How to configure Apache with Let’s Encrypt on CentOS 7

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install TLS/SSL certificates for free, enabling encrypted HTTPS on web servers.

Let’s Encrypt simplifies the process by providing a software client, Certbot, that attempts to automate most of the necessary steps. Currently, the whole process of obtaining and installing certificates is fully automated in Apache and Nginx.

We recommend that you test every tutorial or guide available on the Internet on a virtual machine (VMware or VirtualBox) before deploying to a production server, so that the operating system is not left in a broken state when something goes wrong.

Prerequisites

Make sure you meet the following prerequisites before proceeding with this tutorial:

  • You have a domain name that points to your public server’s IP address. In this tutorial we will use the domain example.com.
  • Apache is already installed and running on your server.
  • You have an Apache virtual host for your domain.
  • Your firewall is configured to allow inbound traffic on ports 80 and 443.

Install the following packages required for the SSL encrypted web server:

sudo yum install mod_ssl openssl

Install Certbot

Certbot is a full-featured, easy-to-use tool that can automate the task of obtaining and renewing Let’s Encrypt SSL Certificates. Certbot will also manage all web server configurations so they can use the certificate directly.

If you do not have EPEL repository installed on your system, run the following command:

sudo yum install epel-release

Once the EPEL repository is enabled, install the certbot package by typing:

sudo yum install certbot

Create a Diffie-Hellman (DH) parameter file

Diffie-Hellman (DH) key exchange is a method of establishing a shared secret over an insecure communication channel. We will generate a new 2048-bit DH parameter file to strengthen the key exchange:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

If you are still paranoid, you can increase the size to 4096 bits, but in that case generation may take more than 30 minutes depending on the processing capabilities of your system.


Obtain a Let’s Encrypt SSL certificate

To get the SSL certificate for the domain we will use the Webroot plugin, which works by creating a temporary file for the domain being validated in the directory ${webroot-path}/.well-known/acme-challenge.

The Let’s Encrypt server then makes an HTTP request for that temporary file to verify that the requested domain actually resolves to the server where certbot is running.

To keep it simple, we will map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

The following commands create the directory and assign it to the apache group (the setgid bit makes files created inside it inherit that group):

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp apache /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating configuration, create the following two snippets:

sudo nano /etc/httpd/conf.d/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Save and close the first snippet, then create the second one:

sudo nano /etc/httpd/conf.d/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

The snippet above uses the cipher suite recommended by cipherli.st, enables OCSP Stapling and HTTP Strict Transport Security (HSTS), and adds some security-focused HTTP headers.

Reload the Apache configuration for the changes to take effect:

sudo systemctl reload httpd
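Before running certbot, it is worth confirming that the Alias above really serves files from /var/lib/letsencrypt over plain HTTP, since a wrong webroot is the most common reason the challenge fails. The following pre-flight check is an added example and not part of the original article; it assumes the tutorial's webroot path and that curl is installed.

```shell
#!/bin/sh
# Added example (not from the original article): drop a random token file into
# the webroot and fetch it through the web server at the path the Alias in
# letsencrypt.conf maps it to. Assumes WEBROOT from the tutorial and curl.
set -e

WEBROOT=/var/lib/letsencrypt

# fetch_url URL: print the response body, fail on HTTP errors (4xx/5xx).
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# acme_path_check BASE_URL WEBROOT
# Writes a random token file, fetches it through the server and compares.
# Returns 0 when the body matches the token, 1 otherwise; always cleans up.
acme_path_check() {
    base_url="$1"
    webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s' "$token" > "$dir/$token"
    body=$(fetch_url "$base_url/.well-known/acme-challenge/$token" 2>/dev/null || true)
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# Usage: sudo ./acme-check.sh example.com www.example.com
if [ $# -gt 0 ]; then
    for d in "$@"; do
        if acme_path_check "http://$d" "$WEBROOT"; then
            echo "ok: $d serves the challenge path from $WEBROOT"
        else
            echo "FAIL: $d does not serve $WEBROOT at /.well-known/acme-challenge/" >&2
            exit 1
        fi
    done
fi
```

Run it as root for every name you will pass to certbot with -d; a FAIL for www.example.com usually means that name is not covered by the virtual host that includes the Alias.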

Now you can run Certbot using the webroot plugin and get the SSL certificate file by typing the command:

sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate was obtained successfully, certbot will print the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-12-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The default version of Apache on CentOS 7 is 2.4.6, which lacks the SSLOpenSSLConfCmd directive. That directive is only available in Apache 2.4.8 and later and is used to pass OpenSSL configuration parameters such as the Diffie-Hellman (DH) parameters.


Instead, we’ll create a combined file from the Let’s Encrypt SSL certificate and the DH parameter file we generated earlier. To do this, type:

sudo sh -c 'cat /etc/letsencrypt/live/example.com/cert.pem /etc/ssl/certs/dhparam.pem > /etc/letsencrypt/live/example.com/cert.dh.pem'

Now that everything is set up, edit the virtual host configuration for your domain as follows:

sudo nano /etc/httpd/conf.d/example.com.conf
<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog /var/log/httpd/example.com-error.log
  CustomLog /var/log/httpd/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.dh.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

  # Other Apache Configuration

</VirtualHost>

With the above configuration we force all connections to use HTTPS and redirect the www version of the site to the non-www version. Feel free to modify the configuration according to your needs.

Restart the Apache service after completing the above virtual host setup:

sudo systemctl restart httpd

You can now open your website with https:// and you will see the green lock icon.

If you test your domain with the SSL Labs Server Test, you will get an A+ score:

[Screenshot: SSL Labs test result]

How to auto-renew Let’s encrypt SSL certificates

Let’s Encrypt certificates are valid for 90 days. To renew certificates automatically before they expire, the certbot package creates a cron job that runs twice a day and renews any certificate that is within 30 days of its expiry date.

Run the crontab command to create a new cron job:

sudo crontab -e

Copy and paste the following line:

0 */12 * * * test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload httpd"

Save and close the file.
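One thing the plain reload in the cron line does not cover: certbot renew only refreshes cert.pem, so the combined cert.dh.pem that the virtual host actually serves goes stale after a renewal and Apache would keep presenting the old certificate until it expires. The following renew hook is an added example, not part of the original article or of certbot; it assumes the tutorial's file paths and RENEWED_LINEAGE, the environment variable certbot exports to renew hooks.

```shell
#!/bin/sh
# Added example (not from the original article): a certbot renew hook that
# rebuilds cert.dh.pem from the freshly renewed cert.pem plus the DH parameter
# file, and reloads Apache only when the served file actually changed.
# Assumes the tutorial's paths and certbot's RENEWED_LINEAGE variable.
set -e

DHPARAM=/etc/ssl/certs/dhparam.pem

# rebuild_dh_cert LINEAGE_DIR DHPARAM_FILE
# Writes cert.pem + DH parameters to cert.dh.pem through a temp file and a
# rename, so Apache never reads a half-written file. Prints "updated" when the
# content changed and "unchanged" otherwise, so the caller can skip the reload.
rebuild_dh_cert() {
    lineage="$1"
    dh="$2"
    target="$lineage/cert.dh.pem"
    tmp=$(mktemp "$lineage/.cert.dh.XXXXXX")
    cat "$lineage/cert.pem" "$dh" > "$tmp"
    chmod 0644 "$tmp"   # certificate and DH params are public, the key is not in here
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        echo unchanged
    else
        mv -f "$tmp" "$target"
        echo updated
    fi
}

# Entry point when certbot runs this script, e.g.
#   certbot -q renew --renew-hook /usr/local/bin/rebuild-dh-cert.sh
# RENEWED_LINEAGE is only set by certbot, so nothing happens when the file is
# run by hand or sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if [ "$(rebuild_dh_cert "$RENEWED_LINEAGE" "$DHPARAM")" = updated ]; then
        systemctl reload httpd
    fi
fi
```

Install the script as root with mode 0755 and pass its path to --renew-hook in the cron line in place of the plain reload command.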


To test the renewal process, run the certbot renew command with the --dry-run flag:

sudo certbot renew --dry-run

If there are no errors, the test renewal was successful.

Conclusion

In this tutorial, we used the Let’s Encrypt client, certbot, to obtain an SSL certificate for your domain.

I also created Apache snippets to avoid code duplication and configured the Apache web server to use certificates.

At the end of the tutorial, I set up a cronjob to automatically renew the certificate.
