Introduction
In this tutorial, you will learn the procedure for installing the TLS/SSL certificate on the Apache web server. When finished, all traffic between server and client will be encrypted. This is a standard practice of protecting e-commerce sites and other financial services online. Let's Encrypt is the pioneer in implementing free SSL and will be used as the certificate provider in this case.
Prerequisites
Before you begin this guide, you will need the following:
- SSH root access to a CentOS 7 VPS
- Apache web server with domain and vhost configured correctly
- A non-root sudo user
Installing dependent modules
certbot is not available in the default CentOS repositories, so you first have to enable the EPEL repository. The mod_ssl module is also required so that Apache can serve HTTPS:
sudo yum install -y epel-release mod_ssl
Downloading the Let's Encrypt client
Next, you will install the certbot client from the EPEL repository:
sudo yum install python-certbot-apache
Obtain and configure the SSL certificate
Certbot makes SSL certificate management straightforward: it requests a new certificate for the domain passed as a parameter and installs it into the Apache configuration. In this case, example.com will be used as the domain to which the certificate will be issued:
sudo certbot --apache -d example.com
If you want to generate SSL for multiple domains or sub-domains, use the following command:
sudo certbot --apache -d example.com -d www.example.com
Note: The first domain should be your base domain, in this example: example.com.
When you install the certificate, certbot walks you through a step-by-step dialogue in which you can customize the certificate details. You will be able to choose between forcing HTTPS or leaving HTTP as the default protocol. Providing an email address is also required; it is used to recover your account credentials (see the note below).
When the installation is complete, you will receive a similar message:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
emails sent to user@example.com.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2019-04-21. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also have certificates and private keys obtained by Let's
Encrypt so regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Configuring automatic certificate renewal
Let's Encrypt certificates are valid for 90 days. It is recommended to renew them within 60 days, in order to avoid any problems. Certbot's renew command takes care of this: it checks every installed certificate and renews only those that are less than 30 days from expiration:
sudo certbot renew
If the installed certificate is recent, certbot will only verify its expiration date:
Processing /etc/letsencrypt/renewal/example.com.conf
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
To automate this renewal process, you can set up a cronjob. First, open the crontab:
sudo crontab -e
This job can safely be scheduled to run every Monday at midnight:
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log
The output of the command will be appended to the /var/log/sslrenew.log file.
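As an added example (not part of the original tutorial), the script below is a cron-friendly replacement for the one-liner above: it runs certbot renew, then reads the expiry date of the certificate on disk and logs how many days remain, so a renewal that silently keeps failing is noticed before the 90 days are up. The certificate path and log file are the ones used in this tutorial; the 30-day window is certbot's own, the 14-day warning threshold is an assumed value, and the openssl binary on the host is assumed. Date parsing is done in plain shell arithmetic so the script does not depend on GNU date -d.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a cron wrapper around
# `certbot renew` that also reports the remaining lifetime of the
# certificate on disk. Assumes openssl is installed; paths are the
# tutorial's, the 14-day warning threshold is a constructed value.

CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"
LOG="${LOG:-/var/log/sslrenew.log}"
RENEW_THRESHOLD_DAYS=30   # certbot renews inside this window
WARN_THRESHOLD_DAYS=14    # assumed: alert if renewal keeps failing

# month_number Apr -> 4
month_number() {
    case "$1" in
        Jan) echo 1;; Feb) echo 2;; Mar) echo 3;; Apr) echo 4;;
        May) echo 5;; Jun) echo 6;; Jul) echo 7;; Aug) echo 8;;
        Sep) echo 9;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# days_from_civil Y M D -> days since 1970-01-01 (proleptic Gregorian,
# Howard Hinnant's algorithm); pure shell so no GNU date is needed.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# notafter_to_epoch "notAfter=Apr 21 00:00:00 2019 GMT" -> UTC epoch seconds
# (the line format printed by `openssl x509 -noout -enddate`)
notafter_to_epoch() {
    set -- $(echo "${1#notAfter=}" | tr ':' ' ')   # Mon D H M S Y GMT
    mon=$(month_number "$1") || return 1
    days=$(days_from_civil "$6" "$mon" "$2")
    # strip one leading zero so "08" is not read as octal
    echo $(( days * 86400 + ${3#0} * 3600 + ${4#0} * 60 + ${5#0} ))
}

# days_until_expiry NOTAFTER_LINE NOW_EPOCH -> whole days left (negative once expired)
days_until_expiry() {
    expiry=$(notafter_to_epoch "$1") || return 1
    echo $(( (expiry - $2) / 86400 ))
}

# renewal_state DAYS -> ok | due | critical | expired
renewal_state() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt "$WARN_THRESHOLD_DAYS" ]; then echo critical
    elif [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]; then echo due
    else echo ok
    fi
}

# check_cert FILE -> "<state> <days>" for the certificate on disk
check_cert() {
    enddate=$(openssl x509 -in "$1" -noout -enddate) || return 1
    days=$(days_until_expiry "$enddate" "$(date +%s)")
    echo "$(renewal_state "$days") $days"
}

# Cron entry point: renew, then log the remaining lifetime. Skipped when the
# certificate is not present (for example when this file is sourced for testing).
if [ -r "$CERT" ] && command -v openssl >/dev/null 2>&1; then
    if ! /usr/bin/certbot renew --quiet; then
        echo "$(date '+%F %T') certbot renew FAILED" >> "$LOG"
    fi
    echo "$(date '+%F %T') $CERT $(check_cert "$CERT")" >> "$LOG"
fi
```

Point the cron entry at this script instead of calling certbot directly (for example, 0 0 * * 1 /usr/local/bin/ssl-renew.sh, where the script path is an assumed location) and watch the log for lines marked due, critical or expired; a certificate that is still "due" a week after the job ran means the renewal itself is failing and needs attention.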
Conclusion
You just secured your Apache web server by implementing a free SSL certificate. From now on all traffic between server and client is encrypted.