How to Secure Apache with Let’s Encrypt on CentOS 7
Web Design & IT Services in Swanage, Poole, Bournemouth and Dorset by Matthew Pond
A huge thank you to Digital Ocean for their tutorials; everything below has been taken from them, only scaled back to the bare minimum to get the job done. If you want to go through their full article on setting up Let’s Encrypt you can click here.
Introduction
Let’s Encrypt is a Certificate Authority (CA) that provides free SSL certificates for your servers and websites.
Step 1 — Installing Certbot
To obtain an SSL certificate, you first need to install Certbot and mod_ssl, an Apache module that provides support for SSL v3 encryption.
To add the CentOS 7 EPEL repository, run the following command:
sudo yum install epel-release
Then install all of the required packages:
sudo yum install certbot python2-certbot-apache mod_ssl
Step 2 — Obtaining a Certificate
Now that Certbot is installed, you can use it to request an SSL certificate for your domain.
To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:
sudo certbot --apache -d example.com
This runs certbot with the --apache plugin and specifies the domain to configure the certificate for with the -d flag.
You can set up multiple domains and sub-domains at the same time by passing each domain through, each preceded by its own -d flag. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. Example:
sudo certbot --apache -d example.com -d www.example.com
The generated certificate files will be available within a subdirectory named after your base domain in the /etc/letsencrypt/live directory.
Step 3 — Checking your Certificate Status
Try reloading your website using https:// and notice your browser’s security indicator. It will now indicate that the site is properly secured, usually with a green lock icon.
Step 4 — Setting Up Auto Renewal
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error.
By using the --dry-run option, you can run a simulation of this task to test how renew works:
sudo certbot renew --dry-run
The official Certbot documentation recommends running the renewal from cron twice per day. This will ensure that, in case Let’s Encrypt initiates a certificate revocation, there will be no more than half a day before Certbot renews your certificate.
Edit the crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:
sudo crontab -e
Add in the following line:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
When you’re finished, press ESC to leave insert mode, then type :wq and press ENTER to save and exit the file. This will create a new cron job that will execute at noon and midnight every day.
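Checking the certificate in a browser (Step 3) tells you it is trusted, but not how long it has left, which is what the renewal margin in Step 4 is about. The script below is an added example, not part of the original post or of Digital Ocean’s tutorial: it inspects a certificate file with the openssl command line the way you would inspect /etc/letsencrypt/live/example.com/cert.pem on the server, and reports whether it falls inside a renewal window. Because it must run offline, it generates a throwaway self-signed 30-day certificate in a temporary directory as a stand-in for the Let’s Encrypt one; the example.com name and the 60-day window are assumptions taken from the text above.

```shell
#!/bin/sh
# Added example: check a PEM certificate's subject, expiry and renewal window
# with the openssl CLI. On a real server point it at
# /etc/letsencrypt/live/<your-domain>/cert.pem instead of the sample below.

# Print the subject and the not-after date of the certificate in $1.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate
}

# Return 0 (true) if the certificate in $1 expires within $2 days, else 1.
# "openssl x509 -checkend N" exits 0 only if the cert is still valid N seconds
# from now, so its exit status is inverted here.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1   # still valid beyond the window
  else
    return 0   # expires within the window, or already expired
  fi
}

# Constructed sample input: a self-signed certificate valid for 30 days,
# standing in for the certificate Certbot writes under /etc/letsencrypt/live/.
SAMPLE_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=example.com" \
  -keyout "$SAMPLE_DIR/privkey.pem" -out "$SAMPLE_DIR/cert.pem" >/dev/null 2>&1

cert_summary "$SAMPLE_DIR/cert.pem"

# The post recommends renewing at 60 days; a 30-day certificate is inside
# that window, so this branch is taken.
if cert_expires_within "$SAMPLE_DIR/cert.pem" 60; then
  echo "renewal due within 60 days"
else
  echo "certificate has more than 60 days left"
fi
```

The cron job from Step 4 handles renewal on its own; the point of a check like this is to confirm after the fact that the cron job actually did its work, for instance by running it against the live certificate and alerting if fewer than 30 days remain, which is the threshold at which certbot renew would normally have replaced it.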