Installing Let's Encrypt for LPSE on CentOS 7

Add the following to the file /etc/httpd/conf/httpd.conf

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin helpdesk@gmail.com
    DocumentRoot /var/www/html
    LogLevel warn
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined
    # Send every plain-HTTP request for either name to HTTPS (the same form certbot --apache writes)
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

ServerName and ServerAlias are needed so that %{SERVER_NAME} actually matches the RewriteCond lines; without them the redirect never fires for www.example.com, and the original block also listed CustomLog twice.

sudo systemctl start httpd
sudo systemctl enable httpd
sudo yum install epel-release
sudo yum install mod_ssl python-certbot-apache
sudo certbot --apache -d example.com -d www.example.com

certbot proves control of the names with the HTTP-01 challenge, so port 80 on this host must be reachable from the internet for both names before you run it (on a default CentOS 7 install: firewall-cmd --permanent --add-service=http, the same for https, then firewall-cmd --reload). In later EPEL 7 builds the package is called python2-certbot-apache.

Edit the file /etc/httpd/conf.d/ssl.conf

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
ServerName example.com
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Comment out the two self-signed localhost entries and point httpd at the files under /etc/letsencrypt/live/example.com/. Those paths are symlinks that certbot repoints on every renewal, so reference them directly rather than copying the files elsewhere. SSLCertificateChainFile is correct for the httpd 2.4.6 that CentOS 7 ships; on httpd 2.4.8 and later it is deprecated and fullchain.pem goes in SSLCertificateFile instead. /etc/letsencrypt/options-ssl-apache.conf is written by the certbot Apache plugin.

Enable cipher order

Add the following between the ….. tags, keeping it below the line SSLProtocol all -SSLv2 -SSLv3 and below the Include line: the certbot options file sets its own SSLCipherSuite, and in Apache the last directive in the same scope wins. Note that SSLProtocol all -SSLv2 -SSLv3 still leaves TLS 1.0 and 1.1 enabled. The httpd 2.4.6 / OpenSSL 1.0.2 on CentOS 7 supports TLS 1.2, so unless LPSE users are on very old clients use SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 (SSL Labs caps the grade at B while TLS 1.0 or 1.1 is offered).

SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"

Four names in the list as originally published had lost a hyphen (DHE-DSS-AES128-GCMSHA256, ECDHE-ECDSAAES128-SHA256, ECDHERSA-AES256-SHA, AES128-GCMSHA256); they are corrected above. OpenSSL drops names it does not recognise without httpd reporting anything, so the broken entries would simply have been missing from the offered ciphers. This is the older Mozilla "intermediate" profile: the trailing AES128:AES256:HIGH entries admit RSA key exchange (no forward secrecy) and the DHE-DSS entries only apply to DSA certificates, which Let's Encrypt does not issue, so both can be dropped if you do not need very old clients. Keep the ! exclusions in any case.

Enable HSTS

Add the following between the ….. tags as well, inside the :443 virtual host only (browsers ignore a Strict-Transport-Security header received over plain HTTP). max-age=15552000 is 180 days, and includeSubDomains makes browsers insist on HTTPS for every subdomain of example.com too, so make sure all of them already serve valid certificates before enabling it; once cached, a browser refuses to load any of them over HTTP until max-age runs out.

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

Continue …

sudo apachectl configtest
sudo systemctl restart httpd
sudo certbot renew --dry-run
sudo crontab -e
0 2,14 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload httpd" >> /var/log/le-renew.log 2>&1

apachectl configtest catches a typo in ssl.conf before the restart takes the site down, and certbot renew --dry-run exercises a full renewal against the Let's Encrypt staging environment without touching the live certificate. The cron entry published originally, 0 2 * */2 *, has */2 in the month field: it runs every day during odd-numbered months and not at all during even ones, so a certificate whose 30-day renewal window falls in a skipped month expires. certbot renew only does anything when fewer than 30 days remain, so running it twice a day (as certbot itself recommends) costs nothing. --deploy-hook runs only when a certificate was actually renewed and reloads httpd so it picks up the new files; older certbot releases without --deploy-hook accept --post-hook instead.

Test your LPSE's TLS configuration at https://www.ssllabs.com/ssltest/
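As an added example (not from the original post), here is a small script to run on the LPSE host after the restart that checks the same points the steps above touch, and that the SSL Labs test would flag: that every SSLCipherSuite entry is a name the local OpenSSL knows, that the certificate is not close to expiry (which is how a broken renewal cron job shows up), that HSTS is sent with the intended max-age, that HTTP redirects to HTTPS, and which legacy protocols the server still accepts. It assumes a Linux host with GNU coreutils, curl and openssl, and that HOST names the site the certificate was issued for; example.com is a placeholder. The parsing helpers take their input as arguments so they can be checked offline with constructed data.

```shell
#!/bin/bash
# Post-deployment TLS check for the Let's Encrypt + Apache setup described above.
# Example code, not from the original post. Assumes GNU date, curl and openssl.
# HOST is an assumed placeholder; set it to the real LPSE hostname.

# Validate each entry of an SSLCipherSuite string against the local OpenSSL.
# OpenSSL silently drops names it does not recognise, so a mangled entry such as
# "AES128-GCMSHA256" (missing hyphen) is never reported by httpd itself.
# Prints the unknown names; returns 0 when every entry resolves, 1 otherwise.
check_cipher_list() {
  local list="$1" bad=0 name
  local IFS=':'
  for name in $list; do
    case "$name" in
      '!'*) continue ;;   # exclusions such as !aNULL only mean something with a base list
    esac
    if ! openssl ciphers "$name" >/dev/null 2>&1; then
      echo "unknown cipher: $name"
      bad=1
    fi
  done
  return "$bad"
}

# Parse response headers (as printed by `curl -sI https://HOST/`) and require a
# Strict-Transport-Security header whose max-age is at least MIN_AGE seconds
# (default: the 180 days configured above). Returns 0 if present and long enough.
hsts_ok() {
  local headers="$1" min_age="${2:-15552000}" age
  age=$(printf '%s\n' "$headers" | tr -d '\r' | tr '[:upper:]' '[:lower:]' \
        | grep '^strict-transport-security:' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n1)
  [ -n "$age" ] && [ "$age" -ge "$min_age" ]
}

# Whole days until expiry, from the "notAfter=..." line printed by
# `openssl x509 -noout -enddate`. The optional second argument is "now" in epoch
# seconds (defaults to the current time) so the arithmetic can be tested offline.
# Let's Encrypt certificates last 90 days and certbot renews at 30 days left, so a
# value under 30 means the cron job is not doing its work.
days_left() {
  local notafter="${1#notAfter=}" end now
  end=$(date -u -d "$notafter" +%s) || return 2
  now="${2:-$(date -u +%s)}"
  echo $(( (end - now) / 86400 ))
}

# Live checks against the running server; only run when invoked with --live.
run_live_checks() {
  local host="${HOST:-example.com}" ciphers enddate proto
  echo "== SSLCipherSuite entries in /etc/httpd/conf.d/ssl.conf"
  ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*"\(.*\)".*/\1/p' \
            /etc/httpd/conf.d/ssl.conf | tail -n1)
  check_cipher_list "$ciphers" && echo "all cipher names resolve"
  echo "== certificate expiry"
  enddate=$(echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
            | openssl x509 -noout -enddate)
  echo "$host: $(days_left "$enddate") days left"
  echo "== HSTS"
  if hsts_ok "$(curl -sI "https://$host/")"; then
    echo "HSTS ok"
  else
    echo "HSTS missing or max-age too short"
  fi
  echo "== HTTP to HTTPS redirect"
  curl -sI "http://$host/" | grep -i '^location:'
  echo "== legacy protocols (SSLProtocol all -SSLv2 -SSLv3 still allows TLS 1.0/1.1)"
  for proto in ssl3 tls1 tls1_1; do
    if echo | openssl s_client -connect "$host:443" "-$proto" >/dev/null 2>&1; then
      echo "WARNING: $proto accepted"
    else
      echo "$proto refused (or not built into the local openssl)"
    fi
  done
}

if [ "${1:-}" = "--live" ]; then
  run_live_checks
fi
```

Run it as HOST=your.lpse.hostname ./tlscheck.sh --live from the server (or any machine that can reach it). A "refused" result for ssl3 can also mean the local openssl was built without SSLv3 support, which is why the live section says so; the SSL Labs scan remains the authoritative external view.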

yihuiii….
