[root@centos7 ~] yum install certbot python2-certbot-apache mod_sslUm vom LetsEncrypt zusätzlich der Zertifikate, auch eine SSL-Konfiguration für den Httpd zu bekommen muss zunächst ein VirtualHost für die domain exisitieren bzw. angelegt werden.
[root@centos7 ~] nano /etc/httpd/conf.d/api-v1-example.de.confInhalt:
<VirtualHost *:80>
ServerName api-v1-example.de
DocumentRoot /var/www/psm/api-v1-example.de/public_html
</VirtualHost>Certbot ausführen:
[root@centos7 ~] certbot --apache -d api-v1-example.deOutput:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Created an SSL vhost at /etc/httpd/conf.d/api-v1-example.de-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/api-v1-example.de-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/api-v1-example.de.conf to ssl vhost in /etc/httpd/conf.d/api-v1-example.de-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://api-v1-example.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/api-v1-example.de/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/api-v1-example.de/privkey.pem
Your cert will expire on 2021-01-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Lets Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-leCertbot hat die VirtualHost Datei api-v1-example.de.conf angepasst
und einen permanenten redirect von httpauf https eingerichtet.
[root@centos7 ~] cat /etc/httpd/conf.d/api-v1-example.de.confInhalt:
<VirtualHost *:80>
ServerName api-v1-example.de
DocumentRoot /var/www/psm/api-v1-example.de/public_html
RewriteEngine on
RewriteCond %{SERVER_NAME} = api-v1-example.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>Die Konfiguration für https hat certbot unter api-v1-example.de-le-ssl.conf erstellt.
[root@centos7 ~] cat /etc/httpd/conf.d/api-v1-example.de-le-ssl.confInhalt:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/api-v1-example.de
ServerName api-v1-example.de
SSLCertificateFile /etc/letsencrypt/live/api-v1-example.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/api-v1-example.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/api-v1-example.de/chain.pem
</VirtualHost>
</IfModule>Port 443 für SSL freigeben:
[root@centos7 ~] firewall-cmd --zone=public --add-service=httpsSeite testen: https://api-v1-example.de
Für den tomcat können die von LetsEncrypt ausgestellten Zertifikatsdateien kopiert werden.
[root@centos7 ~] cd /etc/letsencrypt/live/api-v1-example.de
[root@centos7 ~] cp *.pem /opt/tomcat/latest/conf
[root@centos7 ~] chown tomcat:tomcat *.pemEinen Connector in Tomcats server.xml mit den Zertifikaten konfigurieren
[root@centos7 ~] nano /opt/tomcat/latest/conf/server.xmlInhalt:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeyFile="conf/privkey.pem"
certificateFile="conf/cert.pem"
certificateChainFile="conf/chain.pem" />
</SSLHostConfig>
</Connector>