How to install Let’s Encrypt on CentOS 7 with Apache

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Let’s Encrypt provides free, automatic and secure certificates. Website owners can easily obtain security certificates within minutes, enabling a safer web experience for all.

Update the System

# yum -y update

Install dependent modules

# yum install -y epel-release mod_ssl

You will also need to have Apache installed and running.

Install Let’s Encrypt Client

# yum install certbot python2-certbot-apache 

Obtaining a Certificate

Certbot handles SSL certificate management for you. It generates a new certificate for the domain passed with the -d parameter.
For instance, to install an SSL certificate for testdomain.com:

# certbot --apache -d testdomain.com 

To generate a certificate covering multiple domains and subdomains, use the command below:

# certbot --apache -d testdomain.com -d www.testdomain.com 

The certbot utility can also prompt you for domain information during the certificate request procedure.

The program will present you with a step-by-step guide to customize your certificate options. It will ask you to provide an email address for lost key recovery and notices, and then prompt you to agree to the terms of service. If you did not specify your domains on the command line, you will be prompted for that as well.

You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2

When the installation is complete, you will receive a message similar to the following:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/testdomain.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/testdomain.com/privkey.pem
  Your cert will expire on 2019-09-23. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot again
  with the "certonly" option. To non-interactively renew all of
  your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le 

The generated certificate files will be available within a subdirectory named after your base domain in the /etc/letsencrypt/live directory.

Configuring automatic certificate renewal

Let’s Encrypt certificates are valid for 90 days. It is recommended to renew them within 60 days, in order to avoid any problems. The certbot renew command handles this: it checks each installed certificate and renews those that are less than 30 days from expiration:

# certbot renew

If the installed certificate is recent, certbot will only verify its expiration date:

Processing  /etc/letsencrypt/renewal/testdomain.com.conf
The following certs are not due for renewal yet:
    /etc/letsencrypt/live/testdomain.com/fullchain.pem (skipped)
No renewals were attempted.

To automate this renewal process, you can set up a cron job that runs the renewal check twice a day (at 00:00 and 12:00):

# crontab -e
0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1
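Because the cron entry discards all output, a renewal that keeps failing goes unnoticed until the certificate expires. The script below is an added example, not part of the original tutorial: it reads the expiry date from a certificate and flags it when fewer days remain than a working renewal job would ever allow. The function names, the 20-day threshold and the use of GNU date are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): expiry check to run alongside
# the renewal cron job, whose output is discarded.
# Assumptions: GNU date and openssl are installed; the 20-day alert threshold
# is an illustrative choice below certbot's 30-day renewal window.

# seconds_left "notAfter=<date>" <now-epoch>
# Takes the line printed by `openssl x509 -noout -enddate` and prints the
# seconds remaining until expiry (zero or negative once expired).
seconds_left() {
    sl_expiry=$(date -u -d "${1#notAfter=}" +%s) || return 2
    echo $(( sl_expiry - $2 ))
}

# cert_status <seconds-left> [threshold-days]
# Prints "expired", "renewal-overdue" or "ok".
cert_status() {
    cs_limit=$(( ${2:-20} * 86400 ))
    if [ "$1" -le 0 ]; then
        echo expired
    elif [ "$1" -lt "$cs_limit" ]; then
        echo renewal-overdue
    else
        echo ok
    fi
}

# check_cert <pem-file> [threshold-days]
# Exit status is 0 only when the certificate is comfortably valid, so the
# script can drive a monitoring check or a mail alert.
check_cert() {
    cc_line=$(openssl x509 -in "$1" -noout -enddate) || {
        echo "cannot read certificate: $1" >&2
        return 2
    }
    cc_left=$(seconds_left "$cc_line" "$(date +%s)") || return 2
    cc_state=$(cert_status "$cc_left" "${2:-20}")
    echo "$1: $(( cc_left / 86400 )) days left ($cc_state)"
    [ "$cc_state" = ok ]
}

# Run only when a certificate path is given, e.g.
#   sh check-cert.sh /etc/letsencrypt/live/testdomain.com/fullchain.pem
if [ "$#" -gt 0 ]; then
    check_cert "$@"
fi
```

A non-zero exit status means the certificate is unreadable, expired, or closer to expiry than the threshold.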

Now you should have successfully installed and configured Let’s Encrypt with Apache.
