Posted 05 December, 2015
Note : There are alternative ways of getting Let's Encrypt to work in non-default environments; one is described in my new article : Let’s Encrypt on … any Linux distro
Let’s Encrypt the web: an easy, automated and free method to get https for your website. I already explained how you could install letsencrypt on CentOS 6.7, but things on the interwebz go fast. So fast, in fact, that that tutorial is already deprecated. Since *beta* support has been added for Python 2.6, CentOS 6.X should now work out of the box. Spoiler : it doesn’t yet (hence the beta label by Let's Encrypt). This guide should help you get https in environments that are not yet fully supported (such as CentOS 6). As you might have noticed, svennd.be is now also running on https! (Not because it's really necessary, but it is cool, isn’t it ? :P)
My start point
Let’s Encrypt the web, this is where my https story began!
Getting the certificate
The first part is easy; the docs help out a lot, and we all read them right after the terms of service. Right guys/gals ?
# copy the software
cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Now the next part would be to start the tool and let it help you from there. The problem is that this requires binding to port 80, which is obviously already in use by Apache (httpd). So that won’t work; also, if you run this with Python 2.6 (CentOS 6.X) you will get a warning and it won’t do anything unless you tell it to go into --debug mode.
There is however an alternative plugin included, which uses the webroot of the domain (in Apache words : DocumentRoot). Now, Let’s Encrypt does not give out wildcard certificates, which means that you do not get *.svennd.be validated; instead you can get www.svennd.be, svennd.be, alfa.svennd.be, beta.svennd.be, … Just remember that you have to request all of those at the same time when you request the certificate; if you repeat the process, they won’t work. Since we aim to automate, I like to use as few command line arguments as possible, so I made a config file.
create /etc/letsencrypt/cli.ini
# the default is 2048 (more is better)
rsa-key-size = 4096
# plugin
authenticator = webroot
# webroot
webroot-path = /var/www/svennd/
# domains
domains = svennd.be,www.svennd.be
# flags
# renew is good for automation
renew-by-default
Note : change the domain names to your domain name(s).
Now we can run the tool :
/opt/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini --debug certonly
Since I am on an unsupported system I need the --debug flag. If everything goes as planned you should be congratulated as follows :
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.svennd.be/fullchain.pem. Your cert will expire on
2016-03-04. To obtain a new version of the certificate in the future, simply
run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
Possible errors
Since it already took me some time to get here, know that these errors are also rather common:
error:connection
The following 'urn:acme:error:connection' errors were reported by the server:
This means the validation server has no access to your server at all; the best starting point is to check your firewall or connection settings. The server should be publicly accessible during the webroot challenge.
error:unauthorized
FailedChallenges: Failed authorization procedure. cert.svennd.be (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cert.svennd.be/.well-known/acme-challenge/SOME_HASH [128.199.41.151]: 404
I banged my head on this one. I received this error when I moved my website and configuration from http to https, which made the location unreachable. But you would also receive it if your webroot differs from the usual one and you just copy-pasted the config. The webroot is the directory users get their “index.php/html/asp/…” page from. For a lot of users that's somewhere like /var/www/public_html/my_domain/. If you are not sure, it's the DocumentRoot in your Apache configuration. Another way to find out is to create a file “test.html” and go to your website : domain.ext/test.html; a 404 means it's not in the right directory (you expect an empty white page). Be sure that yourdomain.ext/.well-known/* is accessible ! Thx to Luis for pointing this out.
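Added example, not code from the original post: a small POSIX sh pre-flight for the webroot challenge described above. It reads the post's cli.ini format (the helper names ini_value, prepare_challenge_dir and challenge_urls are mine), creates .well-known/acme-challenge/ under webroot-path with a probe file, and prints the plain-http URL each listed domain must serve, so a wrong webroot or a redirect shows up as a 404 before the ACME server ever asks.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight for the webroot
# challenge. Reads /etc/letsencrypt/cli.ini style files: "key = value" lines,
# bare flags such as renew-by-default, and # comments.
# Helper names are my own, not letsencrypt's.

# ini_value FILE KEY -> prints the value of the first "KEY = value" line
ini_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# prepare_challenge_dir INI -> creates <webroot>/.well-known/acme-challenge,
# writes a probe file there and prints its path. Fails if webroot-path is
# missing from the ini or does not exist on disk (the copy-paste mistake above).
# On a real host, chown the new directory to the httpd user afterwards.
prepare_challenge_dir() {
  webroot=$(ini_value "$1" webroot-path)
  [ -n "$webroot" ] || { echo "webroot-path missing in $1" >&2; return 1; }
  [ -d "$webroot" ] || { echo "webroot $webroot does not exist" >&2; return 1; }
  dir="${webroot%/}/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  echo "letsencrypt-webroot-probe" > "$dir/probe.txt" || return 1
  echo "$dir/probe.txt"
}

# challenge_urls INI -> one line per domain: the probe URL that must answer
# over plain http (port 80, not redirected to https, not blocked by firewall).
challenge_urls() {
  domains=$(ini_value "$1" domains)
  [ -n "$domains" ] || { echo "domains missing in $1" >&2; return 1; }
  echo "$domains" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
    while read -r d; do
      if [ -n "$d" ]; then
        echo "http://$d/.well-known/acme-challenge/probe.txt"
      fi
    done
}

# Usage: prepare_challenge_dir /etc/letsencrypt/cli.ini &&
#        challenge_urls /etc/letsencrypt/cli.ini   # then fetch each URL
```

Fetch each printed URL from outside your network (curl -I is enough); anything other than a 200 with the probe text is the same failure the ACME server will report.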
error:rateLimited
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: svennd.be
This happens when you have played too much with them 😀 The solution is simple and hard: it's called waiting it out. As long as the beta lasts they will rate limit rather strongly; I believe not too many people will see this after the initial beta period.
error code 1 in cryptography
Command "/root/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-cAuqmP/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-rhCaoe-record/install-record.txt --single-version-externally-managed --compile --install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography" failed with error code 1 in /tmp/pip-build-cAuqmP/cryptography
This happened due to limited resources during cryptokey generation. The solution was to free up more memory, although one should never go straight to a production server without testing SSL first. Stopping the memory hog would help.
Errno 22
OSError: [Errno 22] Invalid argument: ‘/etc/letsencrypt/live/cert.pem’ letsencrypt
It only happened during a server move, see the post.
Activate the SSL in Apache
Now I assume you somehow got to the point where you got congratulated and created the certificate. This means you have four new files in /etc/letsencrypt/live/www.svennd.be/ : cert.pem, chain.pem, fullchain.pem and privkey.pem.
I have Apache 2.2.15 (yum info httpd) and by default it won’t listen on port 443. So we need to add this :
In /etc/httpd/conf/httpd.conf
find Listen 80
and add
Listen 443
After that you can adapt your virtual host website configuration; I work with VirtualHost *:80. My config looked like this :
<VirtualHost *:80>
    # server setup
    ServerName svennd.be
    ServerAlias www.svennd.be
    ServerAdmin [email protected]
    DocumentRoot /var/www/svennd
    <Directory "/var/www/svennd">
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
I wanted to have both http and https running, and only after that works (you want to check that everything works over https first!) permanently redirect all traffic to https. To do that, pretty much copy the VirtualHost *:80 block to a VirtualHost *:443 block. (Full example, change to your domain!)
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:443>
    # server setup
    ServerName svennd.be
    ServerAlias www.svennd.be
    ServerAdmin [email protected]
    DocumentRoot /var/www/svennd

    # ssl setup
    SSLEngine ON
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLCertificateFile /etc/letsencrypt/live/www.svennd.be/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.svennd.be/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.svennd.be/chain.pem

    <Directory "/var/www/svennd">
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    # server setup
    ServerName svennd.be
    ServerAlias www.svennd.be
    DocumentRoot /var/www/svennd
    <Directory "/var/www/svennd">
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
I also added that httpd has to load the ssl module; on a default installation, however, the ssl module is not installed! Fix that with : yum install mod_ssl . After that, remove /etc/httpd/conf.d/ssl.conf or comment it out.
Before restarting your httpd service, test if the config is right : service httpd configtest
You expect : Syntax OK. If that is the case, restart your webserver :
service httpd restart
Now both http and https should be available. If not, first check whether your firewall allows connections on port 443. For me it did not; I filter on INPUT rules, so I only had to add it there :
# add it
iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# save it
service iptables save
Then my WordPress served both https and http. The next part is probably only for WP owners, so you can skip it.
Getting WordPress to play nice with Let's Encrypt ssl
Adapting WordPress itself is rather easy: in wp-admin -> Settings -> General, change both the WP address and the site address to https://domain.ext. After that, I noticed most of my images were broken because they were embedded with http:// (note : you would get a mixed-content error; I had already adapted my .htaccess). You could change that using a MySQL query (source):
UPDATE wp_posts
SET post_content = REPLACE(post_content, 'src="http://', 'src="//')
WHERE INSTR(post_content, 'jpeg') > 0
   OR INSTR(post_content, 'jpg') > 0
   OR INSTR(post_content, 'gif') > 0
   OR INSTR(post_content, 'png') > 0;
That’s all !
All http requests redirected to https, except .well-known, for renewal
I had to allow .well-known to be served over http, otherwise we can’t renew the certificate. This is my .htaccess (from WP); this is a useful tool for testing .htaccess files.
<IfModule mod_rewrite.c>
RewriteEngine On

# HTTP REDIRECT
# it's a http page request
RewriteCond %{HTTPS} off
# it's not .well-known
RewriteCond %{REQUEST_URI} !\.well-known
# perm redirect to https version
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# WORDPRESS REDIRECT
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
Note : change R to R=301 once you have tested this configuration (that makes the redirect permanent).
Now add a cron job; I added this as /etc/cron.weekly/certificate
#!/bin/sh
/opt/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini --debug certonly
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t letsencrypt "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
This should renew your SSL certificate every week, which leaves enough time for you to notice if something is not running as expected. If you should miss it, don’t worry: Let’s Encrypt has your email address for just that case. You get a nice e-mail warning you :
Hello,

Your certificate (or certificates) for the names listed below will expire in 13 days (on 2016-02-03 12:18:00 +0000 UTC). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

example.ext

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

Regards,
The Let's Encrypt Team
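Added example, not the post's own cron job: the same weekly renewal, extended so that httpd is reloaded when the certificate file on disk actually changed, because Apache keeps serving the old certificate until it is reloaded. The function names are mine; the certificate path, renew command and reload command are passed in as arguments (the values in the usage comment are the ones the post uses).

```shell
#!/bin/sh
# Added example (not the post's script): renew, log failures the way the post
# does, and reload httpd only when the certificate file really changed.
# Helper names are my own.

# cert_fingerprint FILE -> checksum of the file, or "none" if it is absent
cert_fingerprint() {
  if [ -f "$1" ]; then cksum < "$1" | cut -d ' ' -f 1; else echo none; fi
}

# renew_and_reload CERT RENEW_CMD RELOAD_CMD
#   Runs RENEW_CMD. On failure: logs like the post and returns its status.
#   On success: prints "renewed" and runs RELOAD_CMD if CERT changed,
#   otherwise prints "unchanged" and leaves httpd alone.
renew_and_reload() {
  cert="$1"; renew="$2"; reload="$3"
  before=$(cert_fingerprint "$cert")
  sh -c "$renew" && status=0 || status=$?
  if [ "$status" -ne 0 ]; then
    logger -t letsencrypt "ALERT exited abnormally with [$status]" 2>/dev/null || true
    return "$status"
  fi
  after=$(cert_fingerprint "$cert")
  if [ "$before" != "$after" ]; then
    sh -c "$reload" || return 1
    echo renewed
  else
    echo unchanged
  fi
}

# Usage as /etc/cron.weekly/certificate (paths from the post):
# renew_and_reload /etc/letsencrypt/live/www.svennd.be/cert.pem \
#   "/opt/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/cli.ini --debug certonly" \
#   "service httpd reload"
```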
After you have moved over, dump your URL into ssllabs to see your SSL rating; some tweaks might be needed to get you to A+, but I believe it's definitely worth it! (svennd.be is now A+)
Encrypted a tiny part of the web !
Green lock! Already feel a lot safer!
This seems like something to print out and put in a frame!
Hello,
I’m struggling with this error: urn:acme:error:unauthorized :: The client lacks sufficient authorization
What can I do to fix it? Thanks
Hey Luis, You need to check the lines above and below (feel free to add them here). As I understand it, it means letsencrypt cannot get to your server/location to check if the file/hash is there. So generally it cannot prove you are the owner of the domain and therefore will fail. (firewall ?)
Thanks for answering,
Here’s a print: http://postimg.org/image/ggdv1hvhj/
I believe it’s related to python version…
Hey Luis, No, the version just generates those deprecated bugs; it should work. Could you try and create a file in .well-known/acme-challenge/ and see if you can get to it from your browser ? Also check the permissions, I ran everything as root, but to access it, you need to chown the directories to www-data or apache.
I created a .txt inside /domain.com/.well-known/acme-challenge/ but I can’t seem to reach it from the browser. I did chown the directories to apache too…
… For some weird reason, the configuration file didn’t have the right website root, hence .well-known not being created inside /public_html/. It worked just fine now. I’m not very experienced with this stuff yet. Feel free to delete the comments below. Thanks for your help.
Hey Luis, good to hear it worked out for you. I don’t have much experience either, that's why I share it! I slightly adapted my post to be more clear; in fact I have a non-default location for my webroot. (/var/www/svennd/, on most hosts it would indeed be /var/www/public_html/svennd/)
I have been studying the other **undefined symbol** issues and I can not find anyone with my exact issue. I am on **CentOS6.7**. What is driving me crazy is I have Letsencrypt working on a different CentOS6.7 installation so I know it can work.
When I run :
>/Timstmp/Letsencrypt-Source/letsencrypt/letsencrypt-auto --config /Timstmp/Letsencrypt-Source/ssl-certs/cli.ini --debug certonly
I get this error:
>File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in from cryptography.hazmat.bindings._openssl import ffi, lib ImportError: /root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: **EC_GROUP_new_curve_GF2m**
FYI the “cli.ini” file contains these lines:
# the default is 2048 (more is better)
rsa-key-size = 4096
# plugin
authenticator = webroot
# webroot
webroot-path = /home/baystate/public_html
# domains
domains = baystate.academy,www.baystate.academy
# flags
# renew is good for automation
renew-by-default
My first thought was it must be **openssl** but that does not seem to be a problem.
Here are my **openssl version -a** results:
>(letsencrypt)[email protected] [/Timstmp/Letsencrypt-Source2/letsencrypt]# openssl version -a
>OpenSSL 1.0.1e-fips 11 Feb 2013
>built on: Thu Jan 7 19:19:21 UTC 2016
>platform: linux-x86_64
>options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
>compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
>OPENSSLDIR: "/etc/pki/tls"
>engines: dynamic
>(letsencrypt)[email protected] [/Timstmp/Letsencrypt-Source2/letsencrypt]#
Please let me know if you have seen this and if you have any suggestions?
Hey Tim,
I have never seen this error before, I would think some dependency is missing … maybe try :
yum install patch gcc-c++ make bzip2 autoconf automake libtool bison iconv-devel readline readline-devel zlib zlib-devel libyaml-devel libffi-devel openssl-devel
Also is the server up-to-date, with update ? (yum update)
btw my server has the same openssl version
Thanks Svennd,
Tried the shotgun update with no success. Here is the result of your yum call:
[email protected] [/Timstmp/Letsencrypt-Source]# yum install patch gcc-c++ make bzip2 autoconf automake libtool bison iconv-devel readline readline-devel zlib zlib-devel libyaml-devel libffi-devel openssl-devel
Loaded plugins: fastestmirror, security, tsflags, universal-hooks
Setting up Install Process
Loading mirror speeds from cached hostfile
epel/metalink | 13 kB 00:00
* EA4: 216.38.56.98
* epel: mirror.cogentco.com
* ius: iad.mirror.rackspace.com
* remi-safe: mirrors.mediatemple.net
* rpmforge: mirror.rit.edu
EA4 | 2.9 kB 00:00 …
base | 3.7 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 5.7 MB 00:00
extras | 2.9 kB 00:00
graphviz-stable | 951 B 00:00
ius | 2.2 kB 00:00
ius/primary_db | 178 kB 00:00
justhub | 2.9 kB 00:00
remi-safe | 2.9 kB 00:00
remi-safe/primary_db | 232 kB 00:00
rpmforge | 1.9 kB 00:00
scl | 2.9 kB 00:00
updates | 3.4 kB 00:00
Package patch-2.6-6.el6.x86_64 already installed and latest version
Package gcc-c++-4.4.7-16.el6.x86_64 already installed and latest version
Package 1:make-3.81-20.el6.x86_64 already installed and latest version
Package bzip2-1.0.5-7.el6_0.x86_64 already installed and latest version
Package autoconf-2.63-5.1.el6.noarch already installed and latest version
Package automake-1.11.1-4.el6.noarch already installed and latest version
Package libtool-2.2.6-15.5.el6.x86_64 already installed and latest version
Package bison-2.4.1-5.el6.x86_64 already installed and latest version
No package iconv-devel available.
Package readline-6.0-4.el6.x86_64 already installed and latest version
Package readline-devel-6.0-4.el6.x86_64 already installed and latest version
Package zlib-1.2.3-29.el6.x86_64 already installed and latest version
Package zlib-devel-1.2.3-29.el6.x86_64 already installed and latest version
Package libyaml-devel-0.1.4-1.el6.rf.x86_64 already installed and latest version
Package libffi-devel-3.0.5-3.2.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.1e-42.el6_7.2.x86_64 already installed and latest version
Nothing to do
[email protected] [/Timstmp/Letsencrypt-Source]#
Thanks for this blog post it helped me get this working on another machine with CentOS 6.7 and Thanks for getting back to me so fast. I might just upgrade this box to CentOS7 and call it solved 😉
Hey Tim,
I didn’t expect much luck either; I haven’t seen it before. If it's an option, a reinstall would probably solve it … (though that's not the Linux way, anything for uptime right 😛 !)
Welcome to the lets encrypt club !
Svenn
Hi, svennd.
I’m running an Azure Linux VM with CentOS 6.
After a few hours of research, I found your posts about what I’ve been looking for.
It helps me and saves time 🙂
I successfully set up ssl on my site. I'd love to leave a line to thank you.
Thank you svennd.
Happy it helped !
Hi Sven,
Worked out of the box for me. Thanks for sharing.
Good to hear ! Congratulations! Welcome to the encrypted part of the web 😉