Set Up Let's Encrypt Certs with Nginx Server Using CertBot - NETSEC

Tuesday, May 12, 2020


The Certbot website explains all of the steps very well for most Linux distributions and situations; you won't go wrong as long as you read the steps carefully: https://certbot.eff.org/
This post records those steps as applied to my Nginx web server running on CentOS 7, for my own notes:




Visit Certbot to get instructions

Instructions for installing and running Certbot

  1. SSH into the server
    SSH into the server running your HTTP website as a user with sudo privileges.
  2. Enable EPEL repo
    You'll need to enable the EPEL (Extra Packages for Enterprise Linux) repository.
    Follow these instructions at the Fedora wiki to enable EPEL.
  3. Enable the optional channel
    If you're using RHEL or Oracle Linux, you'll also need to enable the optional channel. On EC2, RHEL users can enable the optional channel by running the following command, substituting your EC2 region for REGION in the command:
    1. yum -y install yum-utils
    2. yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
  4. Install Certbot
    Run this command on the command line on the machine to install Certbot.
    sudo yum install certbot python2-certbot-nginx
  5. Choose how you'd like to run Certbot
    • Either get and install your certificates...
      Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
      sudo certbot --nginx
    • Or, just get a certificate
      If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.
      sudo certbot certonly --nginx
  6. Set up automatic renewal
    We recommend running the following line, which will add a cron job to the default crontab.
    echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
  7. Confirm that Certbot worked
    To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.
Before running Certbot to apply the certificate:
After applying the Certbot changes:


Notes: installing Certbot on an Ubuntu system

Unfortunately the install instructions from Certbot did not work for my Nginx Docker container, but I could get Certbot installed by running the following two commands:

  • apt install certbot
  • apt install python-certbot-nginx
Depending on your Linux version, you might get the error: Unable to locate package python-certbot-nginx

root@80b7227d4eed:/etc/nginx/conf.d# apt install python-certbot-nginx
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package python-certbot-nginx
root@80b7227d4eed:/etc/nginx/conf.d# 
In this case, install the python3 package instead:
apt install python3-certbot-nginx

python3-certbot-nginx is the right Nginx plug-in for this situation. After this plugin is installed, you can start configuring HTTPS for your site.

Output of running Certbot:

[root@centos7-docker-portainer docker2.51sec.org]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: docker2.51sec.org
2: docker2.itprosec.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for docker2.itprosec.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/docker2.itprosec.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://docker2.itprosec.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=docker2.itprosec.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/docker2.itprosec.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/docker2.itprosec.com/privkey.pem
   Your cert will expire on 2020-08-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@centos7-docker-portainer docker2.51sec.org]#








Changes to the web site configuration file

Before Certbot installed the certificate on docker2.51sec.org


[root@centos7-docker-portainer conf.d]# cat docker2.51sec.org.conf
server {
    listen 80;
    server_name  docker2.51sec.org;

    location / {
        proxy_pass       http://127.0.0.1:9000;
        proxy_redirect             off;
        proxy_http_version         1.1;
        proxy_set_header Upgrade   $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}



After the SSL certificate was installed



[root@centos7-docker-portainer conf.d]# cat docker2.51sec.org.conf
server {
    server_name  docker2.51sec.org;

    location / {
        proxy_pass       http://127.0.0.1:9000;
        proxy_redirect             off;
        proxy_http_version         1.1;
        proxy_set_header Upgrade   $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/docker2.51sec.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docker2.51sec.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = docker2.51sec.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen       80;
    server_name  docker2.51sec.org;
    return 404; # managed by Certbot
}
[root@centos7-docker-portainer conf.d]#




The certificates are located under /etc/letsencrypt/:


[root@centos7-docker-portainer /]# cd /etc/letsencrypt/
[root@centos7-docker-portainer letsencrypt]# ls
accounts  archive  csr  keys  live  options-ssl-nginx.conf  renewal  renewal-hooks  ssl-dhparams.pem
[root@centos7-docker-portainer letsencrypt]# cd archive/
[root@centos7-docker-portainer archive]# ls
docker2.51sec.org
[root@centos7-docker-portainer archive]# cd docker2.51sec.org/
[root@centos7-docker-portainer docker2.51sec.org]# ls
cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem
[root@centos7-docker-portainer docker2.51sec.org]# cd ../../live
[root@centos7-docker-portainer live]# ls
docker2.51sec.org  README
[root@centos7-docker-portainer live]# cd docker2.51sec.org/
[root@centos7-docker-portainer docker2.51sec.org]# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
[root@centos7-docker-portainer docker2.51sec.org]#
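As an added example (not from the original post and not part of Certbot), the following POSIX shell script performs the checks behind step 7 ("Confirm that Certbot worked") against the live/<domain> directory listed above: that privkey.pem matches cert.pem, that fullchain.pem is cert.pem followed by chain.pem, and whether the certificate is already inside the renewal window. It assumes the openssl command-line tool is installed; the 30-day window and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post or from Certbot itself: sanity checks
# for the files Certbot places in /etc/letsencrypt/live/<domain>/
# (cert.pem, chain.pem, fullchain.pem, privkey.pem). Assumes the openssl CLI.
# RENEW_WINDOW_DAYS is an assumption matching certbot renew's default 30-day window.
RENEW_WINDOW_DAYS=30

# Exit 0 if CERT expires within DAYS days (renewal is due), 1 if it is still good
# for longer than that, 2 if the file is not a readable certificate.
cert_expires_within() {
    cert="$1"; days="$2"
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate stays valid beyond the window
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Exit 0 if the public key inside CERT matches private key KEY, 1 otherwise.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check one live/<domain> directory; prints each finding, exit 0 only if all pass.
check_live_dir() {
    dir="$1"; rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    openssl x509 -noout -in "$dir/cert.pem" >/dev/null 2>&1 \
        || { echo "cert.pem is not a valid certificate"; return 1; }
    # fullchain.pem is what nginx serves: it must be cert.pem followed by chain.pem
    if [ "$(cat "$dir/cert.pem" "$dir/chain.pem")" != "$(cat "$dir/fullchain.pem")" ]; then
        echo "fullchain.pem is not cert.pem + chain.pem"; rc=1
    fi
    key_matches_cert "$dir/cert.pem" "$dir/privkey.pem" \
        || { echo "privkey.pem does not match cert.pem"; rc=1; }
    if cert_expires_within "$dir/cert.pem" "$RENEW_WINDOW_DAYS"; then
        echo "renewal due: cert.pem expires within $RENEW_WINDOW_DAYS days"; rc=1
    fi
    return "$rc"
}

# Usage on the server, with the path from the post:
# check_live_dir /etc/letsencrypt/live/docker2.51sec.org
```

A non-zero exit from check_live_dir in a cron job or monitoring check is an early warning that the renewal cron line from step 6 has stopped working.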




