How To Secure Apache with Let’s Encrypt on CentOS 7
Let’s Encrypt is a free, automated and open certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by Let’s Encrypt are valid for 90 days from the issue date and are trusted by all major browsers today.
In this tutorial, we will cover the steps necessary to install a free Let’s Encrypt SSL certificate on a CentOS 7 server running Apache as a web server. We will use the certbot utility to obtain and renew Let’s Encrypt certificates.
Testing Sample Environment
Ensure that you have met the following prerequisites before continuing with this tutorial:
- Have a domain name pointing to your public server IP. In this tutorial we will use
- Have Apache installed and running on your server.
- Have Apache virtual host for your domain.
- Have port 80 and 443 open in your firewall.
Install Apache Web Server
If it is not already installed, the httpd daemon can be installed by issuing the command below:
# yum install httpd
Install the following packages which are required for an SSL encrypted web server:
# yum install mod_ssl openssl
Finally, start the Apache server with the following command:
# systemctl start httpd.service
Install Certbot
Before you can actually get a Let’s Encrypt certificate you need to install Certbot. Certbot is the official Let’s Encrypt client and also the easiest way to get a certificate. Open up a terminal and type the commands appropriate for your CentOS installation:
$ sudo yum install epel-release
$ sudo yum install certbot
Next, install the Certbot plugin for your web server (on CentOS 7 this is a separate package). Certbot currently supports multiple plugins; for Apache, install:
# yum install certbot-apache
Set up Let’s Encrypt certificate on Apache
If your site is running the Apache web server, you can use the Certbot Apache plugin we installed earlier to automatically obtain and install your certificate:
$ sudo certbot --apache
The interactive procedure will guide you through all the information needed to sign the certificate. Optionally, if you have multiple virtual hosts/domains configured, Certbot will ask you to select the domains included in the new certificate.
If you don’t trust Certbot to install your certificate automatically, you can generate the certificate only (and install it manually later) using the following command:
$ sudo certbot certonly --apache
Here’s the output for a successful certificate issued:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOURSITE.TLD/fullchain.pem. Your cert will expire
   on DATE. To obtain a new or tweaked version of this certificate in the
   future, simply run certbot again with the "certonly" option. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this
   folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Set up Let’s Encrypt certificate using the Certbot webroot plugin
If you can’t or don’t want to use a specific plugin for your web server, you can still obtain a certificate using the webroot plugin. This plugin simply places the secrets needed to complete the authentication challenge in the selected directory. Although this method works with virtually every web server out there, the downside is that you will have to install the certificate manually.
To obtain a certificate through the webroot plugin do:
$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com
This example (taken from the official Certbot site) will request a certificate for example.com and www.example.com using the /var/www/example directory as the webroot. If the procedure is successful you will get the certificate, but you will need to install it in your web server manually.
Automating renewal with cron
Whichever procedure you followed, you now have your certificate. Since Let’s Encrypt certificates are short-lived (90 days) you should renew them before they expire. You can do this manually (every 90 days) or you can automate the process using cron and the Certbot client.
Before actually setting up the auto-renewal process, you may want to test the renewal with the following command:
$ sudo certbot renew --dry-run
If the certificate is installed correctly and everything is in order, nearing the end you will get a message similar to this and you may proceed:
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/YOURSITE/fullchain.pem (success)
You can also verify the deployed certificate with the SSL Labs Server Test, which should report an A+ grade.
Auto-renewing Let’s Encrypt SSL certificate
Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, we will create a cronjob which runs twice a day and automatically renews any certificate that is within 30 days of its expiration.
Use the crontab command to create a new cronjob which will renew the certificate and reload Apache so it picks up the new certificate:
$ sudo crontab -e
# Root's user crontab: no user field. Runs twice a day; the random sleep spreads
# renewal requests over an hour instead of hitting Let's Encrypt at the same minute.
# (Do not copy the "! -d /run/systemd/system" guard from Debian's /etc/cron.d/certbot:
# CentOS 7 runs systemd, so that guard would skip the renewal every time.)
0 */12 * * * test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload httpd"
Save and close the file.
To test the renewal process, run the certbot renew command with the --dry-run option:
$ sudo certbot renew --dry-run
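The checks below are an added example, not part of the original tutorial or of Certbot: after a manual (webroot) install they confirm that the certificate and private key you pointed Apache at actually belong together, and before trusting the cron job they show how many days are left and whether a certificate is already inside Certbot's 30-day renewal window. They assume openssl and GNU date are available; make_test_cert only builds a constructed self-signed stand-in for the Let's Encrypt files so the checks can run offline.

```shell
#!/bin/sh
# Added example (not from the tutorial): post-install and pre-renewal checks.
# Assumes openssl and GNU date (for "date -d") are installed.

# Print the number of whole days until the certificate in $1 expires.
days_until_expiry() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    exp=$(date -d "$enddate" +%s)
    now=$(date +%s)
    echo $(( (exp - now) / 86400 ))
}

# Exit 0 when the certificate is inside Certbot's default renewal window
# (fewer than 30 days left), i.e. when "certbot renew" would act on it.
needs_renewal() {
    [ "$(days_until_expiry "$1")" -lt 30 ]
}

# Exit 0 when the private key in $2 matches the public key in certificate $1,
# i.e. SSLCertificateFile and SSLCertificateKeyFile belong to the same pair.
# Compares SHA-256 digests of the DER-encoded public keys.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Constructed sample input: a self-signed cert valid for $1 days, written to
# $2.crt / $2.key. Stands in for /etc/letsencrypt/live/<site>/{cert,privkey}.pem.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.com" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}
```

On a live server, run key_matches_cert against /etc/letsencrypt/live/YOURSITE.TLD/cert.pem and /etc/letsencrypt/live/YOURSITE.TLD/privkey.pem (the cert/privkey file names are Certbot's standard layout); a mismatch means httpd will refuse to start with that pair.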
In this tutorial, you used the Let’s Encrypt client, certbot, to obtain SSL certificates for your domain and configured Apache to use them. At the end of the tutorial you set up a cronjob for automatic certificate renewal.