
Secure Apache with Let’s Encrypt SSL Certificate on CentOS 8

Securing your web server is always one of the key factors that you should consider before going live with your website. A security certificate is critical for securing traffic sent from web browsers to web servers and in so doing, it’ll inspire users to exchange data with your website in full knowledge that the traffic sent is secured.

In most cases, security certificates are paid for and renewed annually. Let’s Encrypt is a free, open and automated certificate authority whose certificates you can use to encrypt traffic to your site. A certificate expires after 90 days and auto-renews at absolutely no cost.

In this article, we will show you how you can install Let’s Encrypt Certificate with Certbot for Apache web server and later, configure the certificate to renew automatically on CentOS 8.

Prerequisites

Before you get started, ensure that you have the following in place:

1. A CentOS 8 server with the Apache HTTP web server installed and running. Install Apache if it is not yet present, then confirm that it is up and running:

$ sudo dnf install httpd
$ sudo systemctl status httpd

2. A Fully Qualified Domain Name (FQDN) pointing to your web server’s public IP address on your DNS web hosting provider. For this guide, we will use linuxtechwhiz.info pointing to the server’s IP 34.67.63.136.

Step 1. Install Certbot in CentOS 8

Certbot is a client that automates the installation of the security certificate. It fetches the certificate from the Let’s Encrypt certificate authority and deploys it on your web server without much of a hassle.

Certbot is absolutely free and will enable you to install the certificate in an interactive way by generating instructions based on your web server’s configuration.

Before downloading certbot, first, install packages that are necessary for the configuration of an encrypted connection.

$ sudo dnf install mod_ssl openssl

Download certbot using the curl command.

$ sudo curl -O https://dl.eff.org/certbot-auto

Next, move the certbot file to the /usr/local/bin directory and assign the execute file permissions.

$ sudo mv certbot-auto /usr/local/bin
$ sudo chmod 755 /usr/local/bin/certbot-auto

Step 2: Create an Apache Virtual Host

The next step will be to create a virtual host file for our domain – linuxtechwhiz.info. Begin by first creating the document root where you will place your HTML files.

$ sudo mkdir /var/www/linuxtechwhiz.info

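Create a test index.html file as shown. The file is written through sudo tee because a plain shell redirection (>) would run as your unprivileged user and fail.

$ echo "<h1>Welcome to Apache HTTP server</h1>" | sudo tee /var/www/linuxtechwhiz.info/index.html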

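Next, create a virtual host file as shown. The file name must end in .conf, because Apache on CentOS only loads files matching /etc/httpd/conf.d/*.conf.

$ sudo vim /etc/httpd/conf.d/linuxtechwhiz.info.conf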

Append the configuration below.

<VirtualHost *:443>
  ServerName linuxtechwhiz.info
  ServerAlias www.linuxtechwhiz.info
  DocumentRoot /var/www/linuxtechwhiz.info/
  <Directory /var/www/linuxtechwhiz.info/>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /var/log/httpd/www.linuxtechwhiz.info-error.log
  CustomLog /var/log/httpd/www.linuxtechwhiz.info-access.log combined
</VirtualHost>

Save and exit.

Assign the permissions to the Document root as shown.

$ sudo chown -R apache:apache /var/www/linuxtechwhiz.info

For the changes to come into effect, restart the Apache service.

$ sudo systemctl restart httpd

Step 3: Install Let’s Encrypt SSL Certificate on CentOS 8

Now run certbot as shown to commence the installation of Let’s Encrypt certificate.

$ sudo /usr/local/bin/certbot-auto --apache

A number of Python packages will be installed.

After the installation of the packages is successful, certbot will launch an interactive command-line session that will guide you with the installation of Let’s Encrypt certificate.

If all went well, you should get a congratulatory message at the end informing you that your site has been secured using a Let’s Encrypt certificate. Your certificate’s expiry date will also be displayed, which is usually 90 days after deployment.

Now head back to your virtual host file and append the following lines of configuration.

SSLEngine On
SSLCertificateFile    /etc/letsencrypt/live/linuxtechwhiz.info/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/linuxtechwhiz.info/privkey.pem

Save and exit.

The final Apache virtual host configuration will look something like this:

<VirtualHost *:443>
  ServerName linuxtechwhiz.info
  ServerAlias www.linuxtechwhiz.info
  DocumentRoot /var/www/linuxtechwhiz.info/
  <Directory /var/www/linuxtechwhiz.info/>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /var/log/httpd/www.linuxtechwhiz.info-error.log
  CustomLog /var/log/httpd/www.linuxtechwhiz.info-access.log combined
  SSLEngine On
  SSLCertificateFile    /etc/letsencrypt/live/linuxtechwhiz.info/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/linuxtechwhiz.info/privkey.pem
</VirtualHost>
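A port-443 virtual host that lacks the three SSL directives does not serve TLS, so it is worth checking the file before restarting. The script below is an added example, not part of the original guide: lint_tls_vhost, vhost_step2 and vhost_final are names invented here, and the two sample configurations are shortened copies of the Step 2 and final virtual hosts.

```sh
# Added example: report whether each port-443 <VirtualHost> carries the TLS directives.
# Prints "ok" or "missing: ..." per block; reads FILE, or stdin when no FILE is given.
lint_tls_vhost() {
  awk '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }  # directives are case-insensitive
    low ~ /^#/ { next }                                            # ignore comment lines
    low ~ /^<virtualhost[ \t]/ {
      in_vh = 1; engine = cert = key = 0
      tls = (low ~ /:443[ \t>]/)          # only vhosts bound to port 443 are checked
      next
    }
    in_vh && low ~ /^sslengine[ \t]+on([ \t]|$)/        { engine = 1 }
    in_vh && low ~ /^sslcertificatefile[ \t]+[^ \t]/    { cert = 1 }
    in_vh && low ~ /^sslcertificatekeyfile[ \t]+[^ \t]/ { key = 1 }
    low ~ /^<\/virtualhost>/ {
      if (in_vh && tls) {
        miss = ""
        if (!engine) miss = miss " SSLEngine"
        if (!cert)   miss = miss " SSLCertificateFile"
        if (!key)    miss = miss " SSLCertificateKeyFile"
        print (miss == "" ? "ok" : "missing:" miss)
      }
      in_vh = 0
    }
  ' "${1:--}"
}
# Constructed sample inputs: the Step 2 vhost (before certbot) and the final vhost.
vhost_step2() {
  cat <<'EOF'
<VirtualHost *:443>
  ServerName linuxtechwhiz.info
  <Directory /var/www/linuxtechwhiz.info/>
    Options -Indexes +FollowSymLinks
  </Directory>
</VirtualHost>
EOF
}
vhost_final() {
  vhost_step2 | sed '$d'        # same block without its closing tag
  cat <<'EOF'
  SSLEngine On
  SSLCertificateFile    /etc/letsencrypt/live/linuxtechwhiz.info/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/linuxtechwhiz.info/privkey.pem
</VirtualHost>
EOF
}
vhost_step2 | lint_tls_vhost    # missing: SSLEngine SSLCertificateFile SSLCertificateKeyFile
vhost_final | lint_tls_vhost    # ok
```

On the server, pass the real file instead: lint_tls_vhost /etc/httpd/conf.d/linuxtechwhiz.info.conf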

Once again, restart Apache.

$ sudo systemctl restart httpd

Step 4: Verifying the Let’s Encrypt SSL Certificate

To verify that everything is working, launch your browser and visit your server’s IP address. You should now see a padlock symbol at the beginning of the URL.

To get more details, click on the padlock symbol & click on the ‘Certificate’ option on the pull-down menu that appears.

The certificate details will be displayed on the next pop-up window.

Also, you can test your server at https://www.ssllabs.com/ssltest/ and your site should get an ‘A’ grade as shown.

Step 5: Auto-Renew Let’s Encrypt SSL Certificate

A Let’s Encrypt certificate is valid for 90 days only. Usually, the renewal process is carried out by the certbot package, which adds a renew script to the /etc/cron.d directory. The script runs twice daily and will automatically renew any certificate within 30 days of expiry.

To test the auto-renewal process, conduct a dry run test with certbot.

$ sudo /usr/local/bin/certbot-auto renew --dry-run

If no errors were encountered, then it implies you are good to go.
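A dry run shows that renewal can work, not that it is still working months later. The script below is an added example, not part of the original guide: it classifies a certificate file against the 30-day renewal window described above, so a result of "renew" or "expired" means the scheduled renewal has been failing. renewal_status and make_sample_cert are names invented here, and the certificates it generates are throwaway self-signed ones that let it run offline.

```sh
# Added example: classify a certificate against certbot's 30-day renewal window.
# renewal_status CERT [DAYS] prints one of: invalid | expired | renew | ok
renewal_status() {
  cert=$1
  days=${2:-30}                       # window from the text: 30 days before expiry
  # A fullchain.pem holds several certificates; openssl x509 reads the first (the leaf).
  if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
    echo invalid; return 0            # missing, unreadable or not a PEM certificate
  fi
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo expired
  elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    echo renew                        # inside the window: a renewal should already have run
  else
    echo ok
  fi
}

# Constructed test input: a throwaway self-signed certificate valid for DAYS days.
# It stands in for /etc/letsencrypt/live/<domain>/fullchain.pem; it is not a Let's Encrypt cert.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -subj "/CN=linuxtechwhiz.info" -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_sample_cert 90 "$tmp/fresh.pem"    # just issued: 90 days left
  make_sample_cert 10 "$tmp/stale.pem"    # renewal has evidently not happened
  for f in fresh stale absent; do
    printf '%s: %s\n' "$f" "$(renewal_status "$tmp/$f.pem")"
  done
  rm -rf "$tmp"
}
demo
```

On the server, run it as root against the live file: renewal_status /etc/letsencrypt/live/linuxtechwhiz.info/fullchain.pem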

This brings us to the end of this guide. In this guide, we demonstrated how you can use certbot to install and configure the Let’s Encrypt certificate on Apache webserver running on a CentOS 8 system.
