How to configure Apache with Let’s Encrypt on CentOS 7

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install TLS/SSL certificates for free, enabling encrypted HTTPS on web servers.

Let’s Encrypt simplifies the process by providing a software client, Certbot, that attempts to automate most of the necessary steps. Currently, the whole process of obtaining and installing certificates is fully automated in Apache and Nginx.

We recommend that you test every tutorial or guide available on the Internet on a virtual machine (vmware or Virtualbox) before deploying to a production server, so as not to mess up the operating system when something goes wrong.


Make sure you meet the following prerequisites before proceeding with this tutorial:

  • You have a domain name that points to your public server’s IP address. In this tutorial we will use domains
  • Apache is already installed and running on your server.
  • You have an Apache virtual host for your domain.
  • Firewall setup with ports 80 and 443 open.

Install the following packages required for the SSL encrypted web server:

yum install mod_ssl openssl

Install Certbot

Certbot is a full-featured, easy-to-use tool that can automate the task of obtaining and renewing Let’s Encrypt SSL Certificates. Certbot will also manage all web server configurations so they can use the certificate directly.

If you do not have EPEL repository installed on your system, run the following command:

sudo yum install epel-release

Once the EPEL repository is enabled, install the certbot package by typing:

sudo yum install certbot

Create a Dh key exchange certificate (Diffie-Hellman)

Diffie-Hellman (DH) key exchange is a method of exchanging secure cryptographic keys over an insecure communication channel. We will create a new 2048-bit DH parameter to enhance security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

If you are still paranoid, you can change the size up to 4096 bits, but in this case, the release may take more than 30 minutes depending on the processing capabilities of your system.

See also  Learn to use the Curl command in Terminal

Obtained Let’s Encrypt SSL certificate

To get the SSL certificate for the domain we will use the Webroot plugin which works by creating a temporary file to validate the required domain in the directory ${webroot-path}/.well-known/acme-challenge.

Let’s Encrypt server makes HTTP requests for temporary files to verify that the requested domain has completed data requests to the server where certbot is running.

To keep it simple, we will set all HTTP requests to .well-known/acme-challengeto a single directory, /var/lib/letsencrypt.

The following command will create a directory and make it writable by the Apache server.

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp apache /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid code duplication, create the following two snippets

sudo nano /etc/httpd/conf.d/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS

Save and close the above snippet, then create the following snippet again:

sudo nano /etc/httpd/conf.d/ssl-params.conf
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

The snippet above uses the recommended chipper, enables OCSP Stapling, HTTP Strict Transport Security (HSTS) and implements some security-focused HTTP headers.

Reload the Apache configuration for the changes to take effect:

sudo systemctl reload httpd

Now you can run Certbot using the webroot plugin and get the SSL certificate file by typing the command:

sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d -d

If the SSL certificate was obtained successfully, certbot will print the following message:

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2018-12-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

The default version of Apache on CentOS 7 is version 2.4.6 which has no directive SSLOpenSSLConfCmd. This directive is only available in Apache 2.4.8 and is used for OpenSSL configuration parameters such as Diffie-Hellman (DH) key exchange.

See also  How to install and configure Skype on CentOS 8

We’ll create a new merge file using the Let’s Encrypt SSL certificate and the DH file we created earlier. To do this, type:

cat /etc/letsencrypt/live/ /etc/ssl/certs/dhparam.pem >/etc/letsencrypt/live/

Now that everything is set up, edit the virtual host configuration for your domain as follows:

sudo nano /etc/httpd/conf.d/
<VirtualHost *:80>

  Redirect permanent /

<VirtualHost *:443>

  <If "%{HTTP_HOST} == ''">
    Redirect permanent /

  DocumentRoot /var/www/
  ErrorLog /var/log/httpd/
  CustomLog /var/log/httpd/ combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/
  SSLCertificateKeyFile /etc/letsencrypt/live/
  SSLCertificateChainFile /etc/letsencrypt/live/

  # Other Apache Configuration


With the above configuration we force to always use connect https and redirect from version www to issue change www. Feel free to modify the above configuration according to your needs.

Restart the Apache service after completing the above virtual host setup:

sudo systemctl restart httpd

You can now open your website with https:// And you will see a green icon.

If you test your domain with SSL Labs Server Test, you will get an A+ score as shown below:

ssllabs test

How to auto-renew Let’s encrypt SSL certificates

Let’s Encrypt certificates are valid for 90 days. To automatically renew certificates before they expire, the certbot package creates a cronjob that runs twice a day and will automatically renew any certificate within 30 days before the certificate expires.

Run command crontab To create a new cronjob:

sudo crontab -e

Copy and paste the following line:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Save and close the file.

See also  Various ways to download ISO files on Linux systems

To test the update process, you can use the certbot command followed by a statement --dry-run :

sudo certbot renew --dry-run

If there are no errors, the test update was successful.


In this tutorial, you can use the Let’s Encrypt client, certbot, to download an SSL certificate for your domain.

I also created Apache snippets to avoid code duplication and configured the Apache web server to use certificates.

At the end of the tutorial, I set up a cronjob to automatically renew the certificate.

Source link