How to Install a Let's Encrypt SSL/TLS Certificate on CentOS 7 with Apache Web Server

Updated on November 5, 2021

Introduction

Let's Encrypt is a free, automated, and open certificate authority provided by the Internet Security Research Group. In this tutorial, you use Certbot, a free, open-source tool used to streamline the installation process of Let's Encrypt SSL certificates for already configured web servers. SSL certificates are used to secure web traffic and allow HTTPS on websites.

Prerequisites

Before setting up Certbot, you should:

Install Snap

  1. The current recommended method of installing Certbot is through the snap package manager. To install the snap package manager through Yum, you must install the Extra Packages for Enterprise Linux (EPEL) repository, as snap is not present within the default CentOS repositories.

     $ sudo yum install epel-release
  2. With the EPEL repository added to your CentOS repositories, install the snapd package:

     $ sudo yum install snapd
  3. After you've installed the snapd package, it is necessary to enable it through the system service manager:

     $ sudo systemctl enable --now snapd.socket
  4. Create a symbolic link to enable support for classic snaps:

     $ sudo ln -s /var/lib/snapd/snap /snap
  5. Either log out and back in or restart to update snap's paths.

  6. Update snapd to the latest version.

     $ sudo snap install core; sudo snap refresh core

Install Certbot

With the EPEL repository added, install Certbot through snap:

$ sudo snap install --classic certbot

Get SSL Certificate

Certbot automatically takes care of SSL certificate management and installation. Specify a domain, and the current web server in use. In this example, the domain example.com is receiving a certificate:

$ sudo certbot --apache -d example.com

If you require SSL for multiple domains, specify them using the following command, ensuring the first domain specified is the base domain:

$ sudo certbot --apache -d example.com -d www.example.com

After you run the command specified earlier, you will see step-by-step instructions with choices about the contact email address, forcing HTTPS, and various certificate settings.

When the certificate installation concludes, a similar message should appear on your screen:

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
emails sent to user@example.com.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2019-04-21. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also have certificates and private keys obtained by Let's
Encrypt so regular backups of this folder is ideal.

Enabling Automatic Certificate Renewal

Let's Encrypt certificates are valid for 90 days and have to be manually renewed afterward. It's suggested to renew the certificates after 60 days though, to prevent potential issues. You can renew certificates by using the following command:

$ sudo certbot renew

To enable automatic certificate renewal, create a new cron job:

$ sudo crontab -e

Then add the following line to schedule the task to run every Monday at midnight:

0 0 * * 1 /snap/bin/certbot renew >> /var/log/sslrenew.log 2>&1

Note: The script logs to the /var/log/sslrenew.log file.
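
A cron job that fails only writes to its log, so it helps to check the certificates themselves. The following script is an added example, not part of the original tutorial: it reads the expiry date of each fullchain.pem under the Let's Encrypt live directory and flags any certificate with fewer than 30 days left, which means the renewal at the 60-day mark did not happen. The function names, the WARN_DAYS threshold and the check.sh file name are assumptions made for this example; it needs the openssl command and GNU date.

```sh
#!/bin/sh
# Added example (not from the original tutorial): flag certificates that the
# weekly renewal job should already have replaced.
# Assumptions: openssl CLI and GNU date; the 30-day WARN_DAYS threshold is
# the 90-day lifetime minus the 60-day renewal point.
WARN_DAYS="${WARN_DAYS:-30}"

# days_left EXPIRY_EPOCH NOW_EPOCH -> whole days until expiry
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# cert_status EXPIRY_EPOCH NOW_EPOCH -> EXPIRED, RENEWAL_OVERDUE or OK
cert_status() {
    remaining=$(( $1 - $2 ))
    if [ "$remaining" -le 0 ]; then
        echo EXPIRED
    elif [ "$remaining" -lt $(( $WARN_DAYS * 86400 )) ]; then
        echo RENEWAL_OVERDUE
    else
        echo OK
    fi
}

# not_after_epoch PEM -> expiry of the first (leaf) certificate as a Unix timestamp
not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1  # "notAfter=<date>"
    date -d "${end#notAfter=}" +%s
}

# check_all LIVE_DIR -> one line per certificate; returns 1 if any needs attention
check_all() {
    now=$(date +%s); rc=0
    for pem in "$1"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        expiry=$(not_after_epoch "$pem") || { echo "UNREADABLE $pem"; rc=1; continue; }
        status=$(cert_status "$expiry" "$now")
        echo "$status $(days_left "$expiry" "$now")d $pem"
        [ "$status" = OK ] || rc=1
    done
    return "$rc"
}

# Runs only when a directory is passed, e.g.: sudo sh check.sh /etc/letsencrypt/live
if [ "$#" -gt 0 ]; then
    check_all "$1"
fi
```

The script exits with a non-zero status when any certificate is expired, unreadable or past its renewal point, so it can be scheduled from cron or called by a monitoring tool.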

Conclusion

You've just configured SSL and enabled HTTPS on your Apache web server. As a result, traffic between visitors and your website over HTTPS is now encrypted.