How to Install LetsEncrypt Certificate on CentOS 7

This tutorial explains how to install a Let's Encrypt SSL/TLS certificate for the Apache web server on CentOS 7. Let's Encrypt is a certificate authority that issues SSL/TLS certificates free of charge, and it issues trusted certificates through an automated process.

Prerequisites and requirements

To install a Let's Encrypt certificate you need shell access to the CentOS system with administrative (root) privileges.

Firewall configuration: make sure both the http and https services are allowed through the firewall:

firewall-cmd --permanent --add-service http
firewall-cmd --permanent --add-service https
firewall-cmd --reload

We also assume you already have a virtual host configured for the HTTP (non-secure) version of your website:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog "logs/example.com-error_log"
    CustomLog "logs/example.com-access_log" combined
</VirtualHost>

During the process, a new virtual host configuration for the HTTPS site will be created automatically based on this configuration.

DNS...

To prove ownership of the website, you must ensure that a DNS entry exists for it, so that it can be reached by its fully qualified domain name (FQDN).

If you can't point your website to the server before installing the certificate, you can use the DNS-01 validation method to prove ownership of the domain name instead.

How to do it...

Perform the following steps to install a Let's Encrypt certificate for the Apache web server on CentOS 7:

  1. Install certbot client.
  2. Install the certificate.
  3. Verify the virtual host file.
  4. Automate the renewal process.

The certbot command-line tool allows us to request new certificates and renew them. Install the certbot client by first enabling the EPEL repository:

yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install python2-certbot-apache

To install an SSL/TLS certificate for your website, run the following command (replace the domain names as appropriate):

certbot --apache -d example.com -d www.example.com

When you run the certbot command for the first time, you must provide a valid e-mail address for correspondence about your certificates. Then you must agree to the Terms of Service (press A on the keyboard and then Enter to accept them):

(A)gree/(C)ancel: A

As the final step, you will be asked whether or not to redirect HTTP traffic to HTTPS. Do not redirect HTTP traffic to HTTPS at this point, so answer 1 for "No redirect".

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

And that is all we need to do to install a Let's Encrypt certificate on CentOS 7.

You will find the virtual host file for the HTTPS site under the /etc/httpd/conf.d directory (e.g. example.com-le-ssl.conf):

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog "logs/example.com-error_log"
    CustomLog "logs/example.com-access_log" combined
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
</IfModule>

Automating renewal

Issued certificates are valid for 90 days. You can run the certbot renew command to renew all certificates on your CentOS 7 server that are close to expiry.

certbot renew

We can set up a cron job (scheduled task) to renew certificates automatically when they are near expiry. For example, create a new file called certbot under the /etc/cron.d directory and add the following on one line (files in /etc/cron.d need the user field, here root, between the schedule and the command):

0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

This runs the certbot renew command every 12 hours (after a random delay of up to an hour, which spreads the load on Let's Encrypt's servers) and renews any obtained certificates that are near expiry.
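To check the outcome of steps 3 and 4 without waiting for a renewal, the following added example (not part of the tutorial or of certbot) verifies that an example.com-le-ssl.conf points every SSL directive at the expected file under /etc/letsencrypt/live/<domain>/ and computes, from the output of openssl x509 -noout -enddate -in cert.pem, how many days remain and whether certbot renew would act. The vhost text and dates in it are constructed samples.

```python
"""Post-install checks for a certbot-managed Apache vhost (added example)."""
import re
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # certbot renew replaces certs with < 30 days left

# Directive -> file certbot writes under /etc/letsencrypt/live/<domain>/
EXPECTED = {
    "SSLCertificateFile": "cert.pem",
    "SSLCertificateKeyFile": "privkey.pem",
    "SSLCertificateChainFile": "chain.pem",
}

# Constructed sample mirroring the example.com-le-ssl.conf shown above.
SAMPLE_CONF = """<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
</IfModule>
"""

def check_ssl_vhost(conf_text, domain):
    """Return a list of problems; an empty list means the vhost looks right."""
    problems = []
    if not re.search(r"<VirtualHost\s+\*:443>", conf_text):
        problems.append("no <VirtualHost *:443> block")
    live = f"/etc/letsencrypt/live/{domain}/"
    for directive, filename in EXPECTED.items():
        m = re.search(rf"^\s*{directive}\s+(\S+)", conf_text, re.M)
        if m is None:
            problems.append(f"{directive} missing")
        elif m.group(1) != live + filename:
            problems.append(f"{directive} points at {m.group(1)}, expected {live + filename}")
    if "options-ssl-apache.conf" not in conf_text:
        problems.append("options-ssl-apache.conf not included")
    return problems

def days_until_expiry(enddate_line, today=None):
    """Days left from 'notAfter=Mar 14 12:00:00 2025 GMT'; today is YYYY-MM-DD or None (now)."""
    stamp = " ".join(enddate_line.split("=", 1)[1].split())  # openssl pads single-digit days
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc) if today else datetime.now(timezone.utc)
    return (not_after - now).days

def renewal_due(enddate_line, today=None):
    """True when certbot renew would (or should already) replace this certificate."""
    return days_until_expiry(enddate_line, today) < RENEW_WINDOW_DAYS
```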

Note that your SSL certificate, private key, account credentials and everything else are saved in the Certbot configuration directory at /etc/letsencrypt. Make sure to keep regular backups of this directory.