How To Secure Apache with Let’s Encrypt on CentOS 7

Let’s Encrypt is a free, automated and open certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by Let’s Encrypt are valid for 90 days from the issue date and are trusted by all major browsers today.

In this tutorial, we will cover the steps necessary to install a free Let’s Encrypt SSL certificate on a CentOS 7 server running Apache as a web server. We will use the certbot utility to obtain and renew Let’s Encrypt certificates.

Before starting

Ensure that you have met the following prerequisites before continuing with this tutorial:

  • Have a domain name pointing to your public server IP. In this tutorial we will use example.com.
  • Have Apache installed and running on your server.
  • Have an Apache virtual host for your domain.
  • Have ports 80 and 443 open in your firewall.

Install Apache Web Server

If it is not already installed, the httpd daemon can be installed by issuing the command below:

# yum install httpd

Install the following packages which are required for an SSL encrypted web server:

# yum install mod_ssl openssl

Finally, start the Apache server with the following command:

# systemctl start httpd.service

Install Certbot

Before you can actually get a Let’s Encrypt certificate you need to install Certbot. Certbot is the official Let’s Encrypt client and also the easiest way to get a certificate. Open up a terminal and type the commands appropriate for your CentOS installation:

    $ sudo yum install epel-release
    $ sudo yum install certbot

Next, install the Certbot plugin associated with your web server. Certbot supports several web server plugins; for Apache on CentOS 7, install the following one:

# yum install certbot-apache

Set up Let’s Encrypt certificate on Apache

If your site is running the Apache web server, you can use the Certbot Apache plugin we installed earlier to automatically obtain and install your certificate:

$ sudo certbot --apache

The interactive procedure will guide you through all the information needed to sign the certificate. Optionally, if you have multiple virtual hosts/domains configured, Certbot will ask you to select the domains included in the new certificate.

If you don’t trust Certbot to install your certificate automatically, you can generate the certificate only (and install it manually later) using the following command:

$ sudo certbot --apache certonly

Here’s the output for a successful certificate issued:

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/YOURSITE.TLD/fullchain.pem. Your cert will
       expire on DATE. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot again with the
       "certonly" option. To non-interactively renew *all* of your
       certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

Set up Let’s Encrypt certificate using the Certbot webroot plugin

If you can’t or don’t want to use a specific plugin for your web server, you can still obtain a certificate using the webroot plugin. This plugin simply places the secrets needed to complete the authentication challenge in the selected directory. Although this method works with virtually every web server out there, the downside is that you will have to install the certificate manually.

To obtain a certificate through the webroot plugin do:

$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

This example (taken from the official Certbot site) will request a certificate for example.com and www.example.com, using the /var/www/example directory for the challenge files. If the procedure is successful you will get the certificate, but you will need to install it in your web server manually.

Automating renewal with cron

Whatever procedure you followed, you now have your certificate. Since Let’s Encrypt certificates are short-lived (90 days) you should renew them before they expire. You can do this manually (every 90 days) or you can automate the process using cron and the Certbot client.

Before actually setting up the auto renewal process, you may want to test the renewal with the following command:

$ sudo certbot renew --dry-run

If the certificate is installed correctly and everything is in order, you will see a message similar to this near the end of the output and you may proceed:

    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)
    Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/YOURSITE/fullchain.pem (success)

Alternatively, run the SSL Labs Server Test against your domain; a correctly configured server gets an A+ grade.

Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, we will create a cronjob which runs twice a day and automatically renews any certificate 30 days before its expiration.

Run the crontab command to create a new cronjob which will renew the certificate and reload Apache so that it picks up the new files:

$ sudo crontab -e
# Runs every 12 hours; the random sleep (up to 1 hour) spreads load on the Let's Encrypt servers.
# Note: root's crontab has no user column, and the "! -d /run/systemd/system" guard found in
# distribution cron files would skip the job on a systemd host such as CentOS 7, so neither is used here.
0 */12 * * * test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload httpd"

Save and close the file.
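A cron job that never fires (for example because of a bad crontab line) fails silently, so a second, independent check of the 30-day window is worth having. The following renewal watchdog is an added example, not part of the original tutorial or of Certbot: it reads the expiry date of every lineage under /etc/letsencrypt/live with the openssl CLI and exits non-zero when any certificate is inside the renewal window. It assumes GNU date and openssl, as on CentOS 7; LIVE_DIR and the optional second argument of days_left are hypothetical hooks for testing.

```shell
#!/bin/sh
# Let's Encrypt renewal watchdog (added example). Exit status 1 means at least
# one certificate is within RENEW_DAYS of expiry or could not be read.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # hypothetical override for testing
RENEW_DAYS=30                                  # certbot renews 30 days before expiry

# days_left NOTAFTER [NOW_EPOCH]: converts an openssl line such as
# "notAfter=Jan 15 12:00:00 2030 GMT" into whole days from now (negative once
# expired). NOW_EPOCH (seconds since 1970) makes the result reproducible.
days_left() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 1
    now="${2:-$(date -u +%s)}"
    echo $(( (end - now) / 86400 ))
}

# needs_renewal DAYS: true (0) when the certificate is inside the renewal window.
needs_renewal() {
    [ "$1" -le "$RENEW_DAYS" ]
}

# check_lineage DIR: prints "<lineage> <days left>"; returns 1 if renewal is due
# or the certificate cannot be read.
check_lineage() {
    cert="$1/cert.pem"
    [ -r "$cert" ] || { echo "$(basename "$1") unreadable"; return 1; }
    enddate=$(openssl x509 -in "$cert" -noout -enddate) || return 1
    days=$(days_left "$enddate") || return 1
    echo "$(basename "$1") $days"
    if needs_renewal "$days"; then return 1; fi
    return 0
}

# check_all: walks every lineage directory; returns 1 if any one needs attention.
check_all() {
    rc=0
    for d in "$LIVE_DIR"/*/; do
        [ -d "$d" ] || continue
        check_lineage "${d%/}" || rc=1
    done
    return $rc
}
```

Run it from a daily cron entry or a monitoring agent and alert on a non-zero exit; a healthy host renewed by the job above never reports fewer than about 30 days left.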

To test the renewal process, you can use the certbot command followed by the --dry-run switch:

$ sudo certbot renew --dry-run

In this tutorial, you used the Let’s Encrypt client, certbot, to obtain SSL certificates for your domain and configured Apache to use them. At the end of the tutorial you set up a cronjob for automatic certificate renewal.

If you want to learn more about how to use Certbot, its documentation and the Let’s Encrypt blog are a good starting point.

About the author

jon snow

Jon is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, and currently a content creator for ERRORHAT who loves working with computers and strongly believes in sharing knowledge.