how-to-use-lets-encrypt-with-apache-on-centos7 [2017-11-28 11:55:01] (current)
shaun.reitan created
====== How to use Let's Encrypt with Apache on CentOS 7 ======

Let's Encrypt is a free SSL provider that allows you to generate basic SSL certificates that will validate correctly with most browsers. This guide will walk you through installing all of the software required to get Apache serving content over HTTPS in its default configuration. If you already have multiple vhosts set up on your server, Certbot should detect them and the process is mostly the same.

===== Installing the Required Software =====

We will first start by installing Apache with SSL support.

<code console>
yum install httpd mod_ssl
</code>

Next, since Certbot is not provided by the CentOS repository, we will need to enable the EPEL repo. Once it is enabled we can install Certbot.

<code console>
yum install epel-release
yum install python-certbot-apache
</code>

===== Enabling and Starting Apache =====

Apache needs to be running so that Let's Encrypt can verify that the domain you're generating the certificate for is really under your control. You must also have your domain correctly pointing to your server.

<code console>
systemctl enable httpd
systemctl start httpd
</code>

===== Firewalld =====

If you have Firewalld running, you will need to run the following commands to allow your server to receive and send HTTP and HTTPS requests.

<code console>
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent
</code>

===== Requesting a Certificate =====

We can now request a new certificate from Let's Encrypt. The example below attempts to generate a certificate for domain.com and www.domain.com. You will need to change those to your own domain.

<code console>
certbot --apache -d domain.com -d www.domain.com
</code>

  - Certbot will ask you for an email address to send important notices to. This email address is not made public, so you can enter an address that you use normally.
  - You will need to agree to the Let's Encrypt terms of service.
  - You will be asked if you want to share your email address with the Electronic Frontier Foundation. This one is up to you.
  - Next you will be asked if you want to redirect all HTTP traffic to HTTPS. Unless you have a reason not to, you should.

You should now have a valid certificate for your site!

===== Automatic Certificate Renewals =====

Purchased certificates normally last at least one year. Let's Encrypt certificates only last 90 days. Rather than having to remember to renew your certificate every 3 months, we will set up a cron job that will attempt to renew it nightly. Certbot is smart in that it will not renew the certificate unless it is about to expire.

<code console>
crontab -e
</code>

Add the following line.

<code console>
0 0 * * * /usr/bin/certbot renew >> /var/log/certbot-renew.log
</code>

This will run Certbot nightly and log the output to /var/log/certbot-renew.log
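The cron line above runs certbot once a night and appends whatever it prints to the log. The wrapper below is an added example, not part of the original page: it does the same job but also records how many days of validity each live certificate has left (so the log shows at a glance whether a renewal is overdue) and reloads Apache only when certbot actually replaced a certificate. The install path /usr/local/sbin/certbot-renew.sh, the LOG_FILE and CERTBOT variables and the 30-day threshold are assumptions; 30 days matches certbot's own default renewal window.

```shell
#!/bin/sh
# certbot-renew.sh: nightly renewal wrapper for the cron job in the guide.
# Added example, not from the original wiki page. The install path, the
# variables below and the 30-day threshold are assumptions.
set -eu

RENEW_THRESHOLD_DAYS=30
LOG_FILE="${LOG_FILE:-/var/log/certbot-renew.log}"
CERTBOT="${CERTBOT:-/usr/bin/certbot}"

# Print the number of whole days until the certificate file in $1 expires.
# openssl prints a line such as "notAfter=Nov 28 11:55:01 2018 GMT"; GNU
# date -d (the date shipped with CentOS 7) parses that string directly.
days_until_expiry() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -d "$not_after" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed (exit 0) when a certificate with $1 days of validity left is due
# for renewal. Let's Encrypt certificates last 90 days; renewing with 30
# left leaves room for several failed nightly attempts before the site breaks.
needs_renewal() {
    [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# Append one timestamped line to the renewal log.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Record the state of every live certificate, then let certbot renew whatever
# is due. --deploy-hook runs only when a certificate was actually replaced,
# so Apache picks up the new key and chain without a reload on every run.
main() {
    for cert in /etc/letsencrypt/live/*/cert.pem; do
        [ -f "$cert" ] || continue
        days=$(days_until_expiry "$cert")
        if needs_renewal "$days"; then
            log "$cert: $days days left, renewal due"
        else
            log "$cert: $days days left"
        fi
    done
    "$CERTBOT" renew --quiet --deploy-hook "systemctl reload httpd" >> "$LOG_FILE" 2>&1 \
        || log "certbot renew exited with status $?"
}

# Only touch certbot when invoked with "run", so the helper functions above
# can be sourced and checked on their own.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Install it as /usr/local/sbin/certbot-renew.sh, make it executable, and point the cron line at `/usr/local/sbin/certbot-renew.sh run` instead of calling certbot directly. The certbot documentation also recommends running the renewal at a random minute within the hour (and ideally twice a day) rather than exactly at midnight, so that Let's Encrypt is not hit by a burst of renewals from everyone who copied the same cron line.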