manual certonly

Automated updates, using web root verification.

letsencrypt --text --renew-by-default --email anden@halfface.se \
--domains www.halfface.se,halfface.se,ldap.halfface.se \
--agree-tos --webroot --webroot-path /var/www/html/www-halfface certonly

Fix the SELinux file contexts.

semanage fcontext -a -t cert_t '/etc/letsencrypt/(archive|live)(/.*)?'
restorecon -Rv /etc/letsencrypt

Link the certs into the proper location.

ln -s /etc/letsencrypt/live/www.halfface.se/cert.pem /etc/pki/tls/certs/www.halfface.se.crt
ln -s /etc/letsencrypt/live/www.halfface.se/chain.pem /etc/pki/tls/certs/www.halfface.se.chain.crt
ln -s /etc/letsencrypt/live/www.halfface.se/privkey.pem /etc/pki/tls/private/www.halfface.se.key

Add the correct cert paths to the httpd config.

SSLCertificateFile /etc/pki/tls/certs/www.halfface.se.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.halfface.se.key
SSLCertificateChainFile /etc/pki/tls/certs/www.halfface.se.chain.crt

Remove old certs.

rm -r /etc/httpd/ssl/

Restart httpd for the changes to take effect.

systemctl restart httpd
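
An added example, not part of the original page: checks worth running on the linked cert and key before the restart, confirming that the certificate matches the private key, is not about to expire, and that the key file has no group or other permission bits. The function names and the throwaway sample certificate are constructed for illustration; openssl and GNU stat (as shipped on Fedora) are assumed.

```bash
#!/bin/sh
# Added example: checks to run on the linked cert and key before restarting httpd.

# Succeeds only if the certificate carries the public key of this private key.
cert_matches_key() {
    c_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c_pub" ] && [ "$c_pub" = "$k_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the key file mode (symlinks followed) grants nothing to group or others.
key_is_private() {
    case "$(stat -L -c '%a' "$1" 2>/dev/null)" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all checks; report every failure and return non-zero if any failed.
preflight() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    cert_valid_for_days "$1" "${3:-30}" || { echo "FAIL: $1 expires within ${3:-30} days"; rc=1; }
    key_is_private "$2" || { echo "FAIL: $2 has group/other permission bits set"; rc=1; }
    return "$rc"
}

# Constructed sample: a throwaway self-signed cert and key in directory $1, valid $2 days.
make_sample() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
          -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 )
}

# Demo on the constructed sample. On the server, call instead:
#   preflight /etc/pki/tls/certs/www.halfface.se.crt /etc/pki/tls/private/www.halfface.se.key 30
demo_dir=$(mktemp -d)
make_sample "$demo_dir" 90
preflight "$demo_dir/cert.pem" "$demo_dir/key.pem" 30 && echo "OK: sample passes all checks"
rm -rf "$demo_dir"
```

Because the checks follow symlinks, they exercise the files under /etc/letsencrypt/live that the links point to.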