Introduction

In this tutorial, we’ll show you how to set up a free TLS/SSL certificate for your website on a CentOS 7 Linux server running the Apache web server.  Let’s Encrypt provides an easy way to obtain and install trusted certificates for free, and the process can be completely automated on CentOS 7 with the free “certbot” software.  The certificates are valid for 90 days and can be renewed automatically, also at no cost.  Let’s Encrypt browser support is great — the following browsers are supported, which covers the majority of the current browser market share, worldwide:

  • Google Chrome
  • Safari >= v4.0 on macOS
  • Safari >= v3.1 on iOS
  • Mozilla Firefox >= v2.0
  • Microsoft Edge
  • others

Benefits of a TLS/SSL Certificate

It’s best practice today to install and configure TLS/SSL certificates on any website, not just those collecting sensitive information.  TLS/SSL website certificates may help websites to:

  • provide visitors with more confidence while visiting the website
  • improve SEO ranking – Google says TLS/SSL gives websites a small ranking benefit
  • work towards GDPR compliance (a new law about privacy and data protection)
  • secure transfers between the clients’ browsers and the web server

Prerequisites

In order to complete this tutorial, you’ll need:

  • a CentOS 7 server running Apache (install Apache with `yum install httpd` if needed)
  • at least one DNS domain name configured to point to the server using an A record

Step 1 – Installing the Software

First, we need to enable the “epel-release” repository and install the certbot package.  The certbot software allows us to request and renew TLS/SSL certificates from the command line (and from the crontab scheduler, to automate renewal).

$ sudo yum install epel-release
$ sudo yum install httpd mod_ssl python-certbot-apache

Step 2 – Registering with Let’s Encrypt

Next, we need to register certbot.  Registration allows us to request and renew certificates.

$ sudo certbot register
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
  (Enter 'c' to cancel): someone@somewhere.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
$

Step 3 – Requesting a Certificate

Next, we can request a certificate using certbot.  In this example, (1) replace www.domain.com with the actual domain for which you’d like to request the certificate, and (2) replace /var/www/html/ with the actual directory of your “webroot.”  The webroot is where you store your HTML files; the letsencrypt.org service will connect to your website over plain HTTP and look for a specific file there to ensure you control the domain before issuing the certificate.  (There are other ways to validate the domain, but this is one of the easiest.)  In many cases you’ll need to run this command more than once: once for www.domain.com, and a second time for domain.com (without the “www” prefix).  There’s a way to request *.wildcard certificates, but that’s outside the scope of this tutorial.  To request a certificate, you can use:

$ sudo certbot certonly --force-renewal --webroot \
> --webroot-path /var/www/html/ -d www.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.domain.com/privkey.pem
   Your cert will expire on 2018-12-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

$

Step 4 – Configuring Apache

Next, we must configure Apache to use the new TLS/SSL certificate.  Once upon a time, each SSL website was required to have its own IP address; this is no longer the case.  Server Name Indication (SNI), which Apache supports, allows multiple TLS/SSL websites to be hosted on the same IP address.

The following is an example TLS/SSL configuration in Apache’s conf.d directory on CentOS 7.  It’s good practice to break out configuration sections into separate files under conf.d.  This is just a sample; you can customize your own configuration.

$ cat /etc/httpd/conf.d/v-ssl-le_www_domain_com.conf
<VirtualHost *:443>
    ServerName www.domain.com:443
    UseCanonicalName off

    DocumentRoot "/var/www/virt/domain.com"

    ErrorLog logs/www.domain.com-ssl_error_log
    TransferLog logs/www.domain.com-ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH

    SSLCertificateFile /etc/letsencrypt/live/www.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem

    # As in the stock CentOS ssl.conf: export the SSL_* variables only to CGI/PHP scripts
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    <Directory "/var/www/html">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    CustomLog logs/www.domain.com-ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
$

Make sure to reload or restart Apache after updating the configuration, for example with the `/bin/systemctl restart httpd.service` command.  Then, you can test the new certificate using the free testing tool at:

  • http://www.ssllabs.com/ssltest/analyze.html?d=www.domain.com

(Replace “www.domain.com” in that link with your actual domain name to check your own website.)

Step 5 – Automating Renewal (Optional)

Finally, the `/usr/bin/certbot renew` command can be used to renew certificates automatically (certificates expire after 90 days).  This command can be added to the system crontab so that certificates are checked for renewal each week, for example.

$ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.domain.com/fullchain.pem expires on 2018-12-24 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$
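The following wrapper script pulls Steps 3 to 5 together for unattended use: it reports how close each certificate under /etc/letsencrypt/live is to expiry, runs `certbot renew`, and reloads Apache only when a certificate was actually replaced.  This is an added example, not code from the original tutorial; the script path /usr/local/sbin/le-renew.sh and the 30-day window are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: a weekly renewal
# wrapper for cron on CentOS 7. Assumes certbot, httpd and the
# /etc/letsencrypt/live layout set up in the steps above; the script
# name /usr/local/sbin/le-renew.sh is an assumption.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_WINDOW_DAYS=30   # matches certbot's own default renewal window

# cert_needs_renewal FULLCHAIN_PEM
# Exit status 0 if the cert expires within RENEW_WINDOW_DAYS, 1 if it is
# still good, 2 if the file is missing or unreadable.
cert_needs_renewal() {
    pem="$1"
    [ -r "$pem" ] || return 2
    # -checkend exits 0 when the cert stays valid for that many more seconds
    if openssl x509 -in "$pem" -noout -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report_expiry LIVE_DIR
# One status line per certificate, useful as the body of the cron mail.
report_expiry() {
    for pem in "$1"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$(dirname "$pem")")
        end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
        if cert_needs_renewal "$pem"; then
            echo "RENEW  $name  expires $end"
        else
            echo "OK     $name  expires $end"
        fi
    done
}

# Renew whatever is due; the deploy hook runs only when a certificate
# was actually replaced, so Apache is not reloaded on every cron run.
run_renewal() {
    /usr/bin/certbot renew --quiet --non-interactive \
        --deploy-hook "/bin/systemctl reload httpd.service"
}

# Crontab entry (sudo crontab -e), Mondays at 03:17:
#   17 3 * * 1 /usr/local/sbin/le-renew.sh --run >> /var/log/le-renew.log 2>&1
case "${1:-}" in
    --run) report_expiry "$LIVE_DIR"; run_renewal ;;
esac
```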

Questions or Feedback?

If this article was helpful, please link to it from your own blog, Twitter account, or otherwise.  Simply copy and paste the URL of this article from your browser to link to it.  If you had trouble completing the tutorial, please leave feedback so we can improve the article.  Of course, you can also leave feedback and share if this article was helpful!  Thanks so much.
