For a secure browsing experience, TLS encryption (still widely called SSL) is essential. A Certificate Authority such as Let's Encrypt issues certificates that let a server prove its identity to browsers and encrypt the traffic, so that data in transit cannot be read or altered by an attacker on the network.
In the following tutorial, we walk through the major steps of using Certbot to obtain a TLS/SSL certificate from Let's Encrypt on a CentOS 7 server running Apache, followed by setting up automatic renewal.
Prerequisites
- A CentOS 7 server with a non-root user that has sudo privileges. Note that CentOS 7 reached end of life in June 2024 and no longer receives security updates; the steps below are specific to it, but a production system should be on a supported release.
- A basic firewall configuration. Ports 80 and 443 must be reachable from the internet: Let's Encrypt validates the domain over port 80 (the HTTP-01 challenge used here), and the site itself is served on 443.
- Apache installed on the CentOS 7 server with a configured virtual host. Make sure you have a virtual host file for the website; in this article we use /etc/httpd/sites-available/example.com.conf as the example.
- A registered domain name for which you want the certificate. MilesWeb also offers domain registration if you still need one.
- A DNS "A" record pointing the registered domain at the server's public IP address. This record is essential because Let's Encrypt only issues a certificate after verifying that the requester controls the domain, and it does so by connecting to the address the DNS record resolves to.
Once all required elements are available, proceed further to install the Let’s Encrypt client software.
Steps to Install Let's Encrypt on Apache on CentOS 7
Installing the Certbot Let’s Encrypt Client
First, install Certbot and mod_ssl. mod_ssl is the Apache module that provides SSL/TLS support. Despite the name, only TLS should be in use: SSLv2 and SSLv3 are broken, and the default /etc/httpd/conf.d/ssl.conf that the package ships disables them with "SSLProtocol all -SSLv2 -SSLv3"; keep that line (or a stricter one) if you customise the file.
The certbot package is not in the default CentOS 7 repositories; it is provided by the EPEL repository, which has to be enabled first.
Run the following command to add the CentOS 7 EPEL repository:
sudo yum install epel-release
After having access to the repository, install required packages.
sudo yum install certbot python2-certbot-apache mod_ssl
During installation you will be prompted to import the EPEL GPG key. This key is what lets yum verify that the packages really come from EPEL and have not been tampered with, so accept it: type y and press ENTER.
With these packages installed, you are ready to run Certbot and fetch certificates.
Getting a Certificate
Once Certbot is installed, use it to request a certificate for your registered domain. The Apache plugin automates most of the issuance steps: with the parameters you provide, it proves control of the domain to Let's Encrypt, obtains the certificate, and edits the Apache virtual host to use it.
Run Certbot as follows to obtain a certificate covering a single domain and install it interactively:
sudo certbot --apache -d example.com
The --apache plugin handles both the validation and the installation in Apache; the -d flag names the domain the certificate is for.
Pass -d more than once to obtain a single certificate that covers several domains or subdomains. Certbot names the certificate after the first domain in the list (that name becomes the directory under /etc/letsencrypt/live), so put the base domain first, followed by any subdomains or aliases:
sudo certbot --apache -d example.com -d www.example.com
In this example, the base domain is example.com.
Certbot can also ask for the domain information interactively. To use this mode, call it without any domains:
sudo certbot --apache
The program then walks you through the options step by step. After you agree to the terms of service, you are asked for an email address; it is used for expiry and security notices about your certificates (it cannot recover a lost private key, and none is needed: if a key is lost, simply issue a new certificate). If you did not specify a domain on the command line, Certbot lists the names found in your Apache virtual hosts for you to choose from; on CentOS 7 the mod_ssl package also installs a default virtual host in /etc/httpd/conf.d/ssl.conf, which is what Certbot edits if no site-specific file matches.
Next you choose whether to keep serving plain HTTP alongside HTTPS or to redirect every HTTP request to HTTPS. Redirecting is recommended unless you have a specific reason to keep unencrypted access. Type the number of your choice and press ENTER.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: No redirect – Make no further changes to the webserver configuration.
2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):2
On success, a message like the following is displayed:
Output
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-08-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew *all* of
your certificates, run “certbot renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate files are stored in a subdirectory of /etc/letsencrypt/live that Certbot names after the base domain (the first -d name), as shown above. privkey.pem is the private key: it is readable only by root and must stay that way, so never copy it into a world-readable location or commit it anywhere.
The certificate is now issued, installed, and loaded into Apache. The next step is to check that it is actually being served correctly.
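The steps above, from enabling EPEL through issuing the certificate, can also be run unattended. The script below is an added example written for this article; it is not code from the MilesWeb tutorial or from the Certbot project. It assumes firewalld is the active firewall on the server, and the contact address, the --run flag and the domain names on the usage line are placeholders. Because whatever follows -d ends up on a command line executed as root, the script validates each name and puts the base domain first before calling Certbot.

```shell
#!/bin/sh
# Added example (not from the tutorial or from Certbot): unattended issuance on
# CentOS 7 + Apache. Assumed: firewalld is the firewall; the email address and
# the --run flag are placeholders chosen for this example.
set -eu

# Accept only plain DNS names: lower-case letter/digit/hyphen labels and a
# letters-only top-level label. Anything else is refused before it can reach
# the root-run certbot command line.
valid_domain() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print the "-d" arguments for certbot. The first name is the base domain;
# certbot uses it as the lineage name (/etc/letsencrypt/live/<base>), so it
# must come first. Duplicates are dropped, invalid names abort.
domain_args() {
    out=""
    seen=" "
    for d in "$@"; do
        valid_domain "$d" || { echo "invalid domain name: $d" >&2; return 1; }
        case "$seen" in
            *" $d "*) continue ;;          # already listed
        esac
        seen="$seen$d "
        out="$out${out:+ }-d $d"
    done
    printf '%s\n' "$out"
}

issue_certificate() {
    email=$1; shift
    base=$1
    args=$(domain_args "$@")

    sudo yum -y install epel-release
    sudo yum -y install certbot python2-certbot-apache mod_ssl

    # HTTP-01 validation connects to port 80; the site itself needs 443.
    sudo firewall-cmd --permanent --add-service=http --add-service=https
    sudo firewall-cmd --reload

    # Rehearse against the staging CA first: a mistake here costs nothing,
    # while repeated failures against production count toward rate limits.
    # $args is validated above; word splitting into separate -d flags is intended.
    sudo certbot certonly --apache --dry-run --non-interactive --agree-tos \
        --email "$email" $args

    # Real run: issue, install into the virtual host and redirect HTTP to HTTPS.
    sudo certbot --apache --non-interactive --agree-tos --redirect \
        --email "$email" $args

    # Confirm the lineage exists and that the private key stayed root-only.
    sudo certbot certificates --cert-name "$base"
    sudo ls -l "/etc/letsencrypt/live/$base/"
    sudo stat -c '%a %U %n' "$(sudo readlink -f "/etc/letsencrypt/live/$base/privkey.pem")"
    sudo apachectl configtest
}

# Usage: sh issue.sh --run admin@example.com example.com www.example.com
if [ "${1:-}" = "--run" ]; then
    shift
    issue_certificate "$@"
fi
```

The rehearsal uses certonly because Certbot's --dry-run is only accepted by the certonly and renew subcommands; the real run then uses the plain --apache form so the installer edits the virtual host and adds the redirect. The final stat should report mode 600 and owner root for the key.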
Checking the Certificate Status
Checking that the certificate is served correctly is essential. Open the link below in a web browser, replacing example.com with your base domain:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
This opens a page that runs a battery of TLS tests against your server.
The scan takes a few minutes to complete and updates in the browser as it goes. When it finishes, you receive a letter grade rating the security and quality of the configuration.
The grade combines the certificate's validity, the protocols supported, the key exchange and the cipher strength; the scheme is explained in the SSL Labs rating guide on the SSL Labs site.
Also reload your website using https:// and look at the browser's security indicator. A lock icon means the browser accepted the certificate and the connection is encrypted; it says nothing about the security of the site's own code or content.
Once the certificate is verified, set up automatic renewal so that it is replaced before it expires.
Auto Renew the Let’s Encrypt Certificate
Let's Encrypt certificates are valid for 90 days, and certbot renew replaces any certificate that is within 30 days of expiry. Before relying on automation, confirm that renewal works with a dry run, which performs the full validation against Let's Encrypt's staging environment without saving a certificate:
sudo certbot renew --dry-run
The output will look like this:
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Processing /etc/letsencrypt/renewal/example.com.conf
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification…
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
…
If you created a bundled certificate covering multiple domains, only the base domain name appears in the output, but the renewal covers all names included in the certificate.
Create a cron job that runs the renewal command regularly so the certificates never lapse. Running it weekly or even daily is safe (Certbot's own packaged timers run twice a day): the command only checks expiry dates and renews a certificate when it is within 30 days of expiring.
Use the following command to create a cron job.
sudo crontab -e
Your text editor will open root's crontab, which is empty at this point. Paste in the following line, then save and close the file:
15 3 * * * /usr/bin/certbot renew --quiet
The five fields "15 3 * * *" schedule the command to run daily at 3:15 am; you are free to select any time that suits you.
certbot renew examines every certificate on the system and renews those due to expire in less than thirty days. --quiet silences all output except errors and asks no questions, which is what a cron job needs. Because the certificates here were issued with the Apache installer, Certbot reloads Apache itself after a renewal (as the dry run showed); for a lineage obtained with certonly, add --deploy-hook "systemctl reload httpd" so the new certificate is actually picked up.
From now on cron runs this command daily; any certificate with thirty days or less remaining is renewed and Apache reloaded automatically. If a renewal fails, the details are in /var/log/letsencrypt/letsencrypt.log, and Let's Encrypt also emails the address you registered when a certificate is close to expiry without having been renewed.
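To go beyond the browser check in the "Checking the Certificate Status" section and to see the 30-day rule from this section applied to a real certificate, the script below is an added example written for this article; it is not code from the tutorial or from Certbot. It assumes GNU date (as on CentOS 7) and that openssl and curl are installed; the --check flag and the hostname on the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the tutorial or from Certbot): verify what Apache
# serves and whether the lineage is inside certbot's 30-day renewal window.
# Assumed: GNU date (present on CentOS 7), openssl and curl installed; the
# --check flag is a placeholder chosen for this example.
set -eu

# Whole days from a reference time (default: now, as a Unix epoch) until the
# expiry given by an openssl "notAfter=Aug 14 23:59:59 2019 GMT" line.
days_remaining() {
    notafter=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    expiry=$(date -u -d "$notafter" +%s)
    echo $(( (expiry - now) / 86400 ))
}

# certbot renew replaces a certificate once fewer than 30 days remain;
# mirror that rule so this check agrees with what the cron job will do.
renewal_due() {
    [ "$(days_remaining "$1" "${2:-}")" -lt 30 ]
}

check_site() {
    host=$1
    live="/etc/letsencrypt/live/$host"

    # 1. The lineage on disk, as certbot sees it.
    enddate=$(sudo openssl x509 -in "$live/fullchain.pem" -noout -enddate)
    echo "on disk: $enddate, $(days_remaining "$enddate") days left"
    if renewal_due "$enddate"; then
        echo "on disk: inside the renewal window; 'certbot renew' should replace it"
    fi

    # 2. The chain the TLS listener actually presents. -verify_return_error
    #    makes the handshake fail if the chain does not verify, so a stale or
    #    mis-installed certificate shows up here even when the file on disk
    #    is fine (the pipeline then aborts under set -e).
    echo | openssl s_client -connect "$host:443" -servername "$host" \
        -verify_return_error 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate

    # 3. Plain HTTP must answer with a redirect to https:// when option 2
    #    (Redirect) was chosen during installation.
    curl -sSI "http://$host/" | grep -iE '^(HTTP/|Location:)'
}

# Usage: sh check-cert.sh --check example.com
if [ "${1:-}" = "--check" ]; then
    check_site "$2"
fi
```

Running the check from a different machine than the server is worthwhile for step 2, because it then confirms that the firewall allows 443 from the outside and not only from localhost.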
You have now installed a Let's Encrypt certificate on CentOS 7 with the Apache web server, tested renewal with a dry run, and scheduled automatic renewal with a cron job. For further questions, the techies at MilesWeb are there to help you out.