How to Secure Apache with Let's Encrypt on CentOS 8


Are you looking for an easy-to-follow tutorial to learn how to secure Apache with “Let’s Encrypt” SSL Certificates on CentOS 8? Then keep on reading.

“Let’s Encrypt” is a free, open, and automated certificate authority (CA) that issues the digital certificates needed for secure HTTPS (SSL/TLS) connections to websites. It is run by the nonprofit Internet Security Research Group (ISRG).

Securing your web server is crucial to gain the trust of your visitors. With “Let’s Encrypt”, you can do that for absolutely no cost. There is no renewal fee either.

We will see the whole process of doing it. But before that, you should know about the prerequisites.

Prerequisites to Secure Apache with Let’s Encrypt Certificate

Some requirements before you start following this tutorial:

  • An Apache web server.

If you don’t have Apache installed, you can install it using the following command:

$ sudo dnf install httpd

You can check if the server is running successfully with this command:

$ sudo systemctl status httpd

  • A registered domain name that you want to secure with an SSL certificate.
  • A static IP address for your server.
  • DNS records for your domain pointing to your server’s IP address. Specifically, you will need an ‘A’ record for your domain that points to your server’s IP address (and one for www.yoursite.com if you want that name on the certificate too).
  • Traffic allowed on ports 80 and 443 through your firewall. You can do this by running the following commands:

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload

How to Secure Apache With “Let’s Encrypt” SSL Certificate

Now you will go through the required steps to secure Apache with “Let’s Encrypt” on your CentOS machine. It may seem daunting at first. But if you follow the instructions and run the commands as shown, it shouldn’t feel that hard.

So then, let’s go through each step.

Install ‘certbot’ and ‘mod_ssl’

‘certbot’ is a free, open-source tool for obtaining certificates from “Let’s Encrypt” and installing them into your web server configuration.

‘mod_ssl’ is the Apache module that adds SSL/TLS support; without it Apache cannot serve HTTPS at all, so the ‘certbot’ Apache plugin requires it.

Before you can install ‘certbot’, you need to add the Extra Packages for Enterprise Linux (EPEL) repo to your system using this command:

$ sudo dnf install epel-release

After that, install ‘certbot’, its Apache plugin, and ‘mod_ssl’ with the following command:

$ sudo dnf install certbot python3-certbot-apache mod_ssl

Create an Apache Virtual Host

Apache can host multiple domains on a single IP address through name-based virtual hosts. The ‘certbot’ Apache plugin also relies on finding a virtual host whose ServerName matches your domain, so you will need to create one first.

Create a directory for storing the necessary files with this command:

$ sudo mkdir /var/www/yoursite.com

You can create a test file and put it here. Use this command:

$ echo "<h1>This is a test Apache Virtual Host</h1>" | sudo tee /var/www/yoursite.com/index.html

After that, create a virtual host file with the following command (the name must end in ‘.conf’, because Apache on CentOS only loads ‘conf.d/*.conf’):

$ sudo nano /etc/httpd/conf.d/yoursite.com.conf

For the configuration itself, use this template. It listens on port 80 only; ‘certbot’ will later create the matching port 443 virtual host with the SSL directives for you:

<VirtualHost *:80>
  ServerName yoursite.com
  ServerAlias www.yoursite.com
  DocumentRoot /var/www/yoursite.com/
  <Directory /var/www/yoursite.com/>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /var/log/httpd/www.yoursite.com-error.log
  CustomLog /var/log/httpd/www.yoursite.com-access.log combined
</VirtualHost>

Save with “Ctrl+O”. And then exit with “Ctrl+X”.

When that’s done, give the Apache user ownership of the web root directory with this command:

$ sudo chown -R apache:apache /var/www/yoursite.com

The last thing to do is to restart the Apache service so that it picks up the new virtual host. Use this command:

$ sudo systemctl restart httpd

Get the “Let’s Encrypt” Certificate

The next step is obtaining the certificate for your domain.

Since we’re using ‘certbot’, most of the process of getting the certificate is automated. To obtain and install a certificate for a single domain, use the command below:

$ sudo certbot --apache -d yoursite.com

Another way to use this command is to list additional domains or subdomains after the first one, each with its own ‘-d’ flag. All of the names end up on one certificate, and the first domain becomes the base name that ‘certbot’ uses for the certificate directory.

The command looks like this:

$ sudo certbot --apache -d yoursite.com -d www.yoursite.com

If you do not pass any ‘-d’ parameter, ‘certbot’ will read the ServerName and ServerAlias entries from your Apache configuration and ask you which of them to include. The command is as follows:

$ sudo certbot --apache

You will be taken through an installation process. Complete each step to finish installing the certificates.

If you correctly followed the steps and installed the certificates, you will be congratulated with a message like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yoursite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yoursite.com/privkey.pem
   Your cert will expire on yyyy-mm-dd. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can find the certificates in the “/etc/letsencrypt/live” directory.

Test Your Certificate and Setup

There are a few ways you can test this. One way is to visit your domain on a web browser.

1. Open a browser and visit your domain.

2. Notice the URL. You should see a lock icon. Click on it.


3. Go to Connection is Secure > Certificate is Valid (This is if you’re using Google Chrome. Other browsers may have a different path).

You can find all the details, such as the name of the organization the certificate was issued by, the validity period, and fingerprints.


Another way is to test the certificate with the ‘Qualys’ SSL server test. You can do so by opening the test page in a web browser and entering your domain.

If all goes well, you should get an ‘A’ grade on the test. If you didn’t get the expected score, the report lists what is holding it back so that you can improve it. And if the problem is that the certificate is not installed at all, go back and cross-check the steps.


Auto Renew the Certificate

“Let’s Encrypt” certificates are valid for 90 days. You can renew them for free, and, even better, you can automate the renewal with ‘certbot’. First check that renewal works by running the command below:

$ sudo certbot renew --dry-run

The ‘renew’ command goes through all the certificates ‘certbot’ manages and renews only those that expire in fewer than 30 days; the others are left untouched.

The ‘--dry-run’ option runs the same procedure against the “Let’s Encrypt” staging environment without saving anything, so you can confirm the setup works before relying on it.

After running the command, you should receive a message like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yoursite.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/yoursite.com/fullchain.pem (success)
…

You can also use ‘cron’ to schedule the renewal. If you choose the ‘cron’ method, the recommended usage is to run it twice per day, so that a certificate that has entered the 30-day window is renewed promptly even if one attempt fails.

To do that, append the following line to the crontab file. The short random sleep before ‘certbot renew’ spreads the renewal requests of many servers over the hour instead of hitting the CA at exactly the same minute:

$ echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
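The browser and ‘Qualys’ checks above can also be done from the shell. The following Python script is an added example, not part of the original tutorial: it connects with SNI the way a browser does, confirms the issuer, checks that every name you passed to ‘-d’ is covered by the certificate, and reports whether the certificate is already inside the 30-day window that ‘certbot renew’ acts on. The sample certificate dictionary is constructed for offline testing; the helper names are this example’s own.

```python
import datetime as dt
import socket
import ssl
import sys

RENEW_WINDOW_DAYS = 30  # 'certbot renew' renews when fewer days than this remain

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real cert.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jun 10 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "yoursite.com"), ("DNS", "www.yoursite.com")),
}

def utc_date(iso_day):
    """'2024-05-01' -> aware UTC datetime at midnight (for reproducible checks)."""
    return dt.datetime.fromisoformat(iso_day).replace(tzinfo=dt.timezone.utc)

def fetch_cert(hostname, port=443, timeout=10):
    """Connect with SNI; the default context verifies chain and hostname like a browser."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def name_matches(pattern, hostname):
    """Exact match, or a single leading '*.' wildcard label (no partial-label wildcards)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def check_cert(cert, hostnames, now):
    """Issuer, SAN coverage of every requested name, and whether renewal is due."""
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    expiry = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    days_left = (expiry - now).days  # negative means the certificate has already expired
    return {
        "issuer_org": issuer.get("organizationName"),
        "uncovered": [h for h in hostnames if not any(name_matches(p, h) for p in sans)],
        "days_left": days_left,
        "renew_due": days_left < RENEW_WINDOW_DAYS,
    }

if __name__ == "__main__":  # usage: python3 check_cert.py yoursite.com
    host = sys.argv[1]
    print(check_cert(fetch_cert(host), [host, "www." + host], dt.datetime.now(dt.timezone.utc)))
```

If fetch_cert raises an ssl.SSLCertVerificationError, the chain or hostname is wrong, which is the same failure the browser would show as a warning page.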

Final Thoughts

This article shows you how to secure Apache with a “Let’s Encrypt” SSL certificate on CentOS 8. We’ve covered the prerequisites so that you’re ready to begin the process by yourself. We’ve also shown you each command and its output.

Of course, it’s not an easy task, but if you follow this tutorial properly, you can get your domain name certified in no time. If you still face any problems, let us know in the comments below.

If this guide helped you, please share it.
