How to Install Let's Encrypt SSL on CentOS 7 Running Apache Web Server

Updated on March 29, 2019

Introduction

In this tutorial, you will learn how to install a TLS/SSL certificate on the Apache web server. When finished, all traffic between server and client will be encrypted. This is standard practice for protecting e-commerce sites and other online financial services. Let's Encrypt is the pioneer in implementing free SSL and will be used as the certificate provider in this case.

Prerequisites

Before you begin this guide, you will need the following:

  • SSH root access to a CentOS 7 VPS
  • Apache web server with domain and vhost configured correctly
  • A non-root sudo user

Installing dependent modules

To install certbot, you first have to install the EPEL repository, because certbot is not available in the default repositories. mod_ssl is also required so that Apache can serve encrypted connections:

sudo yum install -y epel-release mod_ssl

Downloading the Let's Encrypt client

Next, you will install the certbot client from the EPEL repository:

sudo yum install python-certbot-apache

Obtain and configure the SSL certificate

Certbot handles SSL certificate management for you. It generates a new certificate for each domain you pass as a parameter.

In this case, example.com will be used as the domain to which the certificate will be issued:

sudo certbot --apache -d example.com

If you want to generate SSL for multiple domains or sub-domains, use the following command:

sudo certbot --apache -d example.com -d www.example.com

Note: The first domain should be your base domain, in this example: example.com.

When you install the certificate, you will receive a step-by-step guide that will allow you to customize the certificate details. You will be able to choose between forcing HTTPS or leaving HTTP as the default protocol. Providing an email address will be required as well, for security reasons.

When the installation is complete, you will receive a message similar to the following:

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
emails sent to user@example.com.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2019-04-21. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also have certificates and private keys obtained by Let's
Encrypt so regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

Configuring automatic certificate renewal

Let's Encrypt certificates are valid for 90 days. It is recommended to renew them within 60 days, in order to avoid any problems. The certbot renew command takes care of this. It checks whether the certificate is less than 30 days from expiration and renews it only in that case:

sudo certbot renew

If the installed certificate is recent, certbot will only verify its expiration date:

Processing  /etc/letsencrypt/renewal/example.com.conf
The following certs are not due for renewal yet:
	/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.

To automate this renewal process, you can set up a cronjob. First, open the crontab:

sudo crontab -e

The renewal can safely be scheduled to run every Monday at midnight:

0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log

The output of the command will be appended to the /var/log/sslrenew.log file.
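
An added example, not part of the original tutorial: a small check that complements the cron job by reporting when the certificate has fewer days left than certbot's 30-day renewal window should allow, which indicates that the scheduled renewals are failing. The function names, the 20-day default threshold and the throwaway self-signed sample certificate are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): detect a certificate that certbot
# should already have renewed, so a broken cron job is noticed in time.

# cert_status FILE DAYS
# Prints "ok", "expiring" or "unreadable"; returns 0, 1 or 2 respectively.
cert_status() {
    cert=$1
    days=$2
    # Reject missing files and files that do not parse as a PEM certificate.
    if [ ! -r "$cert" ] || ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N succeeds only if the certificate is still valid N seconds from now.
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo expiring
    return 1
}

# make_sample_cert FILE DAYS
# Constructed sample input: a throwaway self-signed certificate valid for
# DAYS days. The matching private key is deleted immediately.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.com" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1 && rm -f "$1.key"
}

# Usage: ./check-cert.sh /etc/letsencrypt/live/example.com/fullchain.pem [DAYS]
# DAYS defaults to 20 (an assumed threshold): certbot renews at 30 days left,
# so fewer than 20 days left means the renewals have not been succeeding.
if [ "$#" -gt 0 ]; then
    status=$(cert_status "$1" "${2:-20}") && rc=0 || rc=$?
    echo "$(date '+%F %T') $1: $status"
    exit "$rc"
fi
```

Scheduled next to the renewal job, the script exits non-zero and logs "expiring" or "unreadable" when the certificate needs attention.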

Conclusion

You just secured your Apache web server by implementing a free SSL certificate. From now on all traffic between server and client is encrypted.