{"id":519,"date":"2017-03-10T10:05:44","date_gmt":"2017-03-10T09:05:44","guid":{"rendered":"http:\/\/btrnaidu.com\/?p=519"},"modified":"2017-04-19T16:18:36","modified_gmt":"2017-04-19T14:18:36","slug":"letsencrypt-generating-certificate-and-deploy-on-production-server","status":"publish","type":"post","link":"https:\/\/btrnaidu.com\/index.php\/letsencrypt-generating-certificate-and-deploy-on-production-server\/","title":{"rendered":"Letsencrypt – Generating certificate and deploy on production server"},"content":{"rendered":"

I had a situation where I do not wanted to install all the libs required by LetsEncrypt<\/a> on a production server. \u00a0For the mere fear of breaking the running apps.<\/p>\n

I went on exploring how to\u00a0setup a server to generate SSL certs with letsencrypt and deploy\u00a0the generated certs on the production server. \u00a0Below I describe the steps with some do’s and don’t.<\/p>\n

My setup was:<\/p>\n

OS: CentOS 6.4
\nWebserver: Apache (on the production server)<\/p>\n

I started with setting up and installing letsencrypt on the certificate server.<\/p>\n

Step 1:<\/strong> Install dependent libs:<\/p>\n

# Install Epel Repository<\/span>\r\n$yum install epel-release<\/span>\r\n\r\n# Install IUS Repository for CentOS 6<\/span>\r\n$rpm -ivh https:\/\/rhel6.iuscommunity.org\/ius-release.rpm\r\n\r\n<\/span><\/pre>\n
# Install IUS Repository for CentOS 7<\/span>\r\n$rpm -ivh https:\/\/rhel7.iuscommunity.org\/ius-release.rpm<\/span><\/pre>\n
# Install Python 2.7 and Git<\/span> $yum --enablerepo=ius install git python27 python27-devel python27-pip python27-setuptools python27-virtualenv -y<\/span><\/pre>\n
Step 2:<\/strong> Setup letsencrypt<\/p>\n
# Clone the github repository of Let's encrypt<\/span>\r\n$cd \/root\/<\/span>\r\n $git clone https:\/\/github.com\/letsencrypt\/letsencrypt<\/span>\r\n\r\n# cd to the letsencrypt directory<\/span>\r\n$cd letsencrypt<\/span>\r\n\r\n# Run the auto installer. \u00a0This will install all the dependent packages needed by letsencrypt<\/span>\r\n$.\/letsencrypt-auto<\/span><\/pre>\n
At this stage your certificate\u00a0server \/ machine is ready to generate SSL Certificates using letsencrypt.<\/p>\n
Step 3:<\/strong> Generate certificate for the target domain<\/p>\n
N<\/strong><\/span>ote: please disable the https redirection on your production server (if enabled) for this domain.<\/p>\n
Now run the command:<\/p>\n
# Generate certificate for proportal.insafehands.co.in\u00a0<\/span>\r\n$.\/letsencrypt-auto certonly -d proportal.insafehands.co.in -v -a manual<\/span><\/pre>\n
The command will pause half way and ask you to create a digest url on the production server for validation purpose. \u00a0Something like below:<\/p>\n
-------------------------------------------------------------------------------<\/span>\r\nMake sure your web server displays the following content at<\/span>\r\nhttp:\/\/proportal.insafehands.co.in\/.well-known\/acme-challenge\/2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo before continuing:<\/span>\r\n\r\n2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo.TwYslJwW2xZcs_O8bH2tipRKzF5HsF3ZClnyttMc93s<\/span>\r\n\r\nIf you don't have HTTP server configured, you can run the following<\/span>\r\ncommand on the target server (as root):<\/span>\r\n\r\nmkdir -p \/tmp\/certbot\/public_html\/.well-known\/acme-challenge<\/span>\r\ncd \/tmp\/certbot\/public_html<\/span>\r\nprintf \"%s\" 2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo.TwYslJwW2xZcs_O8bH2tipRKzF5HsF3ZClnyttMc93s > .well-known\/acme-challenge\/2yIEPwlduD3W98Vj4TdNC6n4ReJF0HLUaeYBpO7wbXo<\/span>\r\n# run only once per server:<\/span>\r\n$(command -v python2 || command -v python2.7 || command -v python2.6) -c \\<\/span>\r\n\"import BaseHTTPServer, SimpleHTTPServer; \\<\/span>\r\ns = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \\<\/span>\r\ns.serve_forever()\"<\/span>\r\n-------------------------------------------------------------------------------<\/span><\/pre>\n
Follow the instruction and proceed after you have created the url. \u00a0If the url is setup properly then you will see a success message with generated ssl certs.<\/p>\n
Step 4:<\/strong> Deploying the certs on the production server.<\/p>\n
Two files mainly the cert and the key what you need on your production server. \u00a0To simplify, I copied all the generated files over.<\/p>\n
# Copy files to the production server<\/span>\r\n$scp -r \/etc\/letsencrypt\/live\/proportal.insafehands.co.in user@proportal.insafehands.co.in:\/etc\/letsencrypt\/certs\/<\/span><\/pre>\n
Setp 5:<\/strong> Configure the production server<\/p>\n
We need to tell Apache where the newly created SSL certs are. \u00a0In my case the Apache ssl conf file was located at\u00a0\/etc\/httpd\/conf.d\/ssl.conf. \u00a0Edit the respective file for your Apache version. \u00a0We need to change below two fields in the conf file and restart Apache.<\/p>\n
SSLCertificateFile \/etc\/letsencrypt\/certs\/cert.pem <\/span>\r\nSSLCertificateKeyFile \/etc\/letsencrypt\/certs\/privkey.pem<\/span><\/pre>\n
Refresh your browser and enjoy the green\u00a0bar. \u00a0You can further optimize this to renew and redeploy the cert on regular basis. \u00a0Stay tuned for my next article on this.<\/p>\n
[tweetthis]Letsencrypt – Generating SSL certificate and deploying on the production server[\/tweetthis]<\/p>\n","protected":false},"excerpt":{"rendered":"
I had a situation where I do not wanted to install all the libs required by LetsEncrypt on a production server. \u00a0For the mere fear of breaking the running apps. I went on exploring how to\u00a0setup a server to generate SSL certs with letsencrypt and deploy\u00a0the generated certs on the production server. \u00a0Below I describe … Continue reading Letsencrypt – Generating certificate and deploy on production server<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156,140,125],"tags":[163,164,166,165,141],"class_list":["post-519","post","type-post","status-publish","format-standard","hentry","category-centos","category-letsencrypt","category-linux","tag-apache","tag-centos","tag-certificate","tag-ssl","tag-letsencrypt"],"_links":{"self":[{"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/posts\/519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/comments?post=519"}],"version-history":[{"count":13,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/posts\/519\/revisions"}],"predecessor-version":[{"id":539,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/posts\/519\/revisions\/539"}],"wp:attachment":[{"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/media?parent=519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/categories?post=519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/btrnaidu.com\/index.php\/wp-json\/wp\/v2\/tags?post=519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Now its time to execute letsencrypt and generate ssl cert for the target domain. \u00a0I was running redmine<\/a>\u00a0on my production server which is a\u00a0Rails based application. \u00a0My domain was proportal.insafehands.co.in<\/span>. \u00a0Please replace this with the domain of your choice.<\/p>\n