How to use Let's Encrypt with Apache on CentOS 7

Let's Encrypt is a free certificate authority that issues basic, domain-validated SSL/TLS certificates trusted by most browsers. This guide will walk you through installing all of the software required to get Apache serving content over HTTPS in its default configuration. If you have multiple vhosts already set up on your server, Certbot should detect them and the process is mostly the same.

Installing the Required Software

We will first start by installing Apache with SSL support.

yum install httpd mod_ssl

Next, since Certbot is not provided by the stock CentOS repositories, we will need to enable the EPEL repository. Once it is enabled we can install Certbot together with its Apache plugin.

yum install epel-release
yum install python-certbot-apache

Enabling and Starting Apache

Apache needs to be running so that Let's Encrypt can verify that the domain you're generating the certificate for is really under your control (the validation challenge is served through Apache). You must also have your domain's DNS correctly pointing to your server.

systemctl enable httpd
systemctl start httpd

Firewalld

If you have Firewalld running, you will need to run the following commands so that your server can accept incoming HTTP and HTTPS connections. The last command makes the runtime rules permanent so they survive a reboot.

firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent

Requesting a Certificate

We can now request a new certificate from Let's Encrypt. The example below requests a single certificate covering both domain.com and www.domain.com. You will need to change those to your own domain names.

certbot --apache -d domain.com -d www.domain.com

  1. Certbot will ask you for an email address to which it can send important notices (such as expiry warnings). This address is not made public, so you can enter the address you normally use.
  2. You will need to agree to the Let's Encrypt terms of service.
  3. You will be asked if you want to share your email address with the Electronic Frontier Foundation. This one is up to you.
  4. Next you will be asked if you want to redirect all HTTP traffic to HTTPS. Unless you have a reason not to, you should.

You should now have a valid certificate for your site!

Automatic Certificate Renewals

Purchased certificates normally last at least one year; Let's Encrypt certificates only last 90 days. Rather than having to remember to renew your certificate every 3 months, we will set up a cron job that attempts to renew it nightly. Certbot will only actually renew the certificate when it is close to expiring, so running it every night is safe.

crontab -e

Add the following line.

0 0 * * * /usr/bin/certbot renew >> /var/log/certbot-renew.log

This will run Certbot nightly and append its output to /var/log/certbot-renew.log. Check that log occasionally, because a renewal that keeps failing will otherwise go unnoticed until the certificate expires.
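As an added example (not part of the original guide), the wrapper below shows the expiry arithmetic behind Certbot's "only renew when close to expiry" behaviour and classifies the output of `certbot renew` so that a failed renewal produces a non-zero exit status instead of quietly piling up in the log. The summary phrases it matches are assumed to correspond to Certbot's own renew messages, the 30-day threshold is Certbot's default renewal window, and the sample output fed to it is constructed here rather than captured from a real run.

```sh
#!/bin/sh
# Added example, not from the original guide: a small wrapper for the nightly
# "certbot renew" cron job. Assumptions (not from the page): the phrases matched
# in classify_renew_output are Certbot's renew summary lines; 30 days is
# Certbot's default renewal window.

# days_left NOT_AFTER_EPOCH NOW_EPOCH: whole days until the certificate expires
# (negative once it has expired). On a real host the epochs can come from
#   date -d "$(openssl x509 -noout -enddate -in cert.pem | cut -d= -f2)" +%s
# and "date +%s" respectively.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# needs_renewal NOT_AFTER_EPOCH NOW_EPOCH [THRESHOLD_DAYS]: succeeds (0) when
# fewer than THRESHOLD_DAYS (default 30) remain, which is when Certbot renews.
needs_renewal() {
    [ "$(days_left "$1" "$2")" -lt "${3:-30}" ]
}

# classify_renew_output: read "certbot renew" output on stdin and print one of
# skipped / renewed / failed. Exit status is 1 for "failed" so the caller can
# alert. A failure line wins even if another certificate renewed successfully.
classify_renew_output() {
    status=skipped
    while IFS= read -r line; do
        case "$line" in
            *"renewal attempts failed"*|*"could not be renewed"*|*"unexpected error"*)
                status=failed ;;
            *"all renewals succeeded"*|*"successfully renewed"*)
                [ "$status" = failed ] || status=renewed ;;
        esac
    done
    echo "$status"
    [ "$status" != failed ]
}

# Constructed sample output (not captured from a real Certbot run). In the cron
# job you would pipe the real command instead, for example:
#   /usr/bin/certbot renew 2>&1 | tee -a /var/log/certbot-renew.log | classify_renew_output
sample_skipped='Cert not yet due for renewal
No renewals were attempted.'
sample_failed='Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure.
All renewal attempts failed. The following certs could not be renewed:'

printf '%s\n' "$sample_skipped" | classify_renew_output
printf '%s\n' "$sample_failed" | classify_renew_output || echo "alert: renewal failed, check the log"
```

Replacing the bare `certbot renew` in the crontab line with a pipeline through `classify_renew_output` keeps the log file the guide uses while giving cron (or whatever collects job exit codes on your system) a non-zero status to report on failure.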