CentOS 7: How to Configure Apache with Let’s Encrypt Free SSL

SSL enabled website allow user to transfer data (post/get) submission securely. Whenever there is POST or GET event happening on your web browser, non-ssl enabled website might your data captured via network traffic or packet dump.

Let’s Encrypt offer free SSL certificate up to 3 months, every 3 months you need to renew the certs otherwise browser will prompt as insecure SSL certificated. Below is the commonly seen non secure / self generate SSL error when accessing to a website.

letsencrypt-ssl-01

We will show you how to install and configure Let’s Encrypt SSL certificate with Apache Webserver on Centos 7.x service.

Step 1: Create Virtual Host File

Create a virtual host file that host your domain name as below (replace noreplied.com with your domain name) in /etc/httpd/conf.d/vhost-noreplied.com.conf

NameVirtualHost *:80
<VirtualHost *:80>
        ServerName   noreplied.com
        ServerAlias  www.noreplied.com

        DocumentRoot /www/vhosts/noreplied.com/www
        CustomLog  /www/vhosts/noreplied.com/logs/access_log combined
        ErrorLog  /www/vhosts/noreplied.com/logs/error_log

        <Directory "/www/vhosts/noreplied.com/www">
                Options -Includes -ExecCGI
                AllowOverride All
        </Directory>
</VirtualHost>

Restart apache services in order for the new virtual host to be loaded

$ sudo systemctl restart httpd

Step 2: Install External Repo & Package

Before proceed with Let’s Encrypt installation, there are external repo and packages need to be enabled.

First, install epel-release on your machine

$ sudo yum install epel-release

Second, we required git to clone Let’s Encrypt into your server, proceed to install git

$ sudo yum install git

We are good to roll on Let’s Encrypt Installation

Step 3: Let’s Encrypt Installation

We practice to install package in “/opt” folder, you may git clone Let’s Encrypt in the folder you are comfortable with. Proceed with Let’s Encrypt cloning into your server

$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Doing a file list you should see all the files in /opt/letsencrypt

letsencrypt-ssl-installed-files

Step 4: Create SSL Certs

Next, we will issue command to generate the SSL certs with Let’s Encrypt. First, make sure you are in /opt/letsencrypt folder

$ cd /opt/letsencrypt

Below command will generate the cert for domain noreplied.com and www.noreplied.com,  please replace with your own domain name. We redirect user who access noreplied.com to www.noreplied.com, hene we will be using the same cert for both the domain and sub-domain.

$ ./letsencrypt-auto --apache -d noreplied.com -d www.noreplied.com

Once command has been issued, the script will install dependencies scripts required by Let’s Encrypt, don’t worry about it, let it run.

letsencrypt-ssl-installed-dependency

Installing dependency files

 letsencrypt-ssl-email-address

Please make sure you key in correct email address, it will use as future reference

letsencrypt-ssl-accept-agreements

Accept the terms and condition, appreciate what Let’s Encrypt offer and don’t abuse it.

letsencrypt-ssl-redirect-https

Select “Secure” it will generate redirect rules from http to https

letsencrypt-ssl-success-message

Done!

Congratulation, your certs has been installed. Please take note that it will expire after 3 months from the day you generate.

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected]
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/noreplied.com/fullchain.pem. Your cert will
   expire on 2016-06-19. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

Just in case you are not aware, there are new vhost geneate in /etc/httpd/conf.d/vhost-noreplied.com-le-ssl.conf, at the same time redirect rules enabled on the original virtualhost file.

Let’s Encrypt has restarted the apache service for the new config file to take place. It’s all done.

Step 5: Renew Cert Every 3 months

The certs will be expired in 3 months time, it’s recommend to run the renew command 2-3 weeks before it’s expired.

Here is the command to trigger renewal process

$ cd /opt/letsencrypt 
$ ./letsencrypt-auto renew

Now everyone can enable SSL for their website 😉 Thanks to Let’s Encrypt. Please do Donate to them

Tags: