What is Let’s Encrypt:
We need our websites to be secured, and to secure a website we enable HTTPS by getting an SSL certificate from a certificate authority. Let's Encrypt is a certificate authority that offers free SSL certificates, which are as secure as the paid certificates available today.
Benefits:
- Free: It is open source and free of charge for life.
- Automatic: Renewal can be automated through cron jobs. Each certificate is valid for 90 days.
- Simple: It is driven by a very simple script.
- Secure: It is as secure as the paid certificates available today.
Points to be covered:
- Let’s Encrypt with Apache
- Let’s Encrypt with Tomcat
Let’s Encrypt with Apache
Basic requirement:
To issue a certificate through Let's Encrypt you must have control over the domain associated with the server.
We need git installed on the server.
Install git with following command:
yum install git
Installation
- Install Let’s Encrypt Online:
Use the following command
curl https://get.acme.sh |sh
OR
wget -O - https://get.acme.sh |sh
- Install Let's Encrypt from Git
Use the following command
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
Issue a Certificate for Apache/Tomcat
Single Domain
acme.sh --issue -d abc.com -w /home/root/abc.com
Multiple Domains in same cert
acme.sh --issue -d abc.com -d www.abc.com -d cp.abc.com -w /home/root/abc.com
Note:
- The parameter /home/root/abc.com is the web root folder. You must have write access to this folder, because acme.sh places the validation file there for the domain ownership check.
- abc.com is the main domain. You must have at least one domain.
- Bind all the domains to the same web root directory: /home/root/abc.com
- Generated/issued certs will be placed in ~/.acme.sh/abc.com/
Install the issued Certificate on Apache
After issuing the certificate you must install the certificate or copy it to a particular path.
Please note: Do not point Apache at the certificates in the ~/.acme.sh/ folder. Best practice is to copy the certificate files to a separate location and configure that path.
To install the certificate use the following command (the domain, paths and reload command are the same ones used throughout this example):
acme.sh --installcert -d abc.com \
--certpath /path/to/certfile/in/apache/cert.pem \
--keypath /path/to/keyfile/in/apache/key.pem \
--capath /path/to/certfile/in/apache/ca.cer \
--fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service httpd reload"
Open the ssl.conf file and point the SSL directives at the installed files (use absolute paths, and the same file names that --installcert wrote):
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /path/to/certfile/in/apache/cert.pem
SSLCertificateKeyFile /path/to/keyfile/in/apache/key.pem
SSLCertificateChainFile /path/to/fullchain/certfile/apache/fullchain.pem
SSLCACertificateFile /path/to/certfile/in/apache/ca.cer
Reload the Apache server
service httpd reload
Let’s Encrypt with Tomcat
For Tomcat 7 to run on HTTPS we need to provide it with the certificate and the entire certificate chain. The connection is supposed to be private, so we also need the private key corresponding to the certificate in order to decrypt the client-generated random key. The client encrypts this random key with the server's public key (which is part of the certificate), so it can be safely transmitted to your server. What we will do is put the chain certificate and the private key together inside one Java KeyStore (JKS).
There are only two steps required to get our fullchain.pem and privkey.pem inside a JKS.
Enter the following command:
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat
You will be asked to enter a password after the above command. Please remember the password, because it will be needed in the next step.
Now that we have our PKCS12 keystore, we can use Java's keytool to convert it into a JKS. Use the command below:
$ keytool -importkeystore -deststorepass yourJKSpass -destkeypass yourKeyPass -destkeystore KeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass yourPKCS12pass -alias tomcat
Configure Tomcat for HTTPS
Open the server.xml file
vim /etc/tomcat7/server.xml
Find the block starting with <Connector port="8443" and set it as follows:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" URIEncoding="UTF-8" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/KeyStore.jks" keystorePass="yourJKSpass" keyAlias="tomcat" keyPass="yourKeyPass"/>
Restart your Tomcat
service tomcat7 restart
Check your site
You can check your site by hitting
https://yourdomain:443
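A small added check for this last step, written for this page (it is not part of acme.sh or of the original tutorial): it connects to the site with Python's standard library, which validates the chain against the system CA store and checks the hostname, then reports which of the domains from the -d list are missing from the certificate and how many days are left before the 90-day certificate expires. The host names, renewal window and the sample certificate dict are constructed for the example.

```python
import socket
import ssl
import time


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect like a browser: create_default_context() loads the system CA
    store, verifies the chain (a missing intermediate fails here, which is
    what serving fullchain.pem prevents) and checks the hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert):
    """DNS names in the subjectAltName of a getpeercert() dict."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative once the certificate has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC epoch seconds
    return (not_after - (time.time() if now is None else now)) / 86400.0


def check_cert(cert, expected_domains, renew_days=30, now=None):
    """Compare the served certificate with the -d list used at issue time."""
    present = set(san_dns_names(cert))
    days = days_until_expiry(cert, now)
    return {
        "missing_domains": [d for d in expected_domains if d not in present],
        "days_left": days,
        # acme.sh renews 60 days after issue by default, i.e. with ~30 days left
        "needs_renewal": days < renew_days,
    }


# Constructed sample in the shape getpeercert() returns, with 90-day validity.
SAMPLE_CERT = {
    "subject": ((("commonName", "abc.com"),),),
    "issuer": ((("commonName", "constructed test issuer"),),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "abc.com"), ("DNS", "www.abc.com")),
}

if __name__ == "__main__":
    import sys  # pass a hostname to check a live site; otherwise use the sample
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(check_cert(cert, ["abc.com", "www.abc.com", "cp.abc.com"]))
```

Run it from cron alongside the acme.sh renewal job to catch a renewed certificate that was issued but never installed and reloaded into Apache or Tomcat.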