So, it's been a year since I installed my (paid for) certificate and much has changed in web-land. Chief among them, on the SSL front, has been LetsEncrypt which offers free SSL certificates to anyone who requests them.
As I wasn't entirely enamoured with the idea of running "a fairly solid beta-quality Apache plugin", and I have full access to the webserver, this is a guide to installing it manually.
Install the epel repository
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm # Resolving dl.fedoraproject.org (dl.fedoraproject.org)... 184.108.40.206, 220.127.116.11, 18.104.22.168, ... # Connecting to dl.fedoraproject.org (dl.fedoraproject.org)|22.214.171.124|:443... connected. rpm -Uvh epel-release-latest-7.noarch.rpm
Install certbot (the LetsEncrypt client)
yum install python-certbot-apache # request a new certificate for chrishewett.com and www.chrishewett.com # -w option is the webroot of the site as certbot needs to add content to check you own the domain # --dry-run first to test it will work certbot certonly --dry-run --webroot -w /home/sites/chrishewett_com/web/app/webroot/ -d chrishewett.com -d www.chrishewett.com # if no errors then run for real certbot certonly --webroot -w /home/sites/chrishewett_com/web/app/webroot/ -d chrishewett.com -d www.chrishewett.com # Interactive series of prompts will appear to go through the process
yum install mod_ssl # Disable SSLv3 to stop POODLE bug nano /etc/httpd/conf.d/ssl.conf # SSLProtocol all -SSLv2 -SSLv3 nano /etc/httpd/conf/httpd.conf
<VirtualHost *:443> ServerName chrishewett.com ServerAlias www.chrishewett.com DocumentRoot /home/sites/chrishewett_com/app/public DirectoryIndex index.php <Directory /home/sites/chrishewett_com/app/public> AddType application/x-httpd-php .php Options +ExecCGI +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch AllowOverride All Require all granted </Directory> SSLEngine on SSLCertificateKeyFile /etc/letsencrypt/live/chrishewett.com/privkey.pem SSLCertificateFile /etc/letsencrypt/live/chrishewett.com/cert.pem SSLCertificateChainFile /etc/letsencrypt/live/chrishewett.com/chain.pem </VirtualHost>
systemctl reload httpd.service # Browse to your site, click on the padlock symbol and verify that the certificate is now LetsEncrypt
Setup Cronjob to auto renew
#Test the auto renew feature is working certbot renew --dry-run # ... # Congratulations, all renewals succeeded. The following certs have been renewed: # ... crontab -e #Attempt to auto renew LetsEncrypt certificate at 6:30/15:30 each day (recommended to do it this often in the official guide) # 30 6,15 * * * certbot renew --quiet