Installing Let’s Encrypt SSL Certificate on CentOS7
In this tutorial I will show you how to install a Let’s Encrypt SSL certificate on CentOS7. The server will be running Apache as the web server. Let’s Encrypt provides trusted certificates that are valid for 3 months (90 days), so we will also see how to automate the renewal process.
- CentOS7 Server with Apache as webserver
- One domain name with an A record configured in public DNS
In this tutorial, we will install a Let’s Encrypt certificate for the domain techhobo.net, but you should replace it with your own domain when deploying in your environment.
Step 1 — Installing the Required Packages
We will start by enabling the EPEL repository on the CentOS7 server, which provides additional packages for CentOS. Because this is a fresh CentOS7 server, we will then install the Apache web server with the mod_ssl module to correctly serve encrypted traffic.
Finally, we will install the certbot package, which is the Let’s Encrypt client used to generate the SSL certificate.
Command to enable the EPEL repository:
sudo yum install epel-release
Install the Apache web server with mod_ssl:
sudo yum install httpd mod_ssl
Finally, install the Let’s Encrypt certbot client:
sudo yum install python-certbot-apache
If no errors occur, you now have all the required packages to secure your site.
Step 2 — Configuring Apache
First, test that the Apache web server is running on the server and is accessible, because the default configuration of the CentOS firewall restricts access to Apache on port 80.
Verify that the Apache service is running. It should say active.
systemctl status httpd
If Apache is not running, you can use the command below to start the web server:
sudo systemctl start httpd
Now open ports 80 and 443 in the firewalld firewall of CentOS7 by typing:
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
Now check that your site is reachable using curl or by entering the site name in a web browser:
curl techhobo.net https://techhobo.net
This should verify that the required ports are open.
Step 3 — Requesting Let’s Encrypt SSL Certificate
Now let’s run the certbot client to request the Let’s Encrypt certificate for our domain.
Using the certbot Let’s Encrypt client for Apache is very straightforward. The certbot client will automatically obtain and install a new SSL certificate.
The generated certificate can have entries for multiple domains or subdomains, which we pass as additional -d parameters on the command line. The first domain name is the base domain used by Let’s Encrypt to create the certificate, followed by any additional subdomains:
sudo certbot --apache -d techhobo.net -d www.techhobo.net
For this example, the base domain will be techhobo.net.
To obtain a certificate that covers only a single domain, run the certbot command with:
sudo certbot --apache -d techhobo.net
When the installation is successfully finished, you should see a Congratulations message.
The certbot utility can also be run in interactive mode using the command below, in which the certbot wizard prompts for the domain information.
sudo certbot --apache
The generated certificate files are placed within the /etc/letsencrypt/live subdirectory.
Step 4 — Checking your Certificate Status
You can verify the status of your SSL certificate with the following link (enter your domain).
It will show certificate information such as the start and expiry dates and the certificate rating.
You should now be able to access your website using the https prefix in a web browser.
Step 5 — Automating the Certificate Renewal Process
Create a cron job that will periodically execute the automatic renewal command (sudo certbot renew).
To edit the crontab, run:
sudo crontab -e
Include the following content, all in one line:
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
Save and exit. The new cron job will execute the certbot renew command every day at 2:30 am.
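A cron job can fail silently, so it is worth checking that the certificate on disk is actually being renewed. The function below is an added example, not part of the original tutorial: it reports whether a certificate is overdue for renewal, assuming certbot's default of renewing once fewer than 30 days remain. The names cert_status and make_sample_cert and the 25-day threshold are choices made for this example.

```bash
#!/bin/sh
# Added example, not from the original tutorial.
# Assumption: certbot renews a certificate once it has less than 30 days left,
# so fewer than MIN_DAYS (default 25, chosen here) remaining means the
# renewal job is not doing its work.

# cert_status FILE [MIN_DAYS]
# Prints one of: ok | overdue | expired | invalid | missing
cert_status() {
    cert=$1
    min_days=${2:-25}
    [ -r "$cert" ] || { echo "missing"; return 4; }
    # Reject files that do not parse as an X.509 certificate.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 \
        || { echo "invalid"; return 3; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 \
        || { echo "expired"; return 2; }
    openssl x509 -noout -checkend $(( min_days * 86400 )) -in "$cert" >/dev/null 2>&1 \
        || { echo "overdue"; return 1; }
    echo "ok"
}

# make_sample_cert DIR DAYS
# Builds a constructed, self-signed test certificate valid for DAYS days,
# so the check can be tried without touching the real certificate.
make_sample_cert() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Typical use on the server, run as root (path assumes the tutorial's domain):
#   cert_status /etc/letsencrypt/live/techhobo.net/cert.pem
```

A non-zero exit status from cert_status can be used to trigger an alert from a second cron entry or a monitoring agent.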