
Set Up SSL Letsencrypt with Apache on Linux

Why must you use SSL?

SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide secure communication over a computer network. Its successor, TLS (Transport Layer Security), is what modern web servers actually speak, although "SSL certificate" remains the everyday name.

It allows you to send sensitive information such as credit card numbers, login credentials and browsing data over an encrypted connection, so it cannot be read or altered on the way.

Why Letsencrypt?

The main mission of the Letsencrypt project is to create a more secure and privacy-respecting web by providing free SSL certificates.

Although a Letsencrypt certificate is only valid for 90 days, certificates issued by Letsencrypt are trusted by all major browsers.

In this tutorial, you will learn how to set up and generate an SSL Letsencrypt certificate on a Linux server using certbot with the Apache web server.

Prerequisites

For this tutorial, make sure you have a domain name that resolves to your server's IP address. You also need the Apache web server installed on your system with a virtual host enabled for that domain.

You can use this guide on several Linux distributions, including Ubuntu, Debian, CentOS, RHEL and Fedora.

Before going any further, log in to your server and run the sudo command below to get root privileges on your system.

sudo su

Step 1 – Install Certbot and Certbot Plugin for Apache

Certbot is a command-line tool created by the EFF (Electronic Frontier Foundation) that automatically generates and deploys SSL Letsencrypt certificates.

In this step, install certbot and the certbot Python plugin for the Apache web server on your Linux server.

On Ubuntu/Debian, install certbot and the certbot Python plugin for Apache with the following command.

apt install certbot python-certbot-apache

On CentOS/Fedora/RHEL, download certbot-auto, move it to the ‘/usr/local/bin/’ directory, and make it executable.

wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

You have now installed certbot and its Apache plugin on the Linux server.

Step 2 – Set Up Domain Name on Virtual Host

To generate a new SSL Letsencrypt certificate for Apache, make sure your domain name resolves to your server's IP address and that an Apache virtual host configuration for that domain name is enabled.

Go to the ‘/etc/apache2/sites-available’ directory (on CentOS/RHEL the virtual host files live in ‘/etc/httpd/conf.d’) and edit your Apache virtual host configuration.

cd /etc/apache2/sites-available/
vim yourdomain.conf

Change the ‘ServerName’ value to your domain name.

ServerName yourdomain.com

Save and close.

Next, test the Apache configuration to make sure there are no errors, then restart the Apache service (the service is called ‘httpd’ on CentOS/RHEL).

apachectl configtest
systemctl restart apache2

You have now added your domain name to the Apache virtual host.
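As an added example (not a file from the original tutorial), here is a minimal port-80 virtual host for the placeholder domain yourdomain.com. Certbot's Apache plugin matches the names given with ‘-d’ against ServerName and ServerAlias, so the bare domain and the www name both need to appear here before you run Step 4; the DocumentRoot path is an assumption.

```apache
# Added example, not from the original tutorial: minimal HTTP virtual host
# for the placeholder domain yourdomain.com. Certbot's Apache plugin will
# later create the matching *:443 virtual host and (optionally) the redirect.
<VirtualHost *:80>
    # Both names that will be passed to certbot with -d must be listed here.
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    # Assumed document root; certbot places its HTTP-01 challenge files
    # under /.well-known/acme-challenge/ on this site, so it must be servable.
    DocumentRoot /var/www/yourdomain.com

    <Directory /var/www/yourdomain.com>
        Require all granted
    </Directory>
</VirtualHost>
```

On Debian/Ubuntu, enable the site with ‘a2ensite yourdomain.conf’ before running ‘apachectl configtest’; on CentOS/RHEL a file in ‘/etc/httpd/conf.d/’ is loaded automatically.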

Step 3 – Set Up Firewall

To generate the SSL Letsencrypt certificate, you must open the HTTP and HTTPS ports on the firewall. Letsencrypt validates your domain by connecting to your server over plain HTTP, so port 80 must be reachable from the internet, not only port 443. On Ubuntu use the ufw firewall, and on CentOS use firewalld.

On Ubuntu, add the HTTP and HTTPS services to the ufw firewall using the following command.

for i in http https
do
ufw allow $i
done

On CentOS/RHEL, run the firewall-cmd commands below.

firewall-cmd --add-service={http,https} --permanent
firewall-cmd --reload

You have now added the HTTP and HTTPS services to the firewall.

Step 4 – Generate SSL Letsencrypt with Certbot

In this step, you will generate a new SSL Letsencrypt certificate for the Apache web server using certbot and the certbot Apache plugin.

Generate the certificate with the following command.

certbot --apache -d domain.com -d www.domain.com

The ‘--apache’ option tells certbot to use the Apache plugin.
The ‘-d’ option specifies a domain name. Replace it with your own domain, and for multiple domain names repeat the ‘-d’ option for each one.

– Email Configuration

To generate the SSL Letsencrypt certificate, you need an email address. It is used for renewal and security notifications.

The certificate is only valid for 90 days, so the renewal email notification is very important.

Type your email address for renewal and security notifications and press enter.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

– Letsencrypt Term Of Service Agreement

To accept the Letsencrypt TOS (Terms of Service), type ‘A’.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

– Share Your Email Address with EFF

EFF or Electronic Frontier Foundation is a founding partner of the Letsencrypt project.

If you agree to share your email address with the EFF, type ‘Y’. If you don't want to share it, type ‘N’.

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

– Enable Automatic Redirect HTTP to HTTPS

This feature is part of the certbot Apache plugin: it automatically configures Apache to redirect HTTP requests to the secure HTTPS connection.

To enable the automatic redirect from HTTP to HTTPS, type ‘2’ and press enter to continue.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

– SSL Letsencrypt Successfully Generated

Once the SSL Letsencrypt certificate has been generated successfully, you will get the message below.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://apache2.sysadminjournal.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=apache2.sysadminjournal.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/apache2.sysadminjournal.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/apache2.sysadminjournal.com/privkey.pem
Your cert will expire on 2020-05-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Your SSL certificate files are saved in the ‘/etc/letsencrypt/live/yourdomain.com’ directory. ‘fullchain.pem’ is your certificate and chain, and ‘privkey.pem’ is your private key; keep it readable only by root, since anyone who can read it can impersonate your site.

Step 5 – Testing

To test your SSL Letsencrypt configuration, open your web browser and type your domain into the address bar.

https://apache2.sysadminjournal.com

Your domain is automatically redirected to the secure HTTPS connection.

Step 6 – Set Up Letsencrypt Auto-Renew

To verify that Letsencrypt auto-renewal will work, run the certbot command below.

certbot renew --dry-run

This command simulates the ‘certbot renew’ command (used for certificate renewal) without replacing your certificates. Make sure it reports no errors; you should see the output below.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/apache2.sysadminjournal.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/apache2.sysadminjournal.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.

The certbot package installs a cron job or a systemd timer that runs ‘certbot renew’ automatically; confirm that it is present using the following commands.

ls -lah /etc/cron.*/*
systemctl list-timers

You should see the certbot cron job or timer that automatically renews the SSL certificates. If neither command shows a certbot entry, you need to schedule ‘certbot renew’ yourself.

You have now set up Letsencrypt auto-renewal so that your SSL Letsencrypt certificates are renewed automatically.
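The steps above are interactive. As an added example (not a script from the original tutorial or from the certbot project), the following bash script performs the same procedure non-interactively: every prompt from Step 4 is answered by its certbot command-line flag, the Apache service name is chosen from the distribution's ID in /etc/os-release, the renewal dry run from Step 6 is executed, and a cron job is written only if no certbot timer or cron entry already exists. The email address, domains and the 30-day renewal threshold used by ‘renewal_due’ are assumptions; certbot and GNU date are assumed to be installed, and the script expects to be run as root.

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial: non-interactive version
# of Steps 2, 4 and 6. Assumes certbot and GNU date are installed and that
# the script runs as root. Placeholders: admin@example.com, example.com.
set -euo pipefail

# Map the ID field of /etc/os-release to the Apache service name:
# Debian/Ubuntu call it apache2, CentOS/RHEL/Fedora call it httpd.
apache_service_for() {
    case "$1" in
        debian|ubuntu) echo apache2 ;;
        centos|rhel|fedora|rocky|almalinux) echo httpd ;;
        *) echo "unsupported distribution id: $1" >&2; return 1 ;;
    esac
}

# Build the certbot argument list that answers every prompt of Step 4:
#   email address prompt -> -m EMAIL
#   (A)gree to the TOS   -> --agree-tos
#   (N)o EFF email       -> --no-eff-email
#   2: Redirect          -> --redirect
# -n (non-interactive) makes certbot fail instead of waiting for input.
certbot_issue_args() {
    local email="$1"; shift
    local args="--apache -n --agree-tos --no-eff-email --redirect -m $email"
    local d
    for d in "$@"; do
        args="$args -d $d"
    done
    echo "$args"
}

# Cron line for /etc/cron.d. 'certbot renew' only renews certificates that are
# within 30 days of expiry, so running twice a day is cheap; the deploy hook
# reloads Apache only when a certificate was actually replaced.
renew_cron_line() {
    local service="$1"
    echo "0 */12 * * * root certbot renew --quiet --deploy-hook 'systemctl reload $service'"
}

# Return 0 if a certificate expiring on $1 (YYYY-MM-DD, as printed in the
# "Your cert will expire on" line) is due for renewal on date $2 (YYYY-MM-DD),
# using certbot's default 30-day threshold. Requires GNU date.
renewal_due() {
    local expiry_s now_s days
    expiry_s=$(date -u -d "$1" +%s)
    now_s=$(date -u -d "$2" +%s)
    days=$(( (expiry_s - now_s) / 86400 ))
    [ "$days" -le 30 ]
}

# Full procedure: main EMAIL DOMAIN [DOMAIN...]
main() {
    local email="$1"; shift
    local id service
    id=$(. /etc/os-release && echo "$ID")
    service=$(apache_service_for "$id")

    # Step 2: the virtual host must be valid before certbot edits it.
    apachectl configtest
    systemctl restart "$service"

    # Step 4: obtain the certificate and enable the HTTP->HTTPS redirect.
    # Word splitting of the argument string is intentional here.
    # shellcheck disable=SC2046
    certbot $(certbot_issue_args "$email" "$@")

    # Step 6: prove renewal works, then make sure something schedules it.
    certbot renew --dry-run
    if ! systemctl list-timers --all 2>/dev/null | grep -q certbot \
       && ! grep -rqs certbot /etc/cron.d /etc/crontab; then
        renew_cron_line "$service" > /etc/cron.d/certbot-renew
    fi
}

# Run the procedure only when invoked with an email and at least one domain:
#   ./le-apache.sh admin@example.com example.com www.example.com
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The script deliberately keeps the interactive choices explicit on the command line so they end up in shell history and configuration management rather than in someone's memory; ‘--no-eff-email’ corresponds to answering ‘N’ in Step 4, and ‘--redirect’ to choosing option ‘2’.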
