How to Secure Apache with Let’s Encrypt on CentOS 7?


For a secure website browsing experience, SSL encryption is crucial. Certificate Authority providers like Let’s Encrypt provide SSL certificates to protect sensitive data from being accessed by malicious hackers.

In this tutorial, we will walk you through the steps to use Certbot, a tool that streamlines the process of obtaining and installing TLS/SSL certificates from Let’s Encrypt. We will focus on setting this up on a CentOS 7 server with Apache as the web server, including the automatic renewal configuration.

Prerequisites

  • A CentOS 7 server with a non-root user possessing sudo privileges.
  • A basic firewall configuration.
  • Apache installed on the CentOS 7 server with a configured virtual host. Ensure a virtual host file for your website exists. In this example, we will use /etc/httpd/sites-available/example.com.conf.
  • A registered domain name for which you intend to obtain an SSL certificate. Bluehoster offers domain registration services at affordable prices. Choose a domain name and establish your online identity.
  • A DNS “A” record that points your registered domain to your server’s public IP address. This is crucial because Let’s Encrypt validates that you are the domain owner before issuing the certificate.

Once these requirements are met, you can proceed with the installation of the Let’s Encrypt client.

Steps to Install Let’s Encrypt on Apache CentOS 7

Installing the Certbot Let’s Encrypt Client

First, install Certbot and mod_ssl. mod_ssl is an Apache module that enables SSL v3 encryption.

The default CentOS repositories do not include the certbot package. Certbot requires the EPEL (Extra Packages for Enterprise Linux) repository to be enabled.

Run the following command to add the CentOS 7 EPEL repository:

sudo yum install epel-release

After enabling the repository, install the necessary packages:

sudo yum install certbot python2-certbot-apache mod_ssl

During the installation, you will be prompted to import a GPG key to verify the package’s authenticity. Type ‘y’ and press ENTER to accept this key.

After these packages are installed, you are ready to run Certbot and obtain your certificates.

Getting a Certificate

With Certbot installed, use it to request an SSL certificate for your registered domain. Certbot automates many steps involved in SSL certificate registration. Based on the provided parameters, it will obtain and install a new SSL certificate for your specified domain(s).

Run the following command to initiate interactive installation and obtain a certificate for a single domain:

sudo certbot --apache -d example.com

The -d flag specifies the domain for which the certificate will be configured. If you want to install a single certificate covering multiple domains or subdomains, include additional -d flag arguments:

sudo certbot --apache -d example.com -d www.example.com

Here, 'example.com' is the base domain. Let's Encrypt uses the first domain listed as the certificate's primary name, so list your base domain first, followed by its subdomains.

Alternatively, you can run certbot without specifying domains, which will allow you to configure your certificate step-by-step:

sudo certbot --apache

This method will ask you to agree to the terms of service and provide an email address (used for key recovery and expiry notices). If you don't specify domain names on the command line, Certbot will prompt you to choose a virtual host file. By default, the ssl.conf file is used.

You will also be asked whether to keep serving the site over both HTTP and HTTPS or to force a redirect to HTTPS. Forcing the redirect is the more secure choice unless you specifically need to allow unencrypted connections. Select your preference and press ENTER.

Output Example:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2

Successful installation will display a message similar to this:

Output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Generated certificates are stored in subdirectories of the `live` directory, named after the base domain for easy access. If issuance succeeded, the certificate has been downloaded, installed, and loaded into your Apache configuration. It is good practice to confirm that it is actually working.

Checking the Certificate Status

Verify the status of the SSL certificate on your domain by using this link, replacing example.com with your actual domain:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

This tool will analyze your server’s SSL connection and will give a graded letter rating based on the security and quality of the configuration. After the test, the page will show detailed tests and reports.

To better understand the grading system, search online for “SSL Labs grading scheme 2018”. You can also look at your browser and reload your site using https://. A green lock icon before your URL means the website is secure and using the certificate.

With your certificate verified, the next step is to set up automatic renewal so that it is replaced before it expires.

Auto Renew the Let’s Encrypt Certificate

SSL certificates expire, so renewal has to be automated. First, run the following command to test the renewal process. It simulates a renewal without changing your current certificate. During normal operation, renewal is triggered when the certificate is within 30 days of expiry.

sudo certbot renew --dry-run

The output should be similar to:

Output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org
-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)

The output might only show your base domain even if you created a single certificate for multiple domains. However, all included domains will still be covered by the renewal.

To ensure your certificates don’t expire, set up a cron job to run the renewal command automatically. Creating a cron job to execute weekly or even daily will not create problems, as renewal is checked against the expiry date. Renewal only happens when the certificate is within 30 days of expiration.

Use the following command to start editing the crontab file:

sudo crontab -e

Your default crontab file should be empty, and you can add a new line, as shown below:

crontab

. . .
15 3 * * * /usr/bin/certbot renew --quiet

This will execute the renewal command every day at 3:15am. You can adjust the time to suit your needs.

The renew command checks every certificate on your system and renews those within 30 days of expiration. The --quiet flag instructs Certbot to run silently, without output or user interaction.

With this cron job, your certificate will automatically renew at the appropriate interval.
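Because the cron job runs with --quiet, a broken renewal can go unnoticed until the certificate actually expires. The following POSIX shell script is an added example (not part of the original tutorial or of Certbot): it reads the expiry date of the live certificate with openssl and reports whether it is already inside the 30-day window in which certbot renew should have replaced it. It assumes GNU date (CentOS 7 coreutils) and the openssl CLI; the sample notAfter line is constructed to match the expiry date shown in the tutorial's output.

```shell
#!/bin/sh
# Added example: report days remaining on a Let's Encrypt certificate and
# whether it is inside Certbot's 30-day renewal window. Assumes GNU date
# and the openssl CLI; the certificate path follows the tutorial's layout.

RENEW_WINDOW_DAYS=30

# days_until_expiry NOTAFTER_LINE NOW_EPOCH
# NOTAFTER_LINE is the "notAfter=..." line printed by `openssl x509 -enddate`;
# NOW_EPOCH is the reference time in seconds since the epoch (passed in so the
# function can be checked against a fixed clock). Prints whole days remaining.
days_until_expiry() {
    notafter=${1#notAfter=}
    now=$2
    exp=$(date -u -d "$notafter" +%s) || return 1   # GNU date parses the openssl format
    echo $(( (exp - now) / 86400 ))
}

# renewal_due NOTAFTER_LINE NOW_EPOCH
# Succeeds (exit 0) when the certificate is within RENEW_WINDOW_DAYS of expiry,
# i.e. when `certbot renew` would actually replace it; fails otherwise.
renewal_due() {
    days=$(days_until_expiry "$1" "$2") || return 2
    [ "$days" -le "$RENEW_WINDOW_DAYS" ]
}

# check_live_cert DOMAIN
# Reads the live fullchain.pem Certbot installed for DOMAIN and prints the days
# remaining, warning when renewal is due but has evidently not happened.
check_live_cert() {
    pem="/etc/letsencrypt/live/$1/fullchain.pem"
    [ -r "$pem" ] || { echo "cannot read $pem (run as root?)" >&2; return 1; }
    line=$(openssl x509 -in "$pem" -noout -enddate) || return 1
    now=$(date +%s)
    days=$(days_until_expiry "$line" "$now") || return 1
    if renewal_due "$line" "$now"; then
        echo "WARNING: $1 expires in $days days; renewal is due, check 'certbot renew'" >&2
    else
        echo "$1: $days days until expiry"
    fi
}

# Constructed sample matching the expiry date shown in the tutorial's output.
SAMPLE_NOTAFTER="notAfter=Aug 14 12:00:00 2019 GMT"

# Demo against a fixed clock (2019-07-25 12:00 UTC, 20 days before expiry);
# the real check is: check_live_cert example.com
days_until_expiry "$SAMPLE_NOTAFTER" 1564056000
```

Run check_live_cert from a daily cron entry alongside the renewal job, or from a monitoring agent, and alert on the WARNING line.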

Conclusion

This tutorial covered how to install a Let's Encrypt SSL certificate on a CentOS 7 server running Apache, how to test automatic renewal, and how to set up a cron job that runs the renewal automatically. If you have more questions or need further help, the experts at Bluehoster are ready to assist.