Are you looking for an easy-to-follow tutorial to learn how to secure Apache with “Let’s Encrypt” SSL Certificates on CentOS 8? Then keep on reading.
“Let’s Encrypt” is a free, open, and automated certificate authority (CA) that provides digital certificates to enable secure HTTPS (SSL/TLS) connections to websites. It comes from the nonprofit organization Internet Security Research Group (ISRG).
Securing your web server is crucial to gain the trust of your visitors. With “Let’s Encrypt”, you can do that for absolutely no cost. There is no renewal fee either.
We will see the whole process of doing it. But before that, you should know about the prerequisites.
Prerequisites to Secure Apache with Let’s Encrypt Certificate
Some requirements before you start following this tutorial:
- An Apache web server.
If you don’t have Apache installed, you can install it using the following command:
$ sudo dnf install httpd
You can check if the server is running successfully with this command:
$ sudo systemctl status httpd
- A registered domain name that you want to secure with an SSL certificate.
- A static IP address for your server.
- DNS records for your domain to point to your server’s IP address. Specifically, you will need to set up an ‘A’ record for your domain that points to your server’s IP address.
- Allow traffic on ports 80 and 443 through your firewall. You can do this by running the following commands:
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload
How to Secure Apache With “Let’s Encrypt” SSL Certificate
Now you will go through the required steps to secure Apache with “Let’s Encrypt” on your CentOS machine. It may seem daunting at first. But if you follow the instructions and run the commands as shown, it shouldn’t feel that hard.
So then, let’s go through each step.
Install ‘certbot’ and ‘mod_ssl’
‘certbot’ is a free, open-source software tool for obtaining and installing digital certificates from “Let’s Encrypt”.
‘mod_ssl’ is an optional Apache module. It enables strong cryptography for the web server.
Before you can install ‘certbot’, you need to add the Extra Packages for Enterprise Linux (EPEL) repo to your system using this command:
$ sudo dnf install epel-release
After that, install ‘certbot’, its Apache plugin and ‘mod_ssl’ with the following command:
$ sudo dnf install certbot python3-certbot-apache mod_ssl
Create an Apache Virtual Host
Since you’re using Apache, you can host multiple domains using a single IP address. But to do that, you will need to create a virtual host first.
Create a directory for storing the necessary files with this command:
$ sudo mkdir /var/www/yoursite.com
You can create a test file and put it here. Use this command (the file is written through ‘tee’ so that the write itself runs with root privileges; a plain ‘sudo echo … >’ would redirect as your own user and fail):
$ echo "<h1>This is a test Apache Virtual Host</h1>" | sudo tee /var/www/yoursite.com/index.html
After that, create a virtual host file with the following command (the ‘.conf’ extension matters: Apache on CentOS only loads files matching ‘conf.d/*.conf’):
$ sudo nano /etc/httpd/conf.d/yoursite.com.conf
For the configuration itself, use this template. It is a plain-HTTP virtual host on port 80; ‘certbot’ needs it to answer the HTTP validation challenge and will create the matching HTTPS (port 443) virtual host for you:
# Plain-HTTP virtual host on port 80. certbot's Apache plugin creates
# the matching :443 virtual host with the SSL directives when you run it.
<VirtualHost *:80>
    ServerName yoursite.com
    ServerAlias www.yoursite.com
    DocumentRoot /var/www/yoursite.com/

    <Directory /var/www/yoursite.com/>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog /var/log/httpd/www.yoursite.com-error.log
    CustomLog /var/log/httpd/www.yoursite.com-access.log combined
</VirtualHost>
Save with “Ctrl+O”. And then exit with “Ctrl+X”.
When that’s done, hand ownership of the document root to the ‘apache’ user so the web server can read the files:
$ sudo chown -R apache:apache /var/www/yoursite.com
The last thing to do is to restart Apache so it picks up the new virtual host. Use this command:
$ sudo systemctl restart httpd
Get the “Let’s Encrypt” Certificate
The next step is obtaining the certificate for your domain.
Since we’re using ‘certbot’, it automates most of the process of getting the certificate. To obtain and install a certificate for a single domain, use the command below:
$ sudo certbot --apache -d yoursite.com
You can also pass additional domains or subdomains after the first one. The first domain becomes the base name of the certificate (and of its directory under /etc/letsencrypt/live), and every extra name needs its own -d flag.
The command looks like this:
$ sudo certbot --apache -d yoursite.com -d www.yoursite.com
If you pass no domain at all, ‘certbot’ lists the names it finds in your Apache config (ServerName and ServerAlias entries) and asks you to choose. The command is as follows:
$ sudo certbot --apache
You will be taken through an installation process. Complete each step to finish installing the certificates.
If you correctly followed the steps and installed the certificates, you will be congratulated with a message like this:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yoursite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yoursite.com/privkey.pem
   Your cert will expire on yyyy-mm-dd. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
You can find the certificates in the “/etc/letsencrypt/live” directory.
Test Your Certificate and Setup
There are a few ways you can test this. One way is to visit your domain on a web browser.
1. Open a browser and visit your domain.
2. Notice the URL. You should see a lock icon. Click on it.
3. Go to Connection is Secure > Certificate is Valid (This is if you’re using Google Chrome. Other browsers may have a different path).
You can find all the details, such as the name of the organization the certificate was issued by, the validity period, and fingerprints.
Another way is to test the certificate on ‘Qualys’. You can do so by opening this URL on a web browser and entering your domain.
If all goes well, you should get an ‘A’ grade on the test. But if you didn’t get the expected score, see how you can improve it. And if it’s because you failed to install the certificate, go back and cross-check the steps.
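As an added check that is not part of the original tutorial, the POSIX shell script below reports how many days a certificate file has left and flags it once it falls inside the 30-day window in which ‘certbot renew’ would replace it, which is handy to run from the same cron schedule as the renewal. It assumes ‘openssl’ and GNU ‘date’ are installed; the script name check_cert.sh is hypothetical and the certificate path is the fullchain.pem location certbot printed above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Checks a Let's Encrypt certificate file for remaining validity.
# Assumes: openssl and GNU date are installed.

RENEW_WINDOW_DAYS=30   # certbot renew acts when fewer than 30 days remain

# Print the whole days until the certificate in $1 expires ("?" if date(1)
# cannot parse the notAfter field). Returns 2 if $1 is not a readable cert.
days_until_expiry() {
    raw=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 2
    end_epoch=$(date -d "${raw#notAfter=}" +%s 2>/dev/null) || { echo "?"; return 0; }
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# Return 0 if the certificate in $1 stays valid for more than $2 days,
# 1 if it expires within that window (or already has), 2 on read error.
# The decision uses openssl's own -checkend, so it does not depend on date(1).
check_renewal_window() {
    left=$(days_until_expiry "$1") || return 2
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo "OK: $1 has $left days left"
        return 0
    fi
    echo "WARNING: $1 expires within $2 days ($left days left)"
    return 1
}

# Stand-alone use: ./check_cert.sh /etc/letsencrypt/live/yoursite.com/fullchain.pem
if [ $# -gt 0 ]; then
    check_renewal_window "$1" "$RENEW_WINDOW_DAYS"
fi
```

A non-zero exit status from the script means the certificate is inside the renewal window or unreadable, so a cron job can mail you only when something needs attention.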
Auto Renew the Certificate
“Let’s Encrypt” certificate validity lasts for 90 days. But you can renew them for free. Even better, you can automate this renewal process, thanks to ‘certbot’. For this, you need to run the below command:
$ sudo certbot renew --dry-run
The ‘renew’ command checks every certificate it manages and tries to renew those that have fewer than 30 days of validity left.
The ‘--dry-run’ option simulates that renewal against the staging environment without saving any certificates, so you can confirm the setup works before the real renewal is due.
After running the command, you should receive a message like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yoursite.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/yoursite.com/fullchain.pem (success)
…
You can also use ‘cron’ to set auto-renewal. If you choose the ‘cron’ method, then the recommended usage is twice per day.
And then, you have to append the following script to the crontab file:
$ echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
This article shows you how to secure Apache with a “Let’s Encrypt” SSL certificate on CentOS 8. We’ve covered the prerequisites so that you’re ready to begin the process by yourself. We’ve also shown you each command and its output.
Of course, it’s not an easy task, but if you follow this tutorial properly, you can get your domain name certified in no time. If you still face any problems, let us know in the comments below.
If this guide helped you, please share it.