Lets Encrypt on CentOS 7 with Apache

0
(0)

Install Let’s Encrypt on CentOS 7 with Apache

Let’s Encrypt is a certification authority that offers free X.509 certificates for Transport Layer Security (TLS). This tutorial explains how to perform Let’s Encrypt SSL using the ACME process with certbot and how to implement Let’s Encrypt on a CentOS 7 host with Apache web server.

Assuming that the Apache web server is already installed, the domain is configured as Apache VirtualHost, and the domain is dissolvable in DNS, with an A-record in the forward zone of that domain, or a quad-A record for the server is entered for IPv6. Furthermore, the server must be accessible via port 80 for the ACME Challenge.

For installation we want to become root.

su -
Password:
Last login: Tue Jan 15 06:25:52 CET 2019 on pts/0
yum -y install epel-release
yum -y install mod_ssl python-certbot-apache

Now restart the Apache web server.

systemctl restart httpd

Open the firewall for SSL with the service port 443.

firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent

Now let the certbot generate the SSL certificate.

certbot --apache -d mydomain.com -d www.mydomain.com

The first domain should be the base domain. In this example, it is called mydomain.com to replace it with the actual domain name.

The output of the certbot looks something like this.

certbot --apache -d mydomain.com -d www.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Created to SSL vhost at /etc/httpd/conf.d/mydomain-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/mydomain-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number[1-2] then [enter](press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/mydomain.conf to ssl vhost in /etc/httpd/conf.d/mydomain-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mydomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2019-04-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Finally, the URL can be tested.

curl -k https://mydomain.com

Get the URL in the browser and verify it with SSL Labs.

https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com
SSL Labs SSL Analyzing Report

The Let’s Encrypt certificate is valid for 90 days. For the automatic renewal of the certificate, we create a new cron job.

crontab -e
 
0 0 * * 0 /usr/bin/certbot renew >> /var/log/certbot.log

The certificate is checked once a week at midnight for renewal.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

Leave a Reply

Your email address will not be published.