Author: Cole BrazinskiLast Updated: Fri, Nov 5, 2021
Let's Encrypt is a free, automated, and open certificate authority provided by the Internet Security Research Group. In this tutorial, you use Certbot, a free, open-source tool used to streamline the installation process of Let's Encrypt SSL certificates for already configured web servers. SSL certificates are used to secure web traffic and allow HTTPS on websites.
Before setting up Certbot, you should:
The current recommended method of installing Certbot is through the snap package manager. To install the snap package manager through Yum, you must install the Extra Packages for Enterprise Linux (EPEL) repository, as snap is not present within the default CentOS repositories.
$ sudo yum install epel-release
With the EPEL repository added to your CentOS repositories, install the
$ sudo yum install snapd
After you've installed the
snapd package, it is necessary to enable it through the system service manager:
$ sudo systemctl enable --now snapd.socket
Create a system link to enable support for classic snaps:
$ ln -s /var/lib/snapd/snap /snap
Either log out and back in or restart to update snap's paths.
Update snapd to the latest version.
$ snap install core; snap refresh core
With the EPEL repository added, install Certbot through snap:
$ sudo snap install --classic certbot
Certbot automatically takes care of SSL certificate management and installation.
Specify a domain, and the current web server in use. In this example, the domain
example.com is receiving a certificate:
$ sudo certbot --apache -d example.com
If you require SSL for multiple domains, specify them using the following command, ensuring the first domain specified is the base domain:
$ sudo certbot --apache -d example.com -d www.example.com
After you run the command specified earlier, you will see step-by-step instructions with choices about the contact email address, forcing HTTPS, and various certificate settings.
When the certificate installation concludes, a similar message should appear on your screen:
IMPORTANT NOTES: - If you lose your account credentials, you can recover through emails sent to email@example.com. - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2019-04-21. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - Your account credentials have been saved in your Let's Encrypt configuration directory at / etc / letsencrypt. You should make a secure backup of this folder now. This configuration directory will also have certificates and private keys obtained by Let's Encrypt so regular backups of this folder is ideal.
Let's Encrypt certificates are valid for 90 days and have to be manually renewed afterward. It's suggested to renew the certificates after 60 days though, to prevent potential issues. You can renew certificates by using the following command:
$ sudo certbot renew
To enable automatic certification renewal, create a new cronjob:
$ sudo crontab -e
And then schedule the task to run every Monday at midnight:
$ 0 0 * * 1 / usr / bin / certbot renew >> /var/log/sslrenew.log
Note: The script logs to the /var/log/sslrenew.log file.
You've just configured SSL and enabled HTTPS on your Apache web server. As a result, all traffic going through your server is now encrypted.