Certificate Services Support

User-added image
Fedora 24 with Apache 2.4.23

Requirements:
  • Fedora 24 installed

Part 1 of 3: Install certbot

1. Go to https://certbot.eff.org/

2. Select “Apache” and “Fedora 23+”.

3. For root user, just run “dnf install python-certbot-apache”.
   For regular users, please refer to http://fedoraproject.org/wiki/Configuring_Sudo on how to configure sudo access in order to run below commands.

User-added image
4. After installation of certbot, run below commands to check the version number (It should be 0.8.1):


certbot -auto --version


Part 2 of 3: Downloading and Installing Apache

1.  Download Apache 2.4.23: http://httpd.apache.org/

2. Download Apache Portable Runtime 1.5.2 and Apache Portable Runtime Utility 1.5.4: http://apr.apache.org/ 
Note: Download the latest versions of both APR and APR-Util from Apache APR, unpack them into ./srclib/apr and ./srclib/apr-util (be sure the domain names do not have version numbers; for example, the APR distribution must be under ./srclib/apr/)

After run below commands in the sequence shown:

./configure --with-included-apr
make
make install
./configure --with-included-apr-util
make
make install


4. Install Apache with all default modules, running the commands in the sequence shown below:

./configure --enable-ssl --enable-so
make
make install

Note: By default the above installs Apache under /usr/local/apache2

User-added image

Part 3 of 3: Enable VirtualHost and SSL

1. Modify the httpd-vhosts.conf  file by adding the below to in a new line inside the file using a nano editor or vi:

<VirtualHost *:80> Enclose all the apache configuration parameters for each and every virtual host between these VirtualHost tags. Any apache directives can be used within the virtualhost container. </VirtualHost>

In the following example, we are setting up virtual host for www.testcertificates.com listening on the same port 80.

When you go to www.testcertificates.com, the files under /usr/local/apache2/docs/www.testcertificates.com will be served by Apache; and the access_log and error_log for this site will go under /usr/local/apache2/logs/www.testcertificates.com

User-added image

2. Create an index.html on /usr/local/apache2/docs/<your domain name>

User-added image

3. Type the command below:


chown –R apache:apache /usr/local/apache2/docs/<your domain name>

The outcome of typing the chown command will produce something like the below:

User-added image

4. Type the command shown below to check the VirtualHost configuration syntax:
 

Run ./httpd –S
 
5. Access your domain using a web browser ensure the index.html reflected correctly.

User-added image
 
If there are any errors, please look into error.log for detail and troubleshoot from there.

6. Start Apache at Boot Time. To do so, run the commands in the sequence shown below as the root user:


touch /etc/init.d/apache2
chmod 755 /etc/init.d/apache2
vi /etc/init.d/apache2
(edit it as shown below)
chkconfig --add apache2
chkconfig --list apache2 (to verify that it worked)

Contents of /etc/init.d/apache2:


#!/bin/bash
#
# apache2        Startup script for the Apache HTTP Server
#
# chkconfig: 3 85 15
# description: Apache is a World Wide Web server.  It is used to serve \
#              HTML files and CGI.

/usr/local/apache2/bin/apachectl [email protected]


Note: You can get the runlevel by running /sbin/runlevel. You will need to call your version of apachectl, e.g., /usr/local/apache2/bin/apachectl

7. Submit Certbot Request by using webroot plugins. 

Run the command below:


certbot certonly --webroot -w /usr/local/apache2/htdocs –server https://www.entrust.net/acme/api/v1/directory/CDW-6F2K-O5L2

You will get “Incomplete authorization”. You must approve the request using your Entrust Certificate Services (ECS) account.

8. Login to your ECS account to approve the request:
a. Go to Certificates>Managed Certificates
b. Go to tab Pending Approvals
c. Look for that particular certificate request and check the box besides it. (It should contain “[ACME]” under the Tracking Info column)
d. After the request is checked, select “Approve” under the “Action” dropdown
e. It will then proceed with the certificate creation process.

9. Run certbot again to retrieve the cert. You will obtain the message below:


IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.testcertificates.com/fullchain.pem. Your
cert will expire on 2017-09-13. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le



10. After downloading the certificates via certbot, you must manually configure the apache for SSL. The four file are:
  • privkey.pem
  • fullchain.pem
  • chain.pem
  • cert.pem
Copy privkey.pem, chain.pem and cert.pem to /user/local/apache2/conf.

After, edit /user/local/apache2/conf/extra/httpd-ssl.conf by adding the lines below using nano or vi:


[[email protected] extra]# grep -v "#" httpd-ssl.conf | grep SSLCertificate
SSLCertificateFile "/usr/local/apache2/conf/cert.pem"
SSLCertificateKeyFile "/usr/local/apache2/conf/privkey.pem"
SSLCertificateChainFile "/usr/local/apache2/conf/chain.pem"


Next, edit /usr/local/apache2/conf/httpd.conf as follows:

Remove: 

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf


10. Stop/start apache using the restart command.

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation: 
Sunday 8:00 PM ET to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list below) 
NOTE: Smart Phone users may use 1-800 numbers for one-touch dialing.
Otherwise, it is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.

 

CountryNumber
Australia0011 - 800-3687-7863
1-800-767-513
Austria00 - 800-3687-7863
Belgium00 - 800-3687-7863
Denmark00 - 800-3687-7863
Finland990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet)
France00 - 800-3687-7863
Germany00 - 800-3687-7863
Hong Kong001 - 800-3687-7863 (Voice)
002 - 800-3687-7863 (Fax)
Ireland00 - 800-3687-7863
Israel014 - 800-3687-7863
Italy00 - 800-3687-7863
Japan001 - 800-3687-7863 (KDD)
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC)
Korea001 - 800-3687-7863 (Korea Telecom)
002 - 800-3687-7863 (Dacom)
Malaysia00 - 800-3687-7863
Netherlands00 - 800-3687-7863
New Zealand00 - 800-3687-7863
0800-4413101
Norway00 - 800-3687-7863
Singapore001 - 800-3687-7863
Spain00 - 800-3687-7863
Sweden00 - 800-3687-7863 (Telia)
00 - 800-3687-7863 (Tele2)
Switzerland00 - 800-3687-7863
Taiwan00 - 800-3687-7863
United Kingdom00 - 800-3687-7863
0800 121 6078
+44 (0) 118 953 3088