LetsEncrypt certificate with Centreon
This guide assumes you are using CentOS 7 and that Centreon is already installed.
Install Prerequisites + certbot
yum install epel-release    # certbot is packaged in EPEL, so enable that repository first
yum install yum-utils certbot mod_ssl openssl
Script to create LetsEncrypt certificate using certbot
/usr/sbin/runcertbot
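#!/bin/bash
# Stop Apache so that certbot's standalone web server can bind port 80
systemctl stop httpd.service
certbot certonly --rsa-key-size=4096 --standalone -d centreon.yourdomain.com
# Start Apache again, whether or not certbot succeeded
systemctl start httpd.service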
Configure Apache
httpd.conf
Locate the Listen section, and add Listen 443
/etc/httpd/conf/httpd.conf
#Listen 12.34.56.78:80
Listen 80
Listen 443
ssl.conf
Replace centreon.yourdomain.com with your actual domain.
/etc/httpd/conf.d/ssl.conf
<VirtualHost *:80>
    ServerName centreon.yourdomain.com
    ServerAlias centreon.yourdomain.com
    # The trailing slash matters: Redirect appends the rest of the requested path to the target
    Redirect permanent / https://centreon.yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName centreon.yourdomain.com
    ServerAlias centreon.yourdomain.com

    <Directory "/usr/share/centreon/www">
        Options Indexes
        AllowOverride AuthConfig Options
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>

    #CustomLog /var/log/httpd/centreon.yourdomain.com-access.log combined
    #ErrorLog /var/log/httpd/centreon.yourdomain.com-error.log
    #LogLevel warn

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/centreon.yourdomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/centreon.yourdomain.com/privkey.pem
    # chain.pem holds only the intermediate certificates; fullchain.pem would repeat the server certificate
    SSLCertificateChainFile /etc/letsencrypt/live/centreon.yourdomain.com/chain.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# This still allows TLS 1.0 and TLS 1.1; append -TLSv1 -TLSv1.1 to permit only TLS 1.2
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
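Added example (not part of the original page): a shell check that works out which protocol versions an SSLProtocol line, such as the one in ssl.conf above, leaves enabled, and reports anything older than TLS 1.2. It assumes that "all" expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2, as on CentOS 7 (httpd 2.4.6 with OpenSSL 1.0.2); the function names effective_protocols and audit_ssl_conf are made up for this example.

```shell
#!/bin/sh
# Assumption: what "all" expands to on CentOS 7 (httpd 2.4.6, OpenSSL 1.0.2)
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# effective_protocols "<SSLProtocol arguments>"
# Applies mod_ssl's rules left to right: +name adds, -name removes,
# and a bare name replaces everything enabled so far.
effective_protocols() {
    enabled=" "
    for token in $1; do
        case $token in
            +*) action=add;     name=${token#+} ;;
            -*) action=remove;  name=${token#-} ;;
            *)  action=replace; name=$token; enabled=" " ;;
        esac
        case $(printf '%s' "$name" | tr '[:upper:]' '[:lower:]') in   # names are case-insensitive
            all)     group=$ALL_PROTOCOLS ;;
            sslv2)   group="" ;;   # not available in httpd 2.4
            sslv3)   group=SSLv3 ;;
            tlsv1)   group=TLSv1 ;;
            tlsv1.1) group=TLSv1.1 ;;
            tlsv1.2) group=TLSv1.2 ;;
            *) echo "unknown protocol: $name" >&2; return 2 ;;
        esac
        for p in $group; do
            case $enabled in   # drop p if it is already in the set
                *" $p "*) enabled="${enabled%% $p *} ${enabled#* $p }" ;;
            esac
            [ "$action" = remove ] || enabled="$enabled$p "
        done
    done
    echo $enabled
}

# audit_ssl_conf FILE
# Prints one finding per protocol older than TLSv1.2 that an uncommented
# SSLProtocol directive in FILE leaves enabled.
audit_ssl_conf() {
    grep -niE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
    while IFS=: read -r lineno directive; do
        set -- $directive; shift    # drop the "SSLProtocol" keyword
        for p in $(effective_protocols "$*"); do
            [ "$p" = TLSv1.2 ] || echo "line $lineno: $p still enabled"
        done
    done
}

# The directive from the ssl.conf on this page, then an optional file to audit
effective_protocols "All -SSLv2 -SSLv3"
if [ $# -gt 0 ]; then audit_ssl_conf "$1"; fi
```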
Restart Apache
systemctl restart httpd.service
Add cronjob to renew certificate
As root,
crontab -e
Contents
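# Renewal reuses the standalone authenticator, so the hooks stop Apache only while a certificate is actually being renewed
30 2 * * * certbot renew --pre-hook "systemctl stop httpd.service" --post-hook "systemctl start httpd.service" >> /var/log/letsencrypt-renew.log 2>&1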