Installing Let’s Encrypt SSL Certificate on CentOS7


In this tutorial I will show you how to install a Let’s Encrypt SSL certificate on CentOS 7 with Apache as the web server. Let’s Encrypt issues trusted certificates that are valid for 90 days, so we will also see how to automate the renewal process.

Requirements:

  • CentOS 7 server with Apache as the web server
  • A domain name whose A record in public DNS points to this server’s public IP address (Let’s Encrypt proves ownership by connecting to that address, so the record must already be live)

In this tutorial we will install a Let’s Encrypt certificate for the domain techhobo.net; substitute your own domain when deploying in your environment.

Step 1 — Installing the Required Packages

We start by enabling the EPEL repository, which provides additional packages for CentOS 7, including certbot. Since this is a fresh CentOS 7 server, we then install the Apache web server together with the mod_ssl module, which Apache needs to serve HTTPS.

Finally we install the certbot package, the Let’s Encrypt client that requests the certificate and configures Apache to use it.

Command to enable the EPEL repository:

sudo yum install epel-release

Install Apache webserver with mod_ssl :

sudo yum install httpd mod_ssl

Finally, the Let’s Encrypt certbot client together with its Apache plugin:

sudo yum install python-certbot-apache

If no errors occur, you now have all the packages required to secure your site.


Step 2 — Configuring Apache

First check that Apache is running and reachable from outside. On CentOS 7 the default firewalld configuration blocks port 80, so the service can be up but still unreachable from the internet.

Verify that the Apache service is running; the output should show active (running):

systemctl status httpd

If Apache is not running, start it with:

sudo systemctl start httpd

Now open ports 80 and 443 in firewalld. The first two commands change the running firewall; the last copies those runtime changes into the permanent configuration so they survive a reboot:

sudo firewall-cmd --add-service=http

sudo firewall-cmd --add-service=https

sudo firewall-cmd --runtime-to-permanent

Now check that your site is reachable over plain HTTP, using curl or a web browser:

curl -I http://techhobo.net

http://techhobo.net

Expect an HTTP response (the CentOS test page on a fresh install) rather than a connection timeout. Do not test https:// yet: mod_ssl ships with a self-signed certificate, so curl will refuse it and a browser will warn until the Let’s Encrypt certificate is installed in Step 3. Port 80 must be reachable from the internet in any case, because that is where Let’s Encrypt’s HTTP validation requests arrive.


Step 3 — Requesting Let’s encrypt SSL Certificate

Now run the certbot client to request the Let’s Encrypt certificate for our domain.

Using certbot’s Apache plugin is straightforward: it completes the Let’s Encrypt validation over port 80, obtains the certificate, and writes the SSLCertificateFile and SSLCertificateKeyFile directives into your Apache configuration. It looks for a VirtualHost whose ServerName or ServerAlias matches the requested name, so make sure one exists for techhobo.net before running it.

One certificate can cover several domains or subdomains; pass each one with its own -d option. Every name you list must already resolve to this server, because Let’s Encrypt validates each of them. The first name becomes the certificate’s name, which is also the directory name certbot uses under /etc/letsencrypt/live; the remaining names are added as Subject Alternative Names:

sudo certbot --apache -d techhobo.net -d www.techhobo.net

For this example, the certificate name will be techhobo.net.

To obtain a certificate that covers only a single domain, run:

sudo certbot --apache -d techhobo.net

On the first run certbot asks for a contact e-mail address (used for expiry warnings), asks you to accept the Let’s Encrypt terms of service, and offers to redirect all HTTP traffic to HTTPS. Choose the redirect, so visitors never use the unencrypted site. When the installation finishes successfully, you should see a Congratulations message.

certbot can also be run without any -d options; it then reads the ServerName entries from your Apache configuration and lets you choose interactively which names to include:

sudo certbot --apache

The generated files are placed in /etc/letsencrypt/live/techhobo.net/: fullchain.pem (the certificate followed by the intermediate chain), privkey.pem (the private key, readable by root only), plus cert.pem and chain.pem separately. These are symlinks to the current versions kept under /etc/letsencrypt/archive, so always reference the live paths in configuration; they keep pointing at the newest certificate after each renewal.


Step 4 — Checking your Certificate Status

You can verify the certificate from outside with the following checker (enter your domain):

https://www.sslshopper.com/ssl-checker.html

It reports the issuer, the start and expiry dates, whether the name matches, and whether the intermediate chain is served, so a missing chain or a stale certificate shows up here before browsers complain.

You should now be able to open your website with an https:// prefix in the browser without any warning:

https://techhobo.net


Step 5 — Automating the certificate Renewal Process

Create a cron job that periodically executes the renewal command (sudo certbot renew). certbot renew only renews certificates that are within 30 days of expiry and does nothing otherwise, so it is safe to run daily (the certbot documentation even recommends twice a day).

To edit the crontab, run:

sudo crontab -e

Include the following entry, all on one line. sudo crontab -e edits root’s crontab, which is what you want here: certbot needs root to read /etc/letsencrypt and to reload httpd.

30 2 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload httpd" >> /var/log/le-renew.log 2>&1

Save and exit. The new cron job runs certbot renew every day at 2:30 am. --quiet suppresses output unless something fails, 2>&1 sends those failures into the log instead of losing them, and the deploy hook reloads Apache only when a certificate was actually renewed, so the new certificate is served immediately. Before relying on the job, run sudo certbot renew --dry-run once by hand: it rehearses the renewal against Let’s Encrypt’s staging environment and reports any problem with validation or the Apache configuration.
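As an added example that is not part of the original post, the following POSIX shell script combines the certificate check from Step 4 with the renewal from Step 5 so that one cron job does both: it runs certbot renew with a deploy hook that reloads httpd only when a certificate was actually renewed, then reads the expiry date of the live certificate with openssl and logs how many days remain, exiting non-zero when the certificate is inside the warning window, already expired, or the renewal itself failed. The date parsing is done in plain sh rather than with GNU date -d so the same script also runs on systems without it. The lineage name techhobo.net, the script path /usr/local/sbin/le-renew-check.sh, the WARN_DAYS and CERTBOT variables and the log format are my assumptions, not something the tutorial defines.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: renew with certbot, then
# read the expiry date of the live certificate and report how many days remain.
# Assumptions (not from the page): lineage "techhobo.net" in /etc/letsencrypt/live,
# certbot at /usr/bin/certbot (EPEL package), 30-day warning threshold.

log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*"; }

# Convert openssl's date text ("Jun 12 10:00:00 2025 GMT") to Unix epoch seconds
# in pure POSIX sh (days-from-civil formula, UTC only), so the check does not
# depend on GNU date -d.
to_epoch() {
    set -- $1                          # split into: month day hh:mm:ss year zone
    day=$2; hms=$3; year=$4
    case $1 in
        Jan) m=1;;  Feb) m=2;;  Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;;  Aug) m=8;;  Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "unrecognised month: $1" >&2; return 1;;
    esac
    h=${hms%%:*}; rest=${hms#*:}; mi=${rest%%:*}; s=${rest#*:}
    h=${h#0}; mi=${mi#0}; s=${s#0}; day=${day#0}   # "08" must not be read as octal
    if [ "$m" -le 2 ]; then y=$((year - 1)); else y=$year; fi
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + day - 1))          # day of the March-based year
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy)) # day of the 400-year era
    days=$((era * 146097 + doe - 719468))          # days since 1970-01-01
    echo $((days * 86400 + h * 3600 + mi * 60 + s))
}

# Whole days left, given an openssl "notAfter=..." line and the current epoch.
days_left() {
    exp=$(to_epoch "${1#notAfter=}") || return 1
    echo $(( (exp - $2) / 86400 ))
}

# Print OK / WARN / EXPIRED and return 0 / 1 / 2 (3 if the date is unparseable)
# so cron mail or a monitoring agent can act on the exit status.
# Arguments: notAfter line, current epoch seconds, warning threshold in days.
cert_state() {
    left=$(days_left "$1" "$2") || return 3
    if [ "$left" -lt 0 ]; then
        echo "EXPIRED ($left days)"; return 2
    elif [ "$left" -lt "$3" ]; then
        echo "WARN ($left days left)"; return 1
    fi
    echo "OK ($left days left)"
}

# Renew anything within 30 days of expiry; the deploy hook runs only when a
# certificate was actually renewed, so httpd is reloaded only then.
renew_certs() {
    "${CERTBOT:-/usr/bin/certbot}" renew --quiet --deploy-hook "systemctl reload httpd"
}

main() {
    cert=$1
    renew_certs; renew_rc=$?
    if [ "$renew_rc" -eq 0 ]; then log "certbot renew completed"; else log "certbot renew failed (exit $renew_rc)"; fi
    # openssl prints one line such as "notAfter=Jun 12 10:00:00 2025 GMT"
    line=$(openssl x509 -in "$cert" -noout -enddate) || { log "cannot read $cert"; exit 3; }
    state=$(cert_state "$line" "$(date -u +%s)" "${WARN_DAYS:-30}"); rc=$?
    log "$cert: $state"
    if [ "$renew_rc" -ne 0 ] && [ "$rc" -eq 0 ]; then rc=4; fi   # a failed renewal is never silent
    exit "$rc"
}

# Run only when a certificate path is given on the command line (see the cron
# line in the note below); sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Install it as /usr/local/sbin/le-renew-check.sh, make it executable, and point the cron entry at it instead of calling certbot directly: 30 2 * * * /usr/local/sbin/le-renew-check.sh /etc/letsencrypt/live/techhobo.net/fullchain.pem >> /var/log/le-renew.log 2>&1. Because the exit status reflects the worst outcome, a cron that mails on non-zero exit, or a monitoring agent that runs the script, notices a stuck renewal weeks before the site goes dark; the 30-day threshold matches certbot’s own renewal window, so a WARN line means a renewal that should already have happened did not.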
