How to Secure Apache with Let’s Encrypt on CentOS 7
A huge thank you to Digital Ocean for their tutorials; everything below has been taken from them, only scaled back to the bare minimum to get the job done. If you want to go through their full article on setting up Let’s Encrypt, see the Digital Ocean tutorial.
Let’s Encrypt is a Certificate Authority (CA) that issues free, automatically renewable TLS certificates (still commonly called SSL certificates) for your servers and websites.
Step 1 — Installing Certbot
To obtain a certificate, you first need to install Certbot and mod_ssl, the Apache module that provides TLS support (the protocol is still widely referred to as SSL). SSLv3 itself is obsolete and insecure and must stay disabled; the Apache options file that Certbot’s plugin installs turns SSLv2 and SSLv3 off, so do not re-enable them.
To add the CentOS 7 EPEL repository, run the following command:
sudo yum install epel-release
Then install all of the required packages:
sudo yum install certbot python2-certbot-apache mod_ssl
Step 2 — Obtaining a Certificate
Now that Certbot is installed, you can use it to request an SSL certificate for your domain.
To run the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:
sudo certbot --apache -d example.com
This runs certbot with the --apache plugin, which obtains the certificate and edits your Apache configuration to use it, and specifies the domain to issue the certificate for with the -d flag.
You can cover multiple domains and sub-domains with one certificate by passing each of them with its own -d flag. Every name you pass must already resolve to this server, because Let’s Encrypt validates control of each one before issuing. The first domain name in the list will be the base domain used by Let’s Encrypt to name the certificate. Example:
sudo certbot --apache -d example.com -d www.example.com
The generated certificate files will be available within a subdirectory named after your base domain in the
Step 3 — Checking your Certificate Status
Try reloading your website using https:// and notice your browser’s security indicator. It will now indicate that the site is properly secured, usually with a lock icon. The lock only tells you that the browser could build a trusted chain to the certificate; it does not tell you which host names the certificate actually covers or when it expires, so it is worth checking those directly.
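The following script is an added example and is not part of the Digital Ocean tutorial or of Certbot itself. It checks a certificate the way a browser does: it reads the Subject Alternative Name (SAN) list, which is what browsers match the host name against (the CN is ignored), and it can fetch the certificate a server actually presents using SNI, so you verify the deployed chain rather than the file on disk. The host name example.com and the --live flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial: inspect a certificate's identity,
# validity window and SAN coverage with plain openssl(1).
set -u

# Print the subject, issuer and validity window of a PEM certificate file.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# List the DNS names in the Subject Alternative Name extension, one per line.
# The SAN line follows the "X509v3 Subject Alternative Name:" header in -text output.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS://p'
}

# Exit 0 if host name $2 is listed exactly in the SANs of certificate $1.
cert_covers() {
    cert_san_names "$1" | grep -qx "$2"
}

# Fetch the leaf certificate a server presents for a host name (SNI is sent,
# so name-based virtual hosts return the right certificate). Needs network.
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Usage (assumed invocation): ./check-cert.sh --live example.com
if [ "${1:-}" = "--live" ]; then
    host="${2:-example.com}"
    pem="$(mktemp)"
    fetch_server_cert "$host" > "$pem"
    cert_summary "$pem"
    if cert_covers "$pem" "$host"; then
        echo "OK: $host is in the SAN list"
    else
        echo "WARNING: $host is not covered by the served certificate"
    fi
    rm -f "$pem"
fi
```

A common way to get the padlock on example.com but a certificate error on www.example.com is to forget the second -d flag; cert_covers against the served certificate catches that before users do.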
Step 4 — Setting Up Auto Renewal
Let’s Encrypt certificates are valid for 90 days. certbot renew only replaces a certificate that is within 30 days of expiry (that is, after roughly 60 days), so running it frequently is safe and leaves a margin of error if a renewal attempt fails.
By using the --dry-run option, you can run a simulation of the renewal to test that it would succeed, without actually replacing your certificate or counting against Let’s Encrypt’s rate limits:
sudo certbot renew --dry-run
The official Certbot documentation recommends running certbot renew from cron twice per day. This ensures that, in case Let’s Encrypt initiates a certificate revocation, there will be no more than half a day before Certbot renews your certificate.
Use crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:
sudo crontab -e
Add in the following line:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
When you’re finished, press ESC to leave insert mode, then type :wq and press ENTER to save and exit the file. This creates a new cron job that runs at midnight and noon every day; the python one-liner sleeps for a random interval of up to an hour first so that every server on the internet does not contact Let’s Encrypt at the same instant (on CentOS 7, python is Python 2, which is fine for this).
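As an added example that is not part of the tutorial or of Certbot, the renewal wrapper below does the same job as the cron one-liner above but in a form you can also use for monitoring: it adds the random jitter in shell, reloads Apache only for certificates that were actually renewed (via certbot’s --deploy-hook), and reports which certificates are inside the 30-day renewal window. The script path, the --cron and --status flags, the 30-day threshold and the live directory (assumed to be Certbot’s default /etc/letsencrypt/live) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial: renewal wrapper for the twice-daily
# cron job plus a status report over the certificates Certbot manages.
set -u

# Assumed location of Certbot's "live" symlink directory.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Exit 0 if certificate $1 expires within $2 days (renewal is due).
# openssl -checkend succeeds only while the cert is still valid that far ahead.
cert_needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Sleep a random number of seconds in [0, $1) so many servers spread their load.
jitter() {
    sleep "$(awk -v n="$1" 'BEGIN { srand(); print int(rand() * n) }')"
}

# Renew whatever is due; --deploy-hook runs once per certificate that was
# actually renewed, so Apache is reloaded only when something changed.
renew_all() {
    certbot renew --quiet --deploy-hook "systemctl reload httpd"
}

# One line per managed certificate: RENEW if inside the window, else OK.
report_status() {
    for d in "$LIVE_DIR"/*/; do
        [ -f "$d/cert.pem" ] || continue
        name="$(basename "$d")"
        if cert_needs_renewal "$d/cert.pem" 30; then
            echo "RENEW   $name"
        else
            echo "OK      $name"
        fi
    done
}

# Assumed crontab entry:  0 0,12 * * * /usr/local/sbin/renew-certs.sh --cron
case "${1:-}" in
    --cron)   jitter 3600; renew_all ;;
    --status) report_status ;;
esac
```

Running the script with --status from a monitoring check gives you an alert if a certificate sits in the RENEW state for more than a day or two, which is exactly the failure mode (renewals silently breaking) that a bare cron entry cannot surface.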