
Letsencrypt – Generating certificate and deploy on production server

I had a situation where I did not want to install all the libraries required by Let's Encrypt on a production server, for fear of breaking the running apps.

I went on to explore how to set up a separate server to generate SSL certs with Let's Encrypt and deploy the generated certs on the production server. Below I describe the steps, with some do's and don'ts.

My setup was:

OS: CentOS 6.4
Webserver: Apache (on the production server)

I started by setting up and installing letsencrypt on the certificate server.

Step 1: Install dependent libs:

# Install the EPEL repository
$yum install epel-release

# Install the IUS repository matching your release (install only one of the two).
# rpm only warns (NOKEY) if the IUS signing key is not imported yet, so import
# the key first if you want the package signature actually verified.

# CentOS 6
$rpm -ivh https://rhel6.iuscommunity.org/ius-release.rpm

# CentOS 7
$rpm -ivh https://rhel7.iuscommunity.org/ius-release.rpm

# Install Python 2.7 and Git from IUS
$yum --enablerepo=ius install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv -y

Step 2: Setup letsencrypt

# Clone the GitHub repository of Let's Encrypt
$cd /root/
$git clone https://github.com/letsencrypt/letsencrypt

# cd to the letsencrypt directory
$cd letsencrypt

# Run the auto installer. This installs the OS packages and Python dependencies
# letsencrypt needs (the Python side goes into its own virtualenv, so the system
# Python is left alone) and then hands any arguments on to the letsencrypt client.
$./letsencrypt-auto

At this stage your certificate server is ready to generate SSL certificates with letsencrypt.

Step 3: Generate certificate for the target domain

Now it's time to run letsencrypt and generate the SSL cert for the target domain. I was running Redmine, a Rails-based application, on my production server. My domain was proportal.insafehands.co.in; replace it with the domain of your choice.

Note: disable the HTTPS redirection on your production server (if enabled) for this domain. The validation request arrives over plain HTTP on port 80, and it goes to whatever host the domain's DNS points at, which is the production server and not the certificate server. That is where the challenge file has to be served from.

Now run the command:

# Generate certificate for proportal.insafehands.co.in
# -a manual: you place the validation file on the production server yourself; -v: verbose
$./letsencrypt-auto certonly -d proportal.insafehands.co.in -v -a manual

The command will pause partway and ask you to publish a challenge file at a specific URL on the production server for validation. It looks something like this:

-------------------------------------------------------------------------------
Make sure your web server displays the following content at
http://proportal.insafehands.co.in/.well-known/acme-challenge/2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo before continuing:

2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo.TwYslJwW2xZcs_O8bH2tipRKzF5HsF3ZClnyttMc93s

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" 2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo.TwYslJwW2xZcs_O8bH2tipRKzF5HsF3ZClnyttMc93s > .well-known/acme-challenge/2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
-------------------------------------------------------------------------------

Follow the instructions and proceed once the URL is in place. If the URL is set up properly you will see a success message, and the generated certs will be under /etc/letsencrypt/live/proportal.insafehands.co.in/ on the certificate server.
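The prompt above names a token and a key authorization, and getting that file slightly wrong (a trailing newline from echo, a 404 because the app framework owns the path, or an http-to-https redirect still in place) is the usual reason validation fails. The script below is an added example, not code from the original post or from letsencrypt: it parses the prompt, writes the challenge file under a webroot you pass in, and fetches it back the way the validator will. The webroot /var/www/html, the script name and the base-URL argument are assumptions; sample_prompt is the prompt from this post, trimmed, used as constructed test input.

```shell
#!/bin/sh
# Added example (not from the original post): publish the HTTP-01 challenge that
# "letsencrypt-auto certonly -a manual" asks for and check it before continuing.
# Assumption (hypothetical): Apache on the production server serves static files
# from the DocumentRoot you pass as WEBROOT, e.g. /var/www/html.
set -u

# parse_challenge: read the letsencrypt prompt from stdin, print "TOKEN KEYAUTH".
# The URL's last path element is the token; the key authorization is the line
# that starts with "TOKEN." (token, a dot, then the account key thumbprint).
parse_challenge() {
    awk '
        !tok { for (i = 1; i <= NF; i++)
                   if ($i ~ /\/\.well-known\/acme-challenge\//) { n = split($i, p, "/"); tok = p[n] }
               next }
        index($0, tok ".") == 1 { print tok, $0; exit }
    '
}

# place_challenge WEBROOT TOKEN KEYAUTH: write the file exactly as the validator expects.
place_challenge() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # printf, not echo: the validator compares bytes, and a trailing newline is a mismatch.
    printf '%s' "$3" > "$dir/$2" && chmod 0644 "$dir/$2"
}

# verify_challenge_file WEBROOT TOKEN KEYAUTH: byte-for-byte check of what was written.
# The "x" suffix stops $(...) from silently dropping a trailing newline.
verify_challenge_file() {
    f="$1/.well-known/acme-challenge/$2"
    [ -f "$f" ] || return 1
    [ "$(cat "$f"; printf x)" = "${3}x" ]
}

# check_challenge_http URL KEYAUTH: fetch the URL the way the validator will.
# No -L on purpose: a 301 to https (the redirect the post says to disable) fails
# here instead of at Let's Encrypt.
check_challenge_http() {
    got=$(curl -fsS --max-time 10 "$1" && printf x) \
        || { echo "check_challenge_http: fetch failed (redirect, 404 or unreachable): $1" >&2; return 1; }
    [ "$got" = "${2}x" ]
}

# sample_prompt: the prompt shown earlier in this post, trimmed, as constructed test input.
sample_prompt() {
    cat <<'EOF'
Make sure your web server displays the following content at
http://proportal.insafehands.co.in/.well-known/acme-challenge/2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo before continuing:

2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo.TwYslJwW2xZcs_O8bH2tipRKzF5HsF3ZClnyttMc93s

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" 2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo.TwYslJwW2xZcs_O8bH2tipRKzF5HsF3ZClnyttMc93s > .well-known/acme-challenge/2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo
EOF
}

# Usage on the production server, pasting the prompt on stdin (script name assumed):
#   sh place_challenge.sh /var/www/html http://proportal.insafehands.co.in < prompt.txt
if [ $# -eq 2 ]; then
    webroot=$1; base=$2
    set -- $(parse_challenge)
    [ $# -eq 2 ] || { echo "could not find token/key authorization in prompt" >&2; exit 1; }
    place_challenge "$webroot" "$1" "$2" || exit 1
    verify_challenge_file "$webroot" "$1" "$2" || exit 1
    check_challenge_http "$base/.well-known/acme-challenge/$1" "$2"
fi
```

If the Rails app (Redmine under Passenger or a proxied app server) owns the whole document root, Apache may hand /.well-known/acme-challenge/ to the application instead of serving the file; an Alias for that path to a plain directory fixes it. That is an assumption about your setup, and check_challenge_http will tell you either way before you let letsencrypt continue.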

Step 4: Deploying the certs on the production server.

Two files are what you mainly need on the production server: the certificate (cert.pem) and the private key (privkey.pem). Apache will also want the intermediate chain (chain.pem). To simplify, I copied all the generated files over.

# Copy files to the production server.
# live/ holds symlinks into archive/; scp -r copies the files they point to, which is what you want.
# privkey.pem is the private key: move it only over ssh/scp, and keep it root-owned and mode 0600 on the target.
$scp -r /etc/letsencrypt/live/proportal.insafehands.co.in user@proportal.insafehands.co.in:/etc/letsencrypt/certs/

Note that if /etc/letsencrypt/certs/ already exists on the production server, scp -r places the files in /etc/letsencrypt/certs/proportal.insafehands.co.in/ rather than directly in certs/. Check where they landed and use those paths in the Apache config.

Step 5: Configure the production server

We need to tell Apache where the newly copied SSL certs are. In my case the Apache SSL conf file was located at /etc/httpd/conf.d/ssl.conf; edit the respective file for your Apache version. We need to change the two directives below (using the paths where scp actually put the files), run apachectl configtest, and then restart Apache. Apache 2.2, as shipped with CentOS 6, does not read the intermediate certificate out of cert.pem, so also point SSLCertificateChainFile at the copied chain.pem; otherwise clients that do not already have the Let's Encrypt intermediate will see an incomplete chain. On Apache 2.4.8 or later you can instead point SSLCertificateFile at fullchain.pem.

SSLCertificateFile /etc/letsencrypt/certs/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
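Before the restart it is worth checking that the copied certificate and key actually belong together, that the certificate covers the domain, that it is not about to expire, and that Apache still parses its config; a mismatched pair or a bad directive takes the site down at restart. The script below is an added example covering Steps 4 and 5, not code from the original post or from letsencrypt: it runs those checks with openssl, installs the files with the private key readable only by root, and reloads Apache only after apachectl configtest succeeds. The staging directory /etc/letsencrypt/incoming/<domain>, the per-domain target directory and the script name are assumptions; make_selfsigned exists only to exercise the checks offline with a throwaway certificate.

```shell
#!/bin/sh
# Added example (not from the original post): check a Let's Encrypt certificate
# directory before it goes into Apache, install it with tight permissions and
# reload Apache only if the config still parses.
# Assumptions (hypothetical): files arrive via scp in a staging directory such as
# /etc/letsencrypt/incoming/<domain> and are installed under
# /etc/letsencrypt/certs/<domain>; Apache is httpd with apachectl available.
set -u

# cert_matches_key CERT KEY: succeed only if CERT was issued for the public key in KEY.
# Comparing the two public keys in PEM form works for RSA and EC keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_name CERT NAME: succeed if NAME appears in the certificate's
# subjectAltName (Let's Encrypt puts every requested name there).
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

# cert_valid_for_days CERT DAYS: succeed if the certificate is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# deploy_cert SRC DST NAME: validate SRC (a live/-style directory) and install it into DST.
deploy_cert() {
    src=$1; dst=$2; name=$3
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        [ -r "$src/$f" ] || { echo "deploy_cert: missing $src/$f" >&2; return 1; }
    done
    cert_matches_key "$src/cert.pem" "$src/privkey.pem" \
        || { echo "deploy_cert: cert.pem and privkey.pem do not match" >&2; return 1; }
    cert_covers_name "$src/cert.pem" "$name" \
        || { echo "deploy_cert: cert.pem does not cover $name" >&2; return 1; }
    cert_valid_for_days "$src/cert.pem" 7 \
        || { echo "deploy_cert: cert.pem expires within 7 days (or already has)" >&2; return 1; }
    mkdir -p "$dst" && chmod 0755 "$dst" || return 1
    # cp follows the live/ -> archive/ symlinks, so real files land in DST.
    for f in cert.pem chain.pem fullchain.pem; do
        cp "$src/$f" "$dst/$f" && chmod 0644 "$dst/$f" || return 1
    done
    # The private key is the one file that must never be world-readable.
    cp "$src/privkey.pem" "$dst/privkey.pem" && chmod 0600 "$dst/privkey.pem" || return 1
}

# reload_apache: refuse to touch a running server if the config is broken;
# graceful finishes in-flight requests instead of dropping them.
reload_apache() {
    apachectl configtest && apachectl graceful
}

# make_selfsigned DIR NAME: a throwaway self-signed pair laid out like live/, only so
# the checks above can be exercised offline. Never deploy its output.
make_selfsigned() {
    dir=$1; name=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $name
[ext]
subjectAltName = DNS:$name
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$dir/san.cnf" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # Self-signed: the certificate is its own chain.
    cp "$dir/cert.pem" "$dir/chain.pem" && cp "$dir/cert.pem" "$dir/fullchain.pem"
}

# Usage on the production server after the scp in Step 4 (script name assumed):
#   sh deploy_cert.sh /etc/letsencrypt/incoming/proportal.insafehands.co.in \
#       /etc/letsencrypt/certs/proportal.insafehands.co.in proportal.insafehands.co.in
if [ $# -eq 3 ]; then
    deploy_cert "$1" "$2" "$3" && reload_apache
fi
```

The 7-day expiry margin is a choice for this example: a certificate that close to expiry should be renewed rather than deployed. Point SSLCertificateFile, SSLCertificateKeyFile and (on Apache 2.2) SSLCertificateChainFile at the files under the DST directory you pass in.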

Refresh your browser and enjoy the green bar. Let's Encrypt certificates are valid for 90 days, so you will want to renew and redeploy the cert on a regular basis. Stay tuned for my next article on this.

