    Setting up LetsEncrypt on a CentOS 7 NginX proxy

    13 Posts 5 Posters 12.5k Views
    • JaredBusch (last edited by JaredBusch)

      I ran into an error almost immediately.
      ./letsencrypt-auto --help resulted in this.

      Complete!
      Creating virtual environment...
      Updating letsencrypt and virtual environment dependencies...../root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
        InsecurePlatformWarning
      ./root/.local/share/letsencrypt/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
        InsecurePlatformWarning
      .
      

      Searching their website did not turn up anything specific about this, but I did find a thread about Python 2.7 and CentOS 6. Comparing the workaround for that (prior to CentOS 6 being supported again), I noticed that not all the Python pieces that the workaround noted were installed on my box: python-tools and python-pip.

      I reverted my VM and then added those to the yum install for git. Now Let's Encrypt builds correctly.

      [root@nginxproxy letsencrypt]# ./letsencrypt-auto --help
      Updating letsencrypt and virtual environment dependencies.......
      Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help
      
        letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...
      
      The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
      default, it will attempt to use a webserver both for obtaining and installing
      the cert. Major SUBCOMMANDS are:
      
        (default) run        Obtain & install a cert in your current webserver
        certonly             Obtain cert, but do not install it (aka "auth")
        install              Install a previously obtained cert in a server
        revoke               Revoke a previously obtained certificate
        rollback             Rollback server configuration changes made during install
        config_changes       Show changes made to server config during installation
        plugins              Display information about installed plugins
      
      Choice of server plugins for obtaining and installing cert:
      
        --apache          Use the Apache plugin for authentication & installation
        --standalone      Run a standalone webserver for authentication
        (nginx support is experimental, buggy, and not installed by default)
        --webroot         Place files in a server's webroot folder for authentication
      
      OR use different plugins to obtain (authenticate) the cert and then install it:
      
        --authenticator standalone --installer apache
      
      More detailed help:
      
        -h, --help [topic]    print this message, or detailed help on a topic;
      						the available topics are:
      
         all, automation, paths, security, testing, or any of the subcommands or
         plugins (certonly, install, nginx, apache, standalone, webroot, etc)
      
      [root@nginxproxy letsencrypt]#
      
      • JaredBusch (last edited by JaredBusch)

        If you use a Free CloudFlare account and have the SSL features enabled, you must disable them prior to starting this because CloudFlare is basically acting as a MITM and breaking that SSL validation chain.

        Prior to Let's Encrypt this was actually a really useful tool. I have almost all sites set up with CloudFlare and the SSL enabled in "Full" mode. This let my visitors get a trusted SSL and CloudFlare did not care what SSL I had on the backend as long as it was an expired certificate. For personal stuff I just used Self Signed.

        Anyway, Let's Encrypt (rightly) does not accept that when validating.

        Updating letsencrypt and virtual environment dependencies.......
        Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --email [email protected] --agree-tos -d jaredbusch.com -d www.jaredbusch.com
        Failed authorization procedure. jaredbusch.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during DV :: Failed to connect to host for DVSNI challenge
        
        IMPORTANT NOTES:
         - The following 'urn:acme:error:tls' errors were reported by the
           server:
        
           Domains: jaredbusch.com
           Error: The server experienced a TLS error during DV
        [root@nginxproxy letsencrypt]#
        
        • JaredBusch (last edited by JaredBusch)

          Here is my /etc/nginx/conf.d/jaredbusch.com.conf in whole for reference.

          server {
              # Public HTTPS front end using the files that certonly wrote.
              client_max_body_size 40M;
              listen 443 ssl;
              server_name www.jaredbusch.com jaredbusch.com;
              ssl          on;   # redundant with "listen 443 ssl" (deprecated in later nginx releases)
              ssl_certificate /etc/letsencrypt/live/jaredbusch.com/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/jaredbusch.com/privkey.pem;
              # OCSP stapling, plus HSTS so browsers stay on HTTPS for a year.
              ssl_stapling on;
              ssl_stapling_verify on;
              add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

              location / {
                  # Pass the client's address and original Host header through to the backend.
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header Host $http_host;
                  proxy_set_header X-NginX-Proxy true;
                  # Re-encrypts to the backend; nginx does not verify the backend's
                  # certificate unless proxy_ssl_verify is turned on.
                  proxy_pass https://10.254.0.101:443;
                  proxy_redirect off;
              }
          }
          server {
              # Plain HTTP front end, proxied unencrypted to the backend's port 80.
              client_max_body_size 40M;
              listen 80;
              server_name www.jaredbusch.com jaredbusch.com;

              location / {
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header Host $http_host;
                  proxy_set_header X-NginX-Proxy true;
                  proxy_pass http://10.254.0.101:80;
                  proxy_redirect off;
              }
          }
          
          • JaredBusch (last edited by JaredBusch)

            Now, I just need to get these certificates shipped off to the server behind. Why? Because while I know I do not have to encrypt after the proxy, I still want it all 100% encrypted.
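One way to make that backend hop authenticated as well as encrypted, as an added example rather than the thread's own config: the HTTPS server block from the post above with nginx told to verify the backend's certificate, which a bare proxy_pass https:// never does. It assumes the backend at 10.254.0.101 now presents the same jaredbusch.com certificate, that the CentOS 7 CA bundle is at /etc/pki/tls/certs/ca-bundle.crt, and an nginx release with the proxy_ssl_* verification directives (1.7.0 or newer).

```nginx
# Added example, not the thread's config: the HTTPS front end with the
# backend hop verified. Assumes the backend now serves the same
# jaredbusch.com certificate and that the CentOS 7 CA bundle path below exists.
server {
    listen 443 ssl;
    server_name www.jaredbusch.com jaredbusch.com;
    client_max_body_size 40M;

    ssl_certificate     /etc/letsencrypt/live/jaredbusch.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jaredbusch.com/privkey.pem;
    ssl_protocols TLSv1.2;                 # no SSLv3/TLS 1.0/1.1 on the public side
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;   # backend can tell the client hop was TLS

        proxy_pass https://10.254.0.101:443;
        proxy_redirect off;

        # Without these, nginx accepts any certificate from the backend, so the
        # hop is encrypted but not authenticated. Verify against the system CA
        # bundle and check the name jaredbusch.com, since proxy_pass uses an IP.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
        proxy_ssl_server_name on;          # send SNI so the backend picks the right vhost
        proxy_ssl_name jaredbusch.com;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_session_reuse on;
    }
}
```

Check the syntax with nginx -t before reloading; if the backend's certificate does not validate, nginx logs an upstream SSL certificate verify error and the client receives a 502 instead of a silently unverified connection.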

            • Alex Sage

              Are you still renewing by hand?

              • Alex Sage

                Any updates to this?

                • scottalanmiller @Alex Sage

                  @aaronstuder said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

                  Are you still renewing by hand?

                  I am at least.

                  • dafyre

                    I'm using cron with the old letsencrypt script. I haven't migrated over to certbot yet.

                    • scottalanmiller @dafyre

                      @dafyre said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

                      I'm using cron with the old letsencrypt script. I haven't migrated over to certbot yet.

                      Same.

                      • JaredBusch @Alex Sage

                        @aaronstuder said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

                        Any updates to this?

                        Use Certbot, never this method. Keep your life simpler.

                        • travisdh1 @JaredBusch

                          @JaredBusch said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

                          @aaronstuder said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

                          Any updates to this?

                          Use Certbot, never this method. Keep your life simpler.

                          Yeah. If the old way is working, that should keep working. However, certbot is easier to use.

                          • JaredBusch @travisdh1

                            @travisdh1 said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

                            @JaredBusch said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

                            @aaronstuder said in Setting up LetsEncrypt on a CentOS 7 NginX proxy:

                            Any updates to this?

                            Use Certbot, never this method. Keep your life simpler.

                            Yeah. If the old way is working, that should keep working. However, certbot is easier to use.

                            When my system came up for renewal after certbot was out, I installed certbot and renewed that way. Everything is in the same place. Nothing had to be changed in the config files.
