LetsEncrypt certificate with Centreon

From Fyzix

This assumes CentOS 7 with Centreon already installed.

Install Prerequisites + certbot

yum install epel-release yum-utils certbot mod_ssl openssl

Script to create LetsEncrypt certificate using certbot

/usr/sbin/runcertbot

#!/bin/bash
# Stop Apache so certbot's standalone web server can bind port 80 for the HTTP-01 challenge.
systemctl stop httpd.service
certbot certonly --rsa-key-size=4096 --standalone -d centreon.yourdomain.com
# Bring Apache back up regardless of whether certbot succeeded.
systemctl start httpd.service

Configure Apache

httpd.conf

Locate the Listen section, and add Listen 443

/etc/httpd/conf/httpd.conf

#Listen 12.34.56.78:80
Listen 80
Listen 443

ssl.conf

Replace centreon.yourdomain.com with your actual domain.

/etc/httpd/conf.d/ssl.conf

<VirtualHost *:80>
ServerName centreon.yourdomain.com
ServerAlias centreon.yourdomain.com
# The trailing slash matters: without it a request for /foo is redirected to
# https://centreon.yourdomain.comfoo, because Apache appends the remainder of the path.
Redirect permanent / https://centreon.yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
ServerName centreon.yourdomain.com
ServerAlias centreon.yourdomain.com

<Directory "/usr/share/centreon/www">
        Options Indexes
        AllowOverride AuthConfig Options
        Order allow,deny
        Allow from all
        Require all granted
</Directory>

#CustomLog /var/log/httpd/centreon.yourdomain.com-access.log combined
#ErrorLog /var/log/httpd/centreon.yourdomain.com-error.log
#LogLevel warn

SSLEngine on
SSLCertificateFile    /etc/letsencrypt/live/centreon.yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/centreon.yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/centreon.yourdomain.com/fullchain.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
   SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
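As an added check that is not part of the original page or of the cipherli.st/raymii.org text: a small Python audit script that reads an Apache SSL configuration fragment like the one above and reports the settings a reviewer would look at first (legacy protocol versions still enabled, weak cipher tokens, compression, server-preferred cipher order, the HSTS header and its max-age). The two configuration strings embedded in it are constructed for the example; the "hardened" one is the block from this page, which the script shows still leaves TLSv1 and TLSv1.1 enabled, since `All -SSLv2 -SSLv3` only removes the SSL versions. The directive names and semantics are Apache's; the finding codes are this script's own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a weak fragment, for comparison with the page's settings.
WEAK_CONF = """
SSLEngine on
SSLProtocol All
SSLCipherSuite ALL:!aNULL:RC4-SHA
SSLCompression on
"""

# The settings from this page (constructed copy, embedded so the script runs offline).
HARDENED_CONF = """
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
"""

SUPPORTED = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "LOW")
ONE_YEAR = 31536000  # seconds; the usual minimum for an HSTS max-age


def parse_directives(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (directives, response headers set via 'Header ... set').
    Comments and blank lines are skipped; Apache directive names are case-insensitive."""
    directives: Dict[str, str] = {}
    headers: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        if name.lower() == "header":
            # Header [always] set <Name> "<value>"
            m = re.match(r'(?:always\s+)?set\s+(\S+)\s+"?([^"]*)"?', value.strip(), re.I)
            if m:
                headers[m.group(1).lower()] = m.group(2).strip()
        else:
            directives[name.lower()] = value.strip()
    return directives, headers


def enabled_protocols(value: str) -> Set[str]:
    """Apply SSLProtocol semantics: 'All' is every version except SSLv2,
    '+X' or bare 'X' enables, '-X' disables; names are case-insensitive."""
    by_lower = {p.lower(): p for p in SUPPORTED}
    enabled: Set[str] = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = [p for p in SUPPORTED if p != "SSLv2"]
        else:
            names = [by_lower.get(name.lower(), name)]
        for n in names:
            enabled.discard(n) if sign == "-" else enabled.add(n)
    return enabled


def audit(text: str) -> List[str]:
    """Return finding codes for the fragment; an empty list means every check passed."""
    directives, headers = parse_directives(text)
    findings: List[str] = []
    for proto in sorted(enabled_protocols(directives.get("sslprotocol", "All")) & LEGACY):
        findings.append(f"legacy-protocol:{proto}")
    suite = directives.get("sslciphersuite", "")
    for tok in WEAK_CIPHER_TOKENS:
        # A token preceded by '!' is excluded from the suite, so only flag enabled ones.
        if re.search(rf"(?<![!\w]){tok}\b", suite, re.I):
            findings.append(f"weak-cipher:{tok}")
    if directives.get("sslcompression", "off").lower() != "off":
        findings.append("compression-enabled")  # exposes the CRIME attack surface
    if directives.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("server-cipher-order-off")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("hsts-max-age-short")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("page", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
    # Restricting SSLProtocol to TLS 1.2/1.3 clears the remaining finding.
    fixed = HARDENED_CONF.replace("SSLProtocol All -SSLv2 -SSLv3",
                                  "SSLProtocol -All +TLSv1.2 +TLSv1.3")
    print("page+protocol-fix", audit(fixed) or "no findings")
```

Run it against your own ssl.conf by passing the file's contents to `audit()`; it only inspects the directives listed, so a clean result is a baseline, not a full TLS assessment.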

Restart Apache

systemctl restart httpd.service

Add cronjob to renew certificate

As root,

crontab -e

Contents

30 2 * * * certbot renew >> /var/log/letsencrypt-renew.log