Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
Let’s Encrypt provides free, automatic and secure certificates. The website owners can easily obtain security certificates within minutes, enabling a safer web experience for all.
Update the System
# yum -y update
Install dependent modules
# yum install -y epel-release mod_ssl
You will also need to have Apache installed and running.
Install Let’s Encrypt Client
# yum install certbot python2-certbot-apache
Obtaining a Certificate
Certbot will handle SSL certificate management quite easily. It will generate a new certificate for the provided domain as a parameter.
For instance, we will use testdomain.com to which SSL certificate will be installed:
# certbot --apache -d testdomain.com
To generate SSL for multiple Domains and Sub domains, use below command
# certbot --apache -d testdomain.com -d www.testdomain.com
certbot utility can also prompt you for domain information during the certificate request procedure.
The program will present you with a step-by-step guide to customize your certificate options. It will ask you to provide an email address for lost key recovery and notices, and then prompt you to agree to the terms of service. If you did not specify your domains on the command line, you will be prompted for that as well.
You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2
When the installation is complete, you will receive a similar message:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/testdomain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/testdomain.com/privkey.pem Your cert will expire on 2019-09-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
The generated certificate files will be available within a subdirectory named after your base domain in the /etc/letsencrypt/live directory.
Configuring automatic certificate renewal
Let’s encrypt certificates are valid for 90 days. It is recommended to renew it within 60 days, in order to avoid any problems. To achieve this, certbot will assist us with your renewal command. It will verify that the certificate is less than 30 days from expiration:
# certbot renew
If the installed certificate is recent, certbot will only verify its expiration date:
Processing /etc/letsencrypt/renewal/testdomain.com.conf The following certs are not due for renewal yet: /etc/letsencrypt/live/testdomain.com/fullchain.pem (skipped) No renewals were attempted.
To automate this renewal process, you can set up a cronjob :
# crontab -e
* */12 * * * /usr/bin/certbot renew >/dev/null 2>&1
Now you should have successfully installed and configured Let’s Encrypt with Apache.