How to Secure Apache with Let’s Encrypt on CentOS 7

In this article, we show you how to secure Apache with Let’s Encrypt on CentOS 7. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Before you start securing Apache with Let’s Encrypt, you need to log in as a non-root user with root privileges. To do this, follow our article about the Initial server setup with CentOS 7.

You also need a basic firewall configuration and the Apache web server installed; follow our article about How to install Apache on CentOS 7. You also need to set up an Apache virtual host; for this, see our article about How to set up Apache virtual host on CentOS 7.

When you are done with these requirements you can start to install the Let’s Encrypt client software.

Install the Certbot Let’s Encrypt Client on CentOS 7

To install certbot, the Let’s Encrypt client, you need to enable the EPEL repository, because the package isn’t available by default. On CentOS 7 you can add the EPEL repository with the following command:

sudo yum install epel-release

After you add the EPEL repository, you are ready to install certbot with the following command:

sudo yum install certbot python2-certbot-apache mod_ssl

During the installation you will be asked whether to accept the GPG key; accept it by typing “y”, then press Enter to continue.

You have now finished installing the certbot Let’s Encrypt client and are ready to run certbot and fetch certificates.

How to get an SSL Certificate From Let’s Encrypt

At this point, you can use the certbot to request an SSL certificate for your domain.

If you want to get a certificate that covers a single domain, run the following command:

sudo certbot --apache -d stack.orcacore.net

Note: replace stack.orcacore.net with your own domain name.

If you want to install a single certificate that is valid for multiple domains or subdomains, you can use the following command:

sudo certbot --apache -d stack.orcacore.net -d www.stack.orcacore.net

Customize SSL Certificate Options on CentOS 7

To customize the certificate options run certbot without any domains:

sudo certbot --apache

You will be asked some questions; answer them to continue. When the installation finishes successfully, you will see a message in your output like this:

Output:
Congratulations! You have successfully enabled https://stack.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: [email protected]).
Starting new HTTPS connection (1): supporters.eff.org
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/stack.orcacore.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/stack.orcacore.net/privkey.pem
   Your certificate will expire on 2021-11-21. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now you can check your SSL certificate status to make sure that everything is working.

How to check SSL status on Apache with Let’s Encrypt

Open the following link, with your own domain substituted, to start the SSL test against your server:

https://www.ssllabs.com/ssltest/analyze.html?d=stack.orcacore.net

Note: This will take a little time to complete.

If you followed the steps correctly, the results page for your domain is displayed.

How to Set Up Auto-Renewal of Let’s Encrypt Certificates

In this article, we have learned how to secure Apache with Let’s Encrypt on CentOS 7 and configure it. Note that Let’s Encrypt certificates are valid for 90 days, but it’s better to renew them every 60 days automatically.

To test the renewal process, run the following command. The --dry-run option simulates a renewal without replacing your certificate:

sudo certbot renew --dry-run

Your output should look similar to this:

Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stack.orcacore.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Simulating renewal of an existing certificate for stack.orcacore.net
Performing the following challenges:
http-01 challenge for stack.orcacore.net
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/stack.orcacore.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/stack.orcacore.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

At this point, you have tested certificate renewal.
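
The dry run above only simulates a renewal, so the real one still has to be scheduled. The following script is an added example, not part of the original article: it runs certbot renew and then checks the expiry date of the certificate on disk, so that a silently failing renewal gets noticed. It assumes GNU date and openssl are installed; the script path /usr/local/sbin/le-renew.sh and the cron file name are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes GNU date and openssl.
# The install path /usr/local/sbin/le-renew.sh used below is hypothetical.
CERT="${CERT:-/etc/letsencrypt/live/stack.orcacore.net/fullchain.pem}"
RENEW_BEFORE_DAYS=30   # 90-day lifetime minus the 60-day renewal interval

# Seconds from now_epoch (default: current time) until a notAfter string as
# printed by `openssl x509 -enddate`, e.g. "Nov 21 12:00:00 2021 GMT".
seconds_left() (
    end=$(date -u -d "$1" +%s 2>/dev/null) || exit 2
    echo $(( $end - ${2:-$(date +%s)} ))
)

# Print ok, renew or expired for a notAfter string (unreadable if unparsable).
cert_state() (
    left=$(seconds_left "$1" "$2") || { echo unreadable; exit 2; }
    if [ "$left" -le 0 ]; then
        echo expired
    elif [ "$left" -lt $(( $RENEW_BEFORE_DAYS * 86400 )) ]; then
        echo renew
    else
        echo ok
    fi
)

# Renew, then confirm the certificate on disk has enough lifetime left.
# cron mails whatever a job prints, so this stays silent unless something is wrong.
renew_and_verify() {
    certbot renew --quiet
    not_after=$(openssl x509 -noout -enddate -in "$CERT" | cut -d= -f2)
    state=$(cert_state "$not_after")
    [ "$state" = ok ] && return 0
    echo "renewal problem: $CERT notAfter=$not_after state=$state" >&2
    return 1
}

# Act only when called as: le-renew.sh run
if [ "${1:-}" = run ]; then
    renew_and_verify
    exit $?
fi

# /etc/cron.d/le-renew (twice a day; certbot skips certificates not yet due):
#   MAILTO=root
#   17 3,15 * * * root /usr/local/sbin/le-renew.sh run
```

Running certbot renew on a schedule is safe because it leaves certificates that are not yet due untouched; the check afterwards is what turns a failed renewal into a cron mail before the certificate expires.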

Conclusion of How to Secure Apache with Let’s Encrypt on CentOS 7

In this article, you learned what Let’s Encrypt is, and that you can install Apache and set up its virtual host on CentOS 7 by following the articles we mentioned. After that, you can secure your Apache server with Let’s Encrypt on CentOS 7.

Hope you enjoy it.
