Install Let’s Encrypt SSL Certificate on CentOS 8

Hello,
I want to install Let’s Encrypt on CentOS 8 via https://www.tecmint.com/secure-apache-with-lets-encrypt-ssl-certificate-on-centos-8/ tutorial.
I have some questions:

1- Is it an OK tutorial?
2- Is my configuration OK?

<VirtualHost *:80>
ServerAdmin root@localhost
ServerAlias www.mymy.net
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
</VirtualHost>

<VirtualHost *:443>
SSLEngine On
ServerName mymy.net
ServerAlias www.mymy.net
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
  Options Indexes FollowSymLinks
 AllowOverride All
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log combined
</VirtualHost>

If yes, then why I got below error:

# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.

And:

# journalctl -xe
Aug 25 12:00:46 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:46 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:46 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:46 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:47 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:48 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:48 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:48 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:49 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:50 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>
Aug 25 12:00:50 localhost.localdomain kernel: FINAL_REJECT: IN=ens192 OUT= MAC=>

How can I solve it?

Thank you.

At a quick glance, there seem to be several problems with it:

  • It’s using certbot-auto rather than the EPEL package of certbot
  • It has you create the port 443 virtual host before you have the certificate
  • After certbot installs the cert, it has you manually specify the cert again in the config files
  • And for heaven’s sake, it has you use vi as a text editor

That guide seems determined to have you do things the hard way, and doesn’t do you the corresponding favor of explaining why. Now, of these issues, the first isn’t the cause of your problem, but the second could be. The output of systemctl status httpd could give you some more information about what’s going on. But personally, I’d ditch this guide and start with the official docs.

2 Likes

Thank you.
What is the problem of “certbot-auto” ?
In the document, the “sudo certbot --apache” is an automated way and I want to know, can it detect my Apache config file (I created a separate file under the conf.d directory) or write configuration into “httpd.conf” file?

The purpose of certbot-auto is to install certbot on distros which don’t have an existing package. CentOS does have such a package, and it’s reasonably up-to-date. Let yum do its thing.

It should.

I believe it writes its own .conf file rather than altering httpd.conf.

Thank you so much for your help.
It configured the Apache automatically, but some problems exist:

I edited the “/etc/hostname” file and added below line:

127.0.0.1       www.mydomain.net    localhost

But problem not solved. How can I solve the “Alternative names” problem?

Thank you.

I think, it is because of:

<Virtualhost xx.xx.xx.xx::80>
[…]
ServerName www.example.com

I changed the “Servername” from “mynet.net” to “www.mynet.net” but my site take down :frowning:
How can I solve it?

No, it really didn’t. Apache is using a self-signed cert, not the Let’s Encrypt cert. You’re going to need to track down the reason for this in the Apache config files.

Why on earth would you do that?

Thank you for your reply.
The certbot created some config files under “/etc/httpd/conf.d” directory and automatically add some lines to my Virtual Host config file.
The Apache config file is as below:

ServerRoot "/etc/httpd"
ServerName www.mywebsite.net

Listen 80

Include conf.modules.d/*.conf


User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>


DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>


<Directory "/var/www/html">
   Options FollowSymLinks
   AllowOverride None
   Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>

   ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>

    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

IncludeOptional conf.d/*.conf


#Security
TraceEnable off
ServerSignature Off
ServerTokens Prod
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off
TimeOut 60
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
ErrorDocument 500 "Oh sorry dear."

FileETag MTime
KeepAlive On
MaxKeepAliveRequests 100
MaxConnectionsPerChild 1000
UseCanonicalName Off
LimitInternalRecursion 5
LimitRequestFields 500
AcceptPathInfo Off
MaxRanges 100
KeepAliveTimeout 4


# Modules
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule headers_module modules/mod_headers.so
RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500

What is my config problem?
The “MISMATCH” problem is because of below file:

$ cat /etc/httpd/conf.d/wp-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@localhost
ServerName mywebsite.net
ServerAlias www.mywebsite.net
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mywebsite.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite.net/privkey.pem

When I change “ServerName” then Apache can’t start.

# cat ssl_error_log
[Tue Sep 01 23:23:12.171835 2020] [ssl:warn] [pid 349886:tid 140135623199040] AH01909: www.mywebsite.net:443:0 server certificate does NOT include an ID which matches the server name
[Tue Sep 01 23:23:12.228405 2020] [ssl:warn] [pid 349886:tid 140135623199040] AH01909: www.mywebsite.net:443:0 server certificate does NOT include an ID which matches the server name

In the below image, “Key Exchange” and “Cipher Strength” are not 100. How can I improve them?

Those two lines from the log are warnings and wouldn’t prevent Apache from starting.

This would imply you’ve got everything properly working now… In the same post you’re claiming your Apache won’t start… I’m confused… Everything is working OK now?

Also, getting a 100 % score on SSLLabs has been discussed earlier. Please use the Search feature to find such threads.

Thank you for your reply.
When I change “ServerName mywebsite.net” to “ServerName www.mywebsite.net” then Apache is working, but I can’t browse my site. It show me an error about the https certificate. I want to change it because of the “MISMATCH” error:


Should I generate a new key?

No? Why?

You also have a ServerAlias for your www subdomain. So changing ServerName to that same hostname doesn’t actually do anything usefull. You should keep it the way it was.

It’s very frustrating you’re redacting your hostname. Now we can’t really debug your issue.

I’m betting you forgot a hostname in your certificate, but I can’t verify that.

My orginal “hostname” was:

localhost.localdomain

And I changed it to:

127.0.0.1       www.mydomain.net    localhost

Is it bad?
Current configuration is:

$ hostnamectl
Static hostname: 127.0.0.1www.mydomain.netlocalhost
Transient hostname: localhost.localdomain
Icon name: computer-vm
Chassis: vm
Machine ID: c19908237e484187b962fc6f87384258
Boot ID: 2aa08bf512784786b249cb81fc4fd82b
Operating System: CentOS Linux 8 (Core)
CPE OS Name: cpe:/o:centos:centos:8
Kernel: Linux 4.18.0-193.14.2.el8_2.x86_64
Architecture: x86-64
$ hostname
127.0.0.1www.mydomain.netlocalhost

Is it because of hostname?
What should I my “ServerName” value?

The hostname (or hostnames, if you’ve used subdomains too) you’ve used to get your Let’s Encrypt certificate. We’re talking about website hostnames, most often used in virtual hosts in webservers. Although in “older” times the hostname of a service was equal to the hostname of the machine, in modern times those are often not equivalent any longer.

According to https://www.tecmint.com/wp-content/uploads/2020/01/Lets-Encrypt-SSL-Certification-Installation-on-Domain.jpg, in the final step I just hit ENTER.
It showed me:
1: mydomain.net
2: www.mydomain.net
I just hit Enter key.

I guess, it could help:

$ ls /etc/letsencrypt/live/
mydomain.net/ README

I changed the “hostname” and “hosts” files as below:

$ cat /etc/hostname
#localhost.localdomain
mydomain.net

And:

$ cat /etc/hosts
#127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1       www.mydomain.net   mydomain.net

I’m pretty sure it didn’t actually say “mydomain.net” but your actual domain name. That is what I meant with hostname. I still have no idea what you’re trying to accomplish by editing /etc/hostname and /etc/hosts

Hello,
I’m using CentOS 8 with Apache. According to https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-apache2-4-read-warnings/2436, I did below steps:

# openssl dhparam -out /etc/ssl/private/dhparams.pem 4096

Then copy that file:

# cp /etc/ssl/private/dhparams.pem /etc/letsencrypt/archive/mydomain.net/

Then, added below lines into “httpd.conf”:

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"
SSLCertificateFile "/etc/letsencrypt/archive/mydomain.net/dhparams.pem"

After it, I did below command:

# openssl x509 -noout -in /etc/letsencrypt/live/mydomain.net/privkey.pem -pubkey

But I got below error:

unable to load certificate
140563944699712:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

Why? Which step is wrong?

Thank you.

You didn’t read the thread correctly. You’re inputting a private key, while the x509 program expects a certificate, just like the error message said.

Also, no offence, but if you don’t really know what you’re doing, do you think its wise to do it? For example, Public Key Pinning can leave your site unreachable if the pinned key has been changed by another. And I don’t think PKP is necessary for the 100 % score…

Also, why do you want a 100 % score anyway? You realise this would leave your site unaccessible for older clients?

And another note: “regular” Diffie-Hellman key exchange is very, very slow. It’s better to choose only elliptic curve Diffie-Hellman. Or if you really require older DH, use one of the safer pre-defined groups from RFC 7919. You can read more about it on an older version of the Mozilla Server Side TLS guide.

3 Likes

You do realize that post is almost five years old - things have changed since then.
And it wasn’t published by LetsEncrypt - it was posted by someone just like you.

OK.
How can I use the pre-defined DH groups ffdhe2048, ffdhe3072 or ffdhe4096?
100% score is not mandatory?
What is the problem of below configuration?


SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
SSLHonorCipherOrder on
SSLCompression          off
SSLSessionTickets       off

Yes. it is not my real domain name.
My problem is because of “hostname” or “hosts” file?