LetsEncrypt certificate with Centreon

From Fyzix

This guide assumes you are using CentOS 7 and that Centreon is already installed.

Install Prerequisites + certbot

yum install epel-release yum-utils certbot mod_ssl openssl

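Script to create LetsEncrypt certificate using certbot

certbot's --standalone mode runs its own temporary web server on port 80, so Apache has to be stopped while the certificate is issued.
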
systemctl stop httpd.service
certbot certonly --rsa-key-size=4096 --standalone -d centreon.yourdomain.com
systemctl start httpd.service

Configure Apache


Locate the Listen section of the Apache configuration and add Listen 443:


Listen 80
Listen 443


Replace centreon.yourdomain.com with your actual domain.


# Plain HTTP: redirect everything to HTTPS
<VirtualHost *:80>
ServerName centreon.yourdomain.com
ServerAlias centreon.yourdomain.com
Redirect permanent / https://centreon.yourdomain.com
</VirtualHost>

<VirtualHost *:443>
ServerName centreon.yourdomain.com
ServerAlias centreon.yourdomain.com

<Directory "/usr/share/centreon/www">
        Options Indexes
        AllowOverride AuthConfig Options
        Order allow,deny
        Allow from all
        Require all granted
</Directory>

#CustomLog /var/log/httpd/centreon.yourdomain.com-access.log combined
#ErrorLog /var/log/httpd/centreon.yourdomain.com-error.log
#LogLevel warn

SSLEngine on
SSLCertificateFile    /etc/letsencrypt/live/centreon.yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/centreon.yourdomain.com/privkey.pem
# chain.pem holds only the intermediate certificates; fullchain.pem here
# would send the server certificate twice
SSLCertificateChainFile /etc/letsencrypt/live/centreon.yourdomain.com/chain.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
   SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

# Only SSLv2 and SSLv3 are disabled here; TLS 1.0 and 1.1 remain enabled.
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off

Restart Apache

systemctl restart httpd.service

Add cronjob to renew certificate

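As root, edit the crontab:

crontab -e

Because the certificate was issued with --standalone, renewal also needs port 80. The hooks below stop Apache before renewing and start it again afterwards, which also makes Apache load the new certificate. certbot only runs the hooks when a certificate is actually due for renewal.

30 2 * * * certbot renew --pre-hook "systemctl stop httpd.service" --post-hook "systemctl start httpd.service" >> /var/log/letsencrypt-renew.log 2>&1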
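
To confirm that the renewal cron job keeps working, the certificate's remaining lifetime can be monitored from Centreon itself. The following plugin-style check is an added example, not part of the original page; the function name check_cert_expiry and the 20/7-day thresholds are assumptions chosen for illustration.

```bash
#!/bin/bash
# Added example (not from the original page): Nagios/Centreon-style plugin that
# reports how close a certificate file is to expiry.
# Exit codes follow the plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Assumed defaults: warn at 20 days, critical at 7 days. certbot renews once 30 days
# or fewer remain, so a WARNING means renewal has been failing for over a week.

check_cert_expiry() {
    local cert="$1" warn_days="${2:-20}" crit_days="${3:-7}" end

    command -v openssl >/dev/null 2>&1 || { echo "UNKNOWN: openssl not found"; return 3; }
    [ -r "$cert" ] || { echo "UNKNOWN: cannot read ${cert:-<no file given>}"; return 3; }

    # -enddate prints "notAfter=<date>"; a non-certificate file makes openssl fail.
    end=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null) \
        || { echo "UNKNOWN: $cert is not a PEM certificate"; return 3; }
    end=${end#notAfter=}

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo "CRITICAL: certificate expired on $end"; return 2
    elif ! openssl x509 -noout -checkend $((crit_days * 86400)) -in "$cert" >/dev/null; then
        echo "CRITICAL: certificate expires within $crit_days days ($end)"; return 2
    elif ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$cert" >/dev/null; then
        echo "WARNING: certificate expires within $warn_days days ($end)"; return 1
    fi
    echo "OK: certificate valid until $end"
    return 0
}

# Run as a plugin only when arguments are given, e.g.
#   ./check_cert_expiry.sh /etc/letsencrypt/live/centreon.yourdomain.com/cert.pem 20 7
if [ "$#" -gt 0 ]; then
    check_cert_expiry "$@"
    exit $?
fi
```

The /etc/letsencrypt/live directory is readable only by root by default, so the check has to run with access to cert.pem.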