How To Secure Apache with Let’s Encrypt on Rocky Linux 8

In this guide from the Linux Tutorials, we want to teach you How To Secure Apache with Let’s Encrypt on Rocky Linux 8.

Let’s Encrypt is a new Certificate Authority (CA) that offers FREE SSL certificates just as secure as paid certificates. This project was pioneered to make encrypted connections the default standard throughout the Internet.

The ‘Let’s Encrypt’ project is a significant step forward for security and privacy on the Internet.

Key benefits of using a Let’s Encrypt SSL certificate:

  • It’s free – Anyone who owns a domain can obtain a trusted certificate for that domain at zero cost.
  • It’s automatic – The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process. The renewal occurs automatically in the background.
  • It’s simple – There’s no payment, no validation emails, and certificates renew automatically.
  • It’s secure – Let’s Encrypt serves as a platform for implementing modern security techniques and best practices.

How To Secure Apache with Let’s Encrypt on Rocky Linux 8

To secure your Apache webserver with Let’s Encrypt, you need some requirements.

Requirements

First, you need to log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our article the Initial Server Setup with Rocky Linux 8.

Then, you need to have Apache installed on your server. For this, you can check our guide on the orcacore website How To Install an Apache Web server on Rocky Linux 8.

Now follow the steps below to complete this guide.

Install certbot on Rocky Linux 8

First, you need to install the EPEL repository and the mod_ssl package which is a security module for the Apache HTTP server that provides strong cryptography by leveraging SSL/TLS protocols using OpenSSL:

sudo dnf install epel-release mod_ssl

Then, install “certbot” to get an SSL certificate with Let’s Encrypt on Rocky Linux 8 with the command below:

sudo dnf install certbot python3-certbot-apache

Answer “y” to complete the installation.

Now certbot is now installed on your Rocky Linux 8. Let’s get an SSL certificate for your domain name.

How to get an SSL certificate from Let’s Encrypt on Rocky Linux 8

You can get your SSL certificate with Let’s Encrypt by following these steps:

sudo certbot --apache

It will ask you some questions. the first will ask you to enter your email address for renewal notifications and security notices:

Output
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After entering your email address, press enter to the next step, you will be asked to confirm if you agree to Let’s Encrypt terms of service. press ‘A’ to accept and press enter to continue:

Output
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)agree/(C)cancel : A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

At this point, you will be asked to share your email address with the Electronic Frontier Foundation:

Otput
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)yes/(N)no: N

Press ‘N’ to continue, if you want to receive the information type ‘Y’.

In this step, It is important to set up correctly your virtual hostname at the beginning of the article. select the domains you want to activate HTTPS for.

Output
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: stacku.orcacore.net
2: www.stacku.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

you will see your output like this:

Output
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for stacku.orcacore.net
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/stacku.orcacore.net-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/stacku.orcacore.net-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/stacku.orcacore.net-le-ssl.conf

In the next step, you will be asked to choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

Output
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

At this point, the certbot configuration is finished. and you will see this in your output:

Output
Congratulations! You have successfully enabled https://stacku.orcacore.net
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=stacku.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/stacku.orcacore.net/fullchain.pem
  Your key file has been saved at:
   /etc/letsencrypt/live/stacku.orcacore.net/privkey.pem
   Your cert will expire on 2021-11-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificate with Let’s Encrypt on Rocky Linux 8 is now installed and loaded into Apache’s configuration.

Type your domain name in your web browser, you will see the lock icon is in the address bar.

At this point, you can use the SSL Labs server test to verify your certificate from Let’s Encrypt too. you go to the page and enter your hostname there.

How To set up Auto-Renewal Of the Lets Encrypt Certifications

In this article, we learn How to Secure Apache with Let’s Encrypt on Rocky Linux 8 and configure it. Now, you should know, that Let’s Encrypt certificates are valid for 90 days, but it’s better to renew them every 60 days automatically.

sudo certbot renew --dry-run

You will see this in your output:

Output
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/stacku.orcacore.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry

**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Conclusion

Here you learn about the installing certbot and get the SSL certification from Let’s Encrypt. and renew the certifications.

Hope you enjoy this article about How to Secure Apache with Let’s Encrypt on Rocky Linux 8.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

POPULAR TAGS

Most Popular