Introduction
In this tutorial, you will learn the procedure of TLS/SSL certificate installation on Apache web server. Once you are finished, all traffic between server and client will be encrypted. This is a standard practice of securing e-commerce websites and other financial services online. Let’s Encrypt is the pioneer in free SSL implementation and it will be used as the certificate provider in this case.
What you’ll need
Before you begin this guide you’ll need the following:
- SSH root access to the CentOS 7 VPS
- The Apache web server with properly configured domain and vhost
Table of Contents
Step 1 — Installing dependent modules
In order to install certbot you will have to install EPEL repository as it’s not available by default, mod_ssl is also required for the encryption to be recognized by the Apache.
To install both these dependencies, please run this command:
yum install epel-release mod_ssl
Now you should be ready to proceed further and install the certbot itself.
Step 2 — Downloading the Let’s Encrypt client
Next, you will install the certbot client from EPEL repository:
yum install python-certbot-apache
The certbot should now be installed and available for actual use.
Step 3 — Setting up the SSL certificate
Certbot will handle the SSL certificate management quite easily, it will generate a new certificate for provided domain as a parameter.
In this case, example.com will be used as the domain for which the certificate will be issued:
certbot --apache -d example.com
If you want to generate SSL for multiple domains or subdomains, please run this command:
certbot --apache -d example.com -d www.example.com
IMPORTANT! The first domain should be your base domain, in this sample it’s example.com
While installing the certificate you will be presented with a step-by-step guide which will let you customize certificate details. You will be able to choose between forcing HTTPS or leaving HTTP as the default protocol, providing an email address will be required as well for security purposes.
Once the installation completes, you should be presented with similar message:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to user@example.com.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2016-04-21. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-leStep 4 — Setting up auto renewal of the certificate
Let’s Encrypt certificates are valid for 90 days, but every web professional will recommend you to renew it within 60 days in order to avoid any issues. To accomplish this, the certbot will help us with its renew command. It will check if the certificate is less than 30 days away from expiration.
Please run this command to proceed:
certbot renew
If the installed certificate is recent, the certbot will only check for its expiration date:
Processing /etc/letsencrypt/renewal/example.com.conf
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.To automate this renewal process you could setup a cronjob. Firstly, open the crontab:
crontab -e
This job can be safely scheduled to run every Monday at midnight:
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log
The output of the script will be piped to /var/log/sslrenew.log file.
Conclusion
You have just secured your Apache web server by implementing the most anticipated security feature – free SSL certificate! From now on all traffic between server and client is encrypted, you can be assured that no one could intercept the communication and alter or steal crucial information.
Add Comment