Are you looking for an easy-to-follow tutorial to learn how to secure Apache with “Let’s Encrypt” SSL Certificates on CentOS 8? Then keep on reading.
”Let’s Encrypt” is a free, open, and automated certificate authority (CA) that provides digital certificates to enable secure HTTPS (SSL/TLS) connections to websites. It comes from the nonprofit organization Internet Security Research Group (ISRG).
Securing your web server is crucial to gain the trust of your visitors. With ”Let’s Encrypt”, you can do that for absolutely no cost. There is no renewal fee either.
We will see the whole process of doing it. But before that, you should know about the prerequisites.
Prerequisites to Secure Apache with Let’s Encrypt Certificate
Some requirements before you start following this tutorial:
- An Apache web server.
If you don’t have Apache installed, you can install it using the following command:
$ sudo dnf install httpdYou can check if the server is running successfully with this command:
$ sudo systemctl status httpd- A registered domain name that you want to secure with an SSL certificate.
- A static IP address for your server.
- DNS records for your domain to point to your server’s IP address. Specifically, you will need to set up an ‘A’ record for your domain that points to your server’s IP address.
- Allow traffic on ports 80 and 443 through your firewall. You can do this by running the following commands:
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reloadHow to Secure Apache With “Let’s Encrypt” SSL Certificate
Now you will go through the required steps to secure Apache with “Let’s Encrypt” on your CentOS machine. It may seem daunting at first. But if you follow the instructions and run the commands as shown, it shouldn’t feel that hard.
So then, let’s go through each step.
Install ‘certbot’ and ‘mod_ssl’
‘certbot’ is a free, open-source software tool for obtaining and installing digital certificates from ”Let’s Encrypt”.
‘mod_ssl’ is an optional Apache module. It enables strong cryptography for the web server.
Before you can install ‘certbot’, you need to add the Extra Packages for Enterprise Linux (EPEL) repo to your system using this command:
$ sudo dnf install epel-releaseAfter that, you can install ‘certbot’ now. Install it and other packages with the following command:
$ sudo dnf install certbot python3-certbot-apache mod_sslCreate an Apache Virtual Host
Since you’re using Apache, you can host multiple domains using a single IP address. But to do that, you will need to create a virtual host first.
Create a directory for storing the necessary files with this command:
$ sudo mkdir /var/www/yoursite.comYou can create a test file and put it here. Use this command:
$ sudo echo “<h1>This is a test Apache Virtual Host</h1>” > /var/www/yoursite.com/index.htmlAfter that, create a virtual host file with the following command:
$ sudo nano /etc/httpd/conf.d/yoursite.comFor the configuration itself, use this template:
<VirtualHost *:443>
ServerName yoursite.com
ServerAlias www.yoursite.com
DocumentRoot /var/www/yoursite.com/
<Directory /var/www/yoursite.com/>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/httpd/www.yoursite.com-error.log
CustomLog /var/log/httpd/www.yoursite.com-access.log combined
</VirtualHost>Save with “Ctrl+O”. And then exit with “Ctrl+X”.
When that’s done, change the permission settings for the configuration file with this command:
$ sudo chown -R apache:apache /var/www/yoursite.comThe last thing to do is to restart the Apache device. Use this command:
$ sudo systemctl restart httpdGet the “Let’s Encrypt” Certificate
The next step is obtaining the certificate for your domain.
Since we’re using ‘certbot’, it automates a lot of the process of getting the certificate. To install a single domain certificate, use the command below:
$ sudo certbot --apache -d yoursite.comAnother way to use this command is to add several parameters as domains or subdomains after the first domain. This ensures that the first domain is the base domain. You will need to add the -d flag with every parameter.
The command looks like this:
$ sudo certbot --apache -d yoursite.com -d www.yoursite.comIf you decide not to use any parameter, then ‘certbot’ will ask you for one depending on your Apache config. The command is as follows:
$ sudo certbot --apacheYou will be taken through an installation process. Complete each step to finish installing the certificates.
If you correctly followed the steps and installed the certificates, you will be congratulated with a message like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yoursite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yoursite.com/privkey.pem
Your cert will expire on yyyy-mm-dd. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-leYou can find the certificates in the “/etc/letsencrypt/live directory”.
Test Your Certificate and Setup
There are a few ways you can test this. One way is to visit your domain on a web browser.
1. Open a browser and visit your domain.
2. Notice the URL. You should see a lock icon. Click on it.
3. Go to Connection is Secure > Certificate is Valid (This is if you’re using Google Chrome. Other browsers may have a different path).
You can find all the details, such as the name of the organization the certificate was issued by, the validity period, and fingerprints.
Another way is to test the certificate on ‘Qualys’. You can do so by opening this URL on a web browser and entering your domain.
If all goes well, you should get an ‘A’ grade on the test. But if you didn’t get the expected score, see how you can improve it. And if it’s because you failed to install the certificate, go back and cross-check the steps.
Auto Renew the Certificate
”Let’s Encrypt” certificate validity lasts for 90 days. But you can renew them for free. Even better, you can automate this renewal process, thanks to ‘certbot’. For this, you need to run the below command:
$ sudo certbot renew --dry-runThe ‘renew’ command will check if the validity of your certificates is less than 30 days or not try to renew them.
The ‘–dry-run’ option allows you to create a simulation of the command.
After running the command, you should receive a message like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yoursite.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/yoursite.com/fullchain.pem (success)
…You can also use ‘cron’ to set auto-renewal. If you choose the ‘cron’ method, then the recommended usage is twice per day.
And then, you have to append the following script to the crontab file:
$ echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/nullFinal Thoughts
This article shows you how to secure Apache with a “Let’s Encrypt” SSL certificate on a CentOS 8. We’ve covered the prerequisites so that you’re ready to begin the process by yourself. We’ve also shown you each command and the output.
Of course, it’s not an easy task, but if you follow this tutorial properly, you can get your domain name certified in no time. If you still face any problems, let us know in the comments below.
If this guide helped you, please share it.
