Lets Encrypt

LetsEncrypt
On CentOS 7, enable the optional channel for the EPEL repository:

yum -y install yum-utils
yum -y install epel-release

Then install certbot:

yum install certbot

Pound as SSL proxy
Edit /usr/local/etc/pound.cfg to redirect Certbot verifications:

Service
    URL      "^/\.well-known.*?$"
    BackEnd
      Address 127.0.0.1
      Port    8080
    End
  End

Restart Pound (svc -t /service/pound and test getting a certificate:

certbot certonly --dry-run -d test.domain.com --webroot -w /var/websites/private/htdocs

If doesn't work, fix Pound config, then get a certificate:

certbot certonly -d test.domain.com --webroot -w /var/websites/private/htdocs

Pound needs the cert components in one .pem file:

cd /etc/letsencrypt/live/test.domain.com
cat privkey.pem fullchain.pem > combined-for-pound.pem
chmod 400 combined-for-pound.pem

Create the HTTPS config for Pound:

ListenHTTPS
  Address xxx.xxx.xxx.xxx
  Port    443
  Disable SSLv2
  Disable SSLv3

  Cert    "/etc/letsencrypt/live/test.domain.com/combined-for-pound.pem"

  SSLHonorCipherOrder 1
  Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"

  Service
    HeadRequire "Host:.*test.domain.com.*"
    BackEnd
      Address 127.0.0.1
      Port    8080
    End
  End
End

Create a renewal-hook in /etc/letsencrypt/renewal-hooks/deploy/combine-certs-for-pound.sh to automatically combine the certifcate files for Pound:

#!/bin/sh

privkey="$RENEWED_LINEAGE/privkey.pem"
fullchain="$RENEWED_LINEAGE/fullchain.pem"
combined="$RENEWED_LINEAGE/combined-for-pound.pem"

cat "$privkey" "$fullchain" > "$combined"
chmod 400 $combined
svc -t /service/pound

Make it executable:

chmod ugo+x /etc/letsencrypt/renewal-hooks/deploy/combine-certs-for-pound.sh

Recent Updates

  • 11 months 3 weeks ago
  • 11 months 3 weeks ago
    Removed original versions of ucspi-tcp and ucspi-ssl and replaced them with upgraded versions. The old ones were failing PCI compliance tests by Security Metrics. ucspi-ssl also had issues installing on CentOS 7 - new version installed without issues.
  • 11 months 3 weeks ago
    1.3.7 update
  • 11 months 3 weeks ago
  • 1 year 1 hour ago
    MariaDB