// Tutorial //

How To Secure Apache with Let's Encrypt on CentOS 7

Published on January 26, 2016 · Updated on May 23, 2019
Default avatar
How To Secure Apache with Let's Encrypt on CentOS 7
Not using CentOS 7?Choose a different version or distribution.
CentOS 7

Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides free certificates for Transport Layer Security (TLS) encryption, thereby enabling encrypted HTTPS on web servers. It simplifies the process of creation, validation, signing, installation, and renewal of certificates by providing a software client that automates most of the steps—Certbot.

In this tutorial, you will use Certbot to set up a TLS/SSL certificate from Let’s Encrypt on a CentOS 7 server running Apache as a web server. Additionally, you will automate the certificate renewal process using a cron job, which you can learn more about by reading How To Use Cron To Automate Tasks On a VPS.

Prerequisites

In order to complete this guide, you will need:

  • One CentOS 7 server set up by following the CentOS 7 initial server setup guide with a non-root user who has sudo privileges.
  • A basic firewall configured by following the Additional Recommended Steps for New CentOS 7 Servers guide.
  • Apache installed on the CentOS 7 server with a virtual host configured. You can learn how to set this up by following our tutorial How To Install the Apache Web Server on CentOS 7. Be sure that you have a virtual host file for your domain. This tutorial will use /etc/httpd/sites-available/example.com.conf as an example.
  • You should own or control the registered domain name that you wish to use the certificate with. If you do not already have a registered domain name, you may purchase one on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
  • A DNS A Record that points your domain to the public IP address of your server. You can follow this introduction to DigitalOcean DNS for details on how to add them with the DigitalOcean platform. DNS A records are required because of how Let’s Encrypt validates that you own the domain it is issuing a certificate for. For example, if you want to obtain a certificate for example.com, that domain must resolve to your server for the validation process to work. Our setup will use example.com and www.example.com as the domain names, both of which will require a valid DNS record.

When you have all of these prerequisites completed, move on to install the Let’s Encrypt client software.

Step 1 — Installing the Certbot Let’s Encrypt Client

To use Let’s Encrypt to obtain an SSL certificate, you first need to install Certbot and mod_ssl, an Apache module that provides support for SSL v3 encryption.

The certbot package is not available through the package manager by default. You will need to enable the EPEL repository to install Certbot.

To add the CentOS 7 EPEL repository, run the following command:

  1. sudo yum install epel-release

Now that you have access to the repository, install all of the required packages:

  1. sudo yum install certbot python2-certbot-apache mod_ssl

During the installation process you will be asked about importing a GPG key. This key will verify the authenticity of the package you are installing. To allow the installation to finish, accept the GPG key by typing y and pressing ENTER when prompted to do so.

With these services installed, you’re now ready to run Certbot and fetch your certificates.

Step 2 — Obtaining a Certificate

Now that Certbot is installed, you can use it to request an SSL certificate for your domain.

Using the certbot Let’s Encrypt client to generate the SSL Certificate for Apache automates many of the steps in the process. The client will automatically obtain and install a new SSL certificate that is valid for the domains you provide as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:

  1. sudo certbot --apache -d example.com

This runs certbot with the --apache plugin and specifies the domain to configure the certificate for with the -d flag.

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command, tagging each new domain or subdomain with the -d flag. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For this reason, pass the base domain name as first in the list, followed by any additional subdomains or aliases:

  1. sudo certbot --apache -d example.com -d www.example.com

The base domain in this example is example.com.

The certbot utility can also prompt you for domain information during the certificate request procedure. To use this functionality, call certbot without any domains:

  1. sudo certbot --apache

The program will present you with a step-by-step guide to customize your certificate options. It will ask you to provide an email address for lost key recovery and notices, and then prompt you to agree to the terms of service. If you did not specify your domains on the command line, you will be prompted for that as well. If your Virtual Host files do not specify the domain they serve explicitly using the ServerName directive, you will be asked to choose the virtual host file. In most cases, the default ssl.conf file will work.

You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https. For better security, it is recommended to choose the option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2

When the installation is successfully finished, you will see a message similar to this:

Output
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2019-08-14. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

The generated certificate files will be available within a subdirectory named after your base domain in the /etc/letsencrypt/live directory.

Now that your certificates are downloaded, installed, and loaded, you can check your SSL certificate status to make sure that everything is working.

Step 3 — Checking your Certificate Status

At this point, you can ensure that Certbot created your SSL certificate correctly by using the SSL Server Test from the cloud security company Qualys.

Open the following link in your preferred web browser, replacing example.com with your base domain:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

You will land on a page that immediately begins testing the SSL connection to your server:

SSL Server Test

Once the test starts running, it may take a few minutes to complete. The status of the test will update in your browser.

When the testing finishes, the page will display a letter grade that rates the security and quality of your server’s configuration. At the time of this writing, default settings will give an A rating:

SSL Report - A

For more information about how SSL Labs determines these grades, check out the SSL Labs Grading post detailing the updates made to the grading scheme in January, 2018.

Try reloading your website using https:// and notice your browser’s security indicator. It will now indicate that the site is properly secured, usually with a green lock icon.

With your SSL certificate up and verified, the next step is to set up auto-renewal for your certificate to keep your certificate valid.

Step 4 — Setting Up Auto Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. Because of this, it is a best practice to automate this process to periodically check and renew the certificate.

First, let’s examine the command that you will use to renew the certificate. The certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. By using the --dry-run option, you can run a simulation of this task to test how renew works:

  1. sudo certbot renew --dry-run

The output should look similar to this:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/example.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator apache, Installer apache Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org Renewing an existing certificate Performing the following challenges: http-01 challenge for example.com http-01 challenge for www.example.com Waiting for verification... Cleaning up challenges Resetting dropped connection: acme-staging-v02.api.letsencrypt.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/example.com/fullchain.pem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/example.com/fullchain.pem (success) ...

Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal will be valid for all domains included in this certificate.

A practical way to ensure your certificates will not get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day.

The official Certbot documentation recommends running cron twice per day. This will ensure that, in case Let’s Encrypt initiates a certificate revocation, there will be no more than half a day before Certbot renews your certificate.

Edit the crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:

  1. sudo crontab -e

Your text editor will open the default crontab which is an empty text file at this point. This tutorial will use the vi text editor. To learn more about this text editor and its successor vim, check out our Installing and Using the Vim Text Editor on a Cloud Server tutorial.

Enter insert mode by pressing i and add in the following line:

crontab
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

When you’re finished, press ESC to leave insert mode, then :wq and ENTER to save and exit the file. This will create a new cron job that will execute at noon and midnight every day. Adding an element of randomness to your cron jobs will ensure that hourly jobs do not all happen at the same minute, causing a server spike; python -c 'import random; import time; time.sleep(random.random() * 3600)' will select a random minute within the hour for your renewal tasks.

For more information on how to create and schedule cron jobs, you can check our How to Use Cron to Automate Tasks in a VPS guide. More detailed information about renewal can be found in the Certbot documentation.

Conclusion

In this guide you installed the Let’s Encrypt Certbot client, downloaded SSL certificates for your domain, and set up automatic certificate renewal. If you have any questions about using Certbot, you can check the official Certbot documentation. We also recommend that you check the official Let’s Encrypt blog for important updates from time to time.


Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.

Sign up
About the authors
Default avatar
Developer Advocate

Dev/Ops passionate about open source, PHP, and Linux.


Default avatar
Developer and author at DigitalOcean.

Default avatar
Senior Technical Editor

Editor at DigitalOcean, fiction writer and podcaster elsewhere, always searching for the next good nautical pun!


Still looking for an answer?

Was this helpful?
10 Comments

Let’s Encrypt is Awesome. Digitalocean community support is making developers learn things better. Thanks DO.

I am using Heartbeat and a floating IP. I followed this tutorial and got https working great on my first VM. I use apache httpd on centOS 6 and apache tomcat. What will need to be done to VM2 to ensure if I shutdown VM1, failover will work with https on VM2 (the secondary VM)?

Prior to ever using this tutorial to setup https, failover was tested and working fine. I would shutdown VM1 and VM2 would become the primary VM, then if I brought up VM1, it would resume its role as primary VM.

I used this tutorial for https and this tutorial for heartbeat configuration: https://www.digitalocean.com/community/tutorials/how-to-create-a-high-availability-setup-with-heartbeat-and-floating-ips-on-ubuntu-14-04

Could I run certbox on the 2nd VM or would I need to take config files from VM1 and scp them to VM2? Or something else?

The SSL certificates are valid for 90 days. Please consider changing the documentation to have the cron job run at least once a month, if not every other month, rather than every week. This will avoid unnecessary requests to the letsencrypt.org service. This goes for the DigitalOcean Support documentation as well.

Lastly, while this Community document correctly shows that the domain-specific logfile directory must exist, the DigitalOcean Support document fails to mention this. This prevents the apache server from starting if the various VirtualHost files have a separate ErrorLog line.

Fantastic job, Erika! My site is up and running with HTTPS.

One thing people may want to know: if you accidentally enable both http and https when you run letsencrypt-auto, you can redirect any http requests to https by adding the following to httpd.conf:

NameVirtualHost *:80 <VirtualHost *:80> Redirect permanent / https://mysite.example.com/ </VirtualHost>

(Thanks to Stack Overflow for that one: http://stackoverflow.com/questions/16200501/http-to-https-apache-redirection)

hi there, I have followed this tutorial for setting my droplet with following domain (and subdomains):

now, my ssl works for https://snubenci.kalna.ch and https://dokostola.kalna.ch, but not for https://kalna.ch and https://www.kalna.ch

what am I doing wrong?

thanks and best regards Dalibor

Hi, thanks for the great tutorial. I wanted to set it up for a subdomain where my subdomain is hosted in a different VPS. When I tried to install the certificate, it showed the following error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub.mydomain.com
http-01 challenge for www.sub.mydomain.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

Can you please tell me how can I verify my domain which is hosted in another server than the subdomain server? Many thanks!

Will the cron job for renewing work for multiple SSL Certificates? I have two sites on one droplet. One is a wildcard domain.

Please I have a problem. Up to step 3, I could access apache with https. But after completing step 4, I cant access with https. connection insecured

If I am already using self signed certification then there should be something to undo that first else it is not working. My site is showing old self signed certificate only.

Thanks for the tutorial.

I followed it but I got: “This server’s certificate is not trusted” I got a T rating from SSL Labs with the following errors:

  • ItemAlternative names - INVALID
  • Certificate Transparency No
  • DNS CAA No
  • Trusted . No . Not Trusted