
How do I set up Let's Encrypt SSL in a Jelastic environment?

gulench
    Now you can avoid all manual actions, since we automated the installation process with the help of an add-on, which can be found in the marketplace: https://docs.jelastic.com/marketplace#add-ons. Also, the list of supported templates was greatly extended. – Virtuozzo Jul 14 '17 at 07:39

1 Answer


For now, a Let's Encrypt SSL certificate can be installed on the Apache web server in the Jelastic cloud. To perform the next steps you have to log in as root.

We need to install two dependencies on our instance before installing the Let's Encrypt client and generating the SSL certificate.

  1. Install EPEL (Extra Packages for Enterprise Linux) repository:

yum -y install epel-release git bc

rpm -ivh https://downloads.hpdd.intel.com/public/e2fsprogs/1.42.12.wc1/el7/RPMS/x86_64/libcom_err-devel-1.42.12.wc1-4.el7.centos.x86_64.rpm

  2. We will clone the Let's Encrypt repository under /opt, which is a standard directory for placing third-party software on Unix systems:

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

This will create a local copy of the official Let's Encrypt repository under /opt/letsencrypt.

Generating the SSL Certificate using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

  3. Access the letsencrypt directory:

cd /opt/letsencrypt

  4. To execute the interactive installation and obtain a certificate that covers only a single domain, run the letsencrypt-auto command with:

./letsencrypt-auto --apache -d example.com

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:

./letsencrypt-auto certonly -d yourdomain.com -d www.yourdomain.com --email youremail@dot.com --webroot -w /var/www/webroot/ROOT --agree-tos

  1. Uncomment "LoadModule ssl_module modules/mod_ssl.so" in the /etc/httpd/conf.d/modules.conf file
  2. Edit /etc/httpd/conf.d/ssl.conf file:

Listen *:443
<VirtualHost *:443>
    DocumentRoot /var/www/webroot/ROOT
    ErrorLog /var/log/httpd/ssl-error.log
    CustomLog /var/log/httpd/ssl-access.log combined

    SSLEngine on

    SSLProtocol             all -SSLv2 -SSLv3
    # Legacy suites (DES-CBC3-SHA, CAMELLIA) are still allowed by this list; remove them if no old clients need them.
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder     on

    SSLOptions +StrictRequire

    # Add vhost name to log entries:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

    # Paths written by the client in the previous step (base domain = first -d argument)
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
</VirtualHost>

If you provided multiple domain names when first installing the certificate, you'll need to pass the same list of domains again for the renewal command; otherwise, the Let's Encrypt client will generate a new certificate instead of renewing the existing one.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will automatically handle the renewal requests for you.

To facilitate this process, we will use a shell script that will verify the certificate expiration date for the provided domain and request a renewal when the expiration is less than 30 days away. The script will be scheduled to run once a week. This way, even if a cron job fails, there’s a 30-day window to try again every week.

  1. Download the script and make it executable. Feel free to review the contents of the script before downloading it.

curl -L -o /usr/local/sbin/le-renew http://do.co/le-renew-centos

chmod +x /usr/local/sbin/le-renew

The le-renew script takes as an argument the base domain name associated with the certificate you want to renew. You can check which domain was used by Let’s Encrypt as your base domain name by looking at the contents inside /etc/letsencrypt/live, which is the directory that holds the certificates generated by the client.

  2. We will edit the crontab to create a new job that will run this command every week. To edit the crontab for the root user, run:

sudo crontab -e

Include the following content, all in one line:

30 2 * * 1 /usr/local/sbin/le-renew yourdomain.com www.yourdomain.com >> /var/log/le-renew.log

  3. Save and exit. This will create a new cron job that will execute the le-renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at /var/log/le-renew.log.

If you don't have root permissions, do not hesitate to contact us or the support team of the chosen hosting provider (click "Help" > "Contact Support" in the top right corner of the Jelastic dashboard).

Good luck and have a nice day.

Virtuozzo
  • Jelastic now has official support for it as an add-on in their marketplace: https://jelastic.com/blog/free-ssl-certificates-with-lets-encrypt/. – buren Aug 27 '19 at 08:15
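The answer above leaves three things to the reader: writing the vhost by hand, remembering to pass the same domain list at renewal, and the "renew when fewer than 30 days remain" logic inside the downloaded le-renew script. The helpers below are an added example, not code from the answer or from Jelastic: they generate the vhost for a given domain and webroot (with a tighter cipher list than the one in the answer, which is my choice), read the certificate's subjectAltName so the renewal command repeats exactly the names already issued, and decide whether renewal is due using only `openssl x509 -checkend`. The domain example.com, the e-mail address and the self-signed fixture certificate are constructed for offline use; the letsencrypt-auto path and webroot follow the answer.

```shell
#!/bin/sh
# Added example (not from the answer above): helpers for the manual
# Apache + Let's Encrypt flow on a CentOS-style host. Needs only openssl.
# Paths follow the answer; example.com and the e-mail address are placeholders.

# Print an Apache 2.4 SSL vhost for DOMAIN serving WEBROOT from the
# Let's Encrypt live directory. TLS 1.0/1.1 and 3DES/RC4 are excluded.
le_vhost_conf() {
    domain=$1
    webroot=${2:-/var/www/webroot/ROOT}
    cat <<EOF
Listen *:443
<VirtualHost *:443>
    ServerName   $domain
    DocumentRoot $webroot
    ErrorLog     /var/log/httpd/ssl-error.log
    CustomLog    /var/log/httpd/ssl-access.log combined

    SSLEngine               on
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK
    SSLHonorCipherOrder     on
    SSLOptions              +StrictRequire

    SSLCertificateFile      /etc/letsencrypt/live/$domain/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/$domain/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/$domain/chain.pem
</VirtualHost>
EOF
}

# List every DNS name in CERT's subjectAltName, one per line. Renewal must
# be requested for exactly this list, or the client issues a new certificate.
cert_domains() {
    openssl x509 -noout -text -in "$1" | awk '
        /Subject Alternative Name/ {
            getline; gsub(/DNS:/, ""); gsub(/,/, "")
            for (i = 1; i <= NF; i++) print $i
        }'
}

# Build the certonly command line that renews CERT for its current names,
# using the same webroot challenge as the answer.
le_renew_cmd() {
    cert=$1; email=$2; webroot=${3:-/var/www/webroot/ROOT}
    args=""
    for d in $(cert_domains "$cert"); do args="$args -d $d"; done
    printf '/opt/letsencrypt/letsencrypt-auto certonly%s --email %s --webroot -w %s --agree-tos\n' \
        "$args" "$email" "$webroot"
}

# Exit 0 when CERT expires within DAYS (default 30), the threshold the weekly
# cron job in the answer relies on. openssl -checkend succeeds only if the
# certificate is still valid at the end of the window.
needs_renewal() {
    cert=$1; days=${2:-30}
    if openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# What the weekly job should do: print the renewal command when the cert is
# inside the window, otherwise report that nothing is needed.
le_weekly_check() {
    cert=$1; email=$2
    if needs_renewal "$cert" 30; then
        echo "renew: $(le_renew_cmd "$cert" "$email")"
    else
        echo "ok: $cert is valid for more than 30 days"
    fi
}

# Constructed fixture (not a real Let's Encrypt cert): a self-signed cert for
# example.com and www.example.com, valid DAYS days, written to DIR/cert.pem.
make_test_cert() {
    dir=$1; days=$2
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = example.com
[ext]
subjectAltName = DNS:example.com,DNS:www.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" -config "$dir/req.cnf" >/dev/null 2>&1
}

# Demo when run as: sh le-helpers.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_test_cert "$d" 10
    le_vhost_conf example.com
    le_weekly_check "$d/cert.pem" admin@example.com
fi
```

Run `sh le-helpers.sh demo` to see the generated vhost followed by a `renew:` line, because the fixture certificate has only 10 days left. On a real host, pipe `le_vhost_conf yourdomain.com` into /etc/httpd/conf.d/ssl.conf, run `apachectl configtest` before reloading httpd, and put `le_weekly_check /etc/letsencrypt/live/yourdomain.com/cert.pem you@example.com` behind the cron entry from the answer so the domain list is always taken from the live certificate rather than retyped.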