How to Install Let’s Encrypt SSL on CentOS 7 Running Apache Web Server

VPS

access_time

February 4, 2019

hourglass_empty

3min Read

person_outline

Edgaras G.

How to Install Let’s Encrypt SSL on CentOS 7 Running Apache Web Server

In this tutorial, you will learn the procedure of TLS/SSL certificate installation on Apache web server. Once you are finished, all traffic between server and client will be encrypted. This is a standard practice of securing e-commerce websites and other financial services online. Let’s Encrypt is the pioneer in free SSL implementation and it will be used as the certificate provider in this case.

What you’ll need

Before you begin this guide you’ll need the following:

  • SSH root access to the CentOS 7 VPS
  • The Apache web server with properly configured domain and vhost

Step 1 — Installing dependent modules

In order to install certbot you will have to install EPEL repository as it’s not available by default, mod_ssl is also required for the encryption to be recognized by the Apache.

To install both these dependencies, please run this command:

yum install epel-release mod_ssl

Now you should be ready to proceed further and install the certbot itself.

Step 2 — Downloading the Let’s Encrypt client

Next, you will install the certbot client from EPEL repository:

yum install python-certbot-apache

The certbot should now be installed and available for actual use.

Step 3 — Setting up the SSL certificate

Certbot will handle the SSL certificate management quite easily, it will generate a new certificate for provided domain as a parameter.

In this case, example.com will be used as the domain for which the certificate will be issued:

certbot --apache -d example.com

If you want to generate SSL for multiple domains or subdomains, please run this command:

certbot --apache -d example.com -d www.example.com

IMPORTANT! The first domain should be your base domain, in this sample it’s example.com

While installing the certificate you will be presented with a step-by-step guide which will let you customize certificate details. You will be able to choose between forcing HTTPS or leaving HTTP as the default protocol, providing an email address will be required as well for security purposes.

Once the installation completes, you should be presented with similar message:

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to user@example.com.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 4 — Setting up auto renewal of the certificate

Let’s Encrypt certificates are valid for 90 days, but every web professional will recommend you to renew it within 60 days in order to avoid any issues. To accomplish this, the certbot will help us with its renew command. It will check if the certificate is less than 30 days away from expiration.

Please run this command to proceed:

certbot renew

If the installed certificate is recent, the certbot will only check for its expiration date:

Processing /etc/letsencrypt/renewal/example.com.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.

To automate this renewal process you could setup a cronjob. Firstly, open the crontab:

crontab -e

This job can be safely scheduled to run every Monday at midnight:

0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log

The output of the script will be piped to /var/log/sslrenew.log file.

Conclusion

You have just secured your Apache web server by implementing the most anticipated security feature – free SSL certificate! From now on all traffic between server and client is encrypted, you can be assured that no one could intercept the communication and alter or steal crucial information.

The Author

Author

Edgaras G. / @edgaras

Edgaras is a veteran server administrator at Hostinger. He makes sure that every server runs at full throttle and has all the latest technological advancements. When he's not working, Edgaras enjoys skiing and exploring the world.

Featured tutorials

How to Make a Website – The All-in-One Guide

14 Nov • Drupal Joomla! WordPress

How to Make a Website – The All-in-One Guide

Read More →
How to Start a Blog – The Complete Guide

21 Aug • WordPress

How to Start a Blog – The Complete Guide

Read More →
How to Buy a Domain Name – A Simple Guide

12 Jul • Domain

How to Buy a Domain Name – A Simple Guide

Read More →

Related tutorials

How to Make a Minecraft Server – The Complete Tutorial

02 Dec • VPS

How to Make a Minecraft Server – The Complete Tutorial

Read More →
Iptables Tutorial – Securing Ubuntu VPS with Linux Firewall

29 Nov • VPS

Iptables Tutorial – Securing Ubuntu VPS with Linux Firewall

Read More →
How to Install and Use Nano Text Editor: A Beginner’s Tutorial

21 Nov • SSH VPS

How to Install and Use Nano Text Editor: A Beginner’s Tutorial

Read More →

Leave a reply

Comment*

Name*

Email*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Become a part of Hostinger now!

Get Started NOW