How to Install Let’s Encrypt SSL on CentOS 7 Running Apache Web Server

In this tutorial, you will learn the procedure of TLS/SSL certificate installation on Apache web server. Once you are finished, all traffic between server and client will be encrypted. This is a standard practice of securing e-commerce websites and other financial services online. Let’s Encrypt is the pioneer in free SSL implementation and it will be used as the certificate provider in this case.

What you’ll need

Before you begin this guide you’ll need the following:

• SSH root access to the CentOS 7 VPS
• The Apache web server with properly configured domain and vhost

Step 1 — Installing dependent modules

In order to install certbot you will have to install EPEL repository as it’s not available by default, mod_ssl is also required for the encryption to be recognized by the Apache.

To install both these dependencies, please run this command:

yum install epel-release mod_ssl

Now you should be ready to proceed further and install the certbot itself.

Step 2 — Downloading the Let’s Encrypt client

Next, you will install the certbot client from EPEL repository:

yum install python-certbot-apache

The certbot should now be installed and available for actual use.

Step 3 — Setting up the SSL certificate

Certbot will handle the SSL certificate management quite easily, it will generate a new certificate for provided domain as a parameter.

In this case, example.com will be used as the domain for which the certificate will be issued:

certbot --apache -d example.com

If you want to generate SSL for multiple domains or subdomains, please run this command:

certbot --apache -d example.com -d www.example.com

While installing the certificate you will be presented with a step-by-step guide which will let you customize certificate details. You will be able to choose between forcing HTTPS or leaving HTTP as the default protocol, providing an email address will be required as well for security purposes.

Once the installation completes, you should be presented with similar message:

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to user@example.com.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 4 — Setting up auto renewal of the certificate

Let’s Encrypt certificates are valid for 90 days, but every web professional will recommend you to renew it within 60 days in order to avoid any issues. To accomplish this, the certbot will help us with its renew command. It will check if the certificate is less than 30 days away from expiration.

Please run this command to proceed:

certbot renew

If the installed certificate is recent, the certbot will only check for its expiration date:

Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.

To automate this renewal process you could setup a cronjob. Firstly, open the crontab:

crontab -e

This job can be safely scheduled to run every Monday at midnight:

0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log

The output of the script will be piped to /var/log/sslrenew.log file.

Conclusion

You have just secured your Apache web server by implementing the most anticipated security feature – free SSL certificate! From now on all traffic between server and client is encrypted, you can be assured that no one could intercept the communication and alter or steal crucial information.