Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save ArchTaqi/e0f5281ac907156afcf997bf34cb2266 to your computer and use it in GitHub Desktop.
Save ArchTaqi/e0f5281ac907156afcf997bf34cb2266 to your computer and use it in GitHub Desktop.
Example of how to setup Let's Encrypt on RHEL / CentOS and automate certificate rewnewal
#!/bin/bash
[email protected]
DOMAINS=example.com,www.example.com,foo.example.com,example.org.example.net,www.example.org,www.example.net
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
mkdir -p /var/lib/letsencrypt/global-webroot
# Setup the global alias
echo "Alias /.well-known/acme-challenge /var/lib/letsencrypt/global-webroot/.well-known/acme-challenge" >> /etc/httpd/conf/httpd.conf
apachectl configtest && apachectl graceful
# Create the cron job
cat > /etc/cron.monthly/renew-letsencrypt.sh <<End-of-message
#!/bin/bash
DOMAINS=$DOMAINS
/root/.local/share/letsencrypt/bin/letsencrypt certonly --agree-tos --renew-by-default --webroot --webroot-path /var/lib/letsencrypt/global-webroot --domains \$DOMAINS && /usr/sbin/apachectl graceful
# On CentOS/RHEL 6 running Python 2.6 add the "--debug" argument
End-of-message
chmod 755 /etc/cron.monthly/renew-letsencrypt.sh
# Install letsencrypt by running it the first time and generate the cert
./letsencrypt-auto certonly --agree-tos --email $EMAIL --renew-by-default --webroot --webroot-path /var/lib/letsencrypt/global-webroot --domains $DOMAINS
# On CentOS/RHEL 6 running Python 2.6 add the "--debug" argument
SSLEngine on
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Header always set Strict-Transport-Security "max-age=15768000"
<VirtualHost *:443>
# This VirtualHost shows how to bypass the reverse proxy with ProxyPassMatch
SSLEngine on
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Header always set Strict-Transport-Security "max-age=15768000"
DocumentRoot /var/www/html
ServerName example.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Add this to allow Let's Encrypt to validate control of the site
ProxyPassMatch ^/\.well-known/acme-challenge/.* !
ProxyPass / http://localhost:8080/ connectiontimeout=300 timeout=300
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
<VirtualHost *:443>
# This VirtualHost shows how to bypass the reverse proxy with RewriteRule
SSLEngine on
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Header always set Strict-Transport-Security "max-age=15768000"
DocumentRoot /var/www/html
ServerName example.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Proxy balancer://myapp>
BalancerMember http://127.0.0.1:8080
</Proxy>
# Add this to allow Let's Encrypt to validate control of the site
RewriteRule ^/\.well-known/acme-challenge/.*$ - [last]
RewriteRule ^/(.*)$ balancer://myapp%{REQUEST_URI} [P,QSA,L]
</VirtualHost>
#!/bin/bash
DOMAINS=example.com,www.example.com,foo.example.com,example.org.example.net,www.example.org,www.example.net
/root/.local/share/letsencrypt/bin/letsencrypt certonly --agree-tos --renew-by-default --webroot --webroot-path /var/lib/letsencrypt/global-webroot --domains $DOMAINS && /usr/sbin/apachectl graceful
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment