CentOS 7: How to Configure Apache with Let’s Encrypt Free SSL
An SSL-enabled website lets users submit data (POST/GET) securely. Whenever your web browser sends a POST or GET request to a website without SSL, your data might be captured via network traffic or a packet dump.
Let’s Encrypt offers free SSL certificates valid for up to 3 months; you need to renew the certs every 3 months, otherwise browsers will flag the SSL certificate as insecure. Below is the commonly seen non-secure / self-generated SSL error when accessing a website.
We will show you how to install and configure a Let’s Encrypt SSL certificate with the Apache web server on CentOS 7.x.
Step 1: Create Virtual Host File
Create a virtual host file for your domain name as below (replace noreplied.com with your domain name) in /etc/httpd/conf.d/vhost-noreplied.com.conf
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName noreplied.com
    ServerAlias www.noreplied.com
    DocumentRoot /www/vhosts/noreplied.com/www
    CustomLog /www/vhosts/noreplied.com/logs/access_log combined
    ErrorLog /www/vhosts/noreplied.com/logs/error_log
    <Directory "/www/vhosts/noreplied.com/www">
        Options -Includes -ExecCGI
        AllowOverride All
    </Directory>
</VirtualHost>
Restart the Apache service so that the new virtual host is loaded
$ sudo systemctl restart httpd
Step 2: Install External Repo & Package
Before proceeding with the Let’s Encrypt installation, an external repo and some packages need to be enabled.
First, install epel-release on your machine
$ sudo yum install epel-release
Second, we need git to clone Let’s Encrypt onto your server, so proceed to install git
$ sudo yum install git
We are now ready to move on to the Let’s Encrypt installation
Step 3: Let’s Encrypt Installation
Our practice is to install packages in the “/opt” folder, but you may git clone Let’s Encrypt into any folder you are comfortable with. Proceed to clone Let’s Encrypt onto your server
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
If you list the directory, you should see all the files in /opt/letsencrypt
Step 4: Create SSL Certs
Next, we will issue the command to generate the SSL certs with Let’s Encrypt. First, make sure you are in the /opt/letsencrypt folder
$ cd /opt/letsencrypt
The command below will generate the cert for the domains noreplied.com and www.noreplied.com; please replace them with your own domain name. We redirect users who access noreplied.com to www.noreplied.com, hence we will be using the same cert for both the domain and the sub-domain.
$ ./letsencrypt-auto --apache -d noreplied.com -d www.noreplied.com
Once the command has been issued, the script will install the dependencies required by Let’s Encrypt. Don’t worry about it, let it run.
Installing dependency files
Please make sure you key in the correct email address; it will be used for future reference
Accept the terms and conditions, appreciate what Let’s Encrypt offers and don’t abuse it.
Select “Secure”; it will generate redirect rules from http to https
Congratulations, your certs have been installed. Please take note that they will expire 3 months from the day you generated them.
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through e-mails sent to [email protected]
 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/noreplied.com/fullchain.pem. Your cert will expire on 2016-06-19. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt so making regular backups of this folder is ideal.
In case you are not aware, a new vhost file has been generated at /etc/httpd/conf.d/vhost-noreplied.com-le-ssl.conf, and redirect rules have been enabled in the original virtual host file.
Let’s Encrypt has restarted the Apache service for the new config file to take effect. It’s all done.
Step 5: Renew Cert Every 3 months
The certs will expire in 3 months’ time; it’s recommended to run the renew command 2-3 weeks before they expire.
Here is the command to trigger renewal process
$ cd /opt/letsencrypt
$ ./letsencrypt-auto renew
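One way to automate the timing from Step 5, as an added example that is not part of the original article: the script reads the expiry date from the certificate and runs the renew command only inside the renewal window. The 21-day threshold, the function names and the cron path in the comment are assumptions; the certificate path and /opt/letsencrypt come from the steps above, and GNU date (as shipped on CentOS 7) is assumed.

```shell
#!/bin/sh
# Added example: renew only when the cert is close to expiry.
CERT=/etc/letsencrypt/live/noreplied.com/fullchain.pem  # path from the output above
LE_DIR=/opt/letsencrypt                                 # clone location from Step 3
RENEW_DAYS=21                                           # assumption: 3 weeks before expiry

# days_left EXPIRY [NOW]: whole days from NOW (default: current time) to EXPIRY.
# Both arguments are date strings that GNU "date -d" can parse.
days_left() {
    exp=$(date -u -d "$1" +%s) || return 2
    now=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( (exp - now) / 86400 ))
}

# needs_renewal EXPIRY [NOW]: exit 0 when EXPIRY is RENEW_DAYS or fewer days away.
needs_renewal() {
    left=$(days_left "$1" "$2") || return 2
    [ "$left" -le "$RENEW_DAYS" ]
}

# cert_expiry FILE: print the notAfter date of a PEM certificate,
# e.g. "Jun 19 12:00:00 2016 GMT".
cert_expiry() {
    openssl x509 -enddate -noout -in "$1" | cut -d= -f2
}

# run_renewal_check: the full check; must run as root to read /etc/letsencrypt.
run_renewal_check() {
    [ -r "$CERT" ] || { echo "cannot read $CERT" >&2; return 1; }
    expiry=$(cert_expiry "$CERT") || return 1
    if needs_renewal "$expiry"; then
        cd "$LE_DIR" && ./letsencrypt-auto renew
    else
        echo "$(days_left "$expiry") days left on $CERT, nothing to do"
    fi
}

# Hypothetical root cron entry (script path is an assumption):
#   30 3 * * * /usr/local/sbin/le-renew-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_renewal_check
fi
```

A non-zero exit from the cron job means either the certificate could not be read or the renew command failed, so it is worth having cron mail its output to the address that monitors the site.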