How to install Let’s Encrypt SSL/TLS Certificate with Apache on CentOS 7


Introduction

Let’s Encrypt is a non-profit Certificate Authority (CA) providing free SSL/TLS Certificates for websites. It is a great initiative taken by the Internet Security Research Group (ISRG) for public benefit. In this tutorial, you will learn to install a Let’s Encrypt SSL Certificate with Apache Web Server on CentOS 7.

1. Prerequisites

  • You need to have CentOS 7 installed as the Base OS.
  • A properly configured “A” record for both your www and non-www domain. For example, if your domain name is www.example.com, you need an A record for www.example.com pointing to your server’s IP address, and another A record for example.com (without www) pointing to the same IP address.
  • Apache Web Server / LAMP Stack installed and a virtual host configured on your CentOS 7 Server. If you have not yet installed Apache Web Server, click here. For the complete LAMP Stack Installation, click here.

2. Installation of Certbot Let’s Encrypt Client

Certbot is a free automated tool developed by the EFF (Electronic Frontier Foundation) which can be used to install free Let’s Encrypt certificates on your OS. The certbot package is available in the EPEL repository of CentOS 7.

Install the EPEL repository of CentOS 7.

yum -y install epel-release

Now you may proceed with the installation of the Certbot Let’s Encrypt client. We will also install two additional packages: python2-certbot-apache (required so that certbot can configure Apache automatically) and mod_ssl (the Apache module required for SSL v3 encryption).

yum -y install certbot python2-certbot-apache mod_ssl

Installation of Certbot and dependencies is complete.

3. Using Certbot to automatically install your SSL Certificates on Apache

We will obtain certificates for both www and non-www domain so that visitors get a secure SSL connection, no matter how they visit your site.

To obtain the free Let’s Encrypt certificate use the following command. Replace “example.com” with your domain name.

certbot --apache -d www.example.com -d example.com

The command will ask you a series of interactive questions as shown in the image below. I am using a sample domain letsencrypt.tuxpedia.net for this tutorial.

Certbot will automatically fetch the Let’s Encrypt SSL Certificates for both your “www” and “non-www” domain and also perform automatic configuration of your virtual host.

Now access your domain via your web browser to verify that your domain has been secured.

4. Common Issues / Troubleshooting

If your certbot command fails or you encounter an error, it is most likely due to one of the following issues:

  1. Your Virtual Host is not configured properly. SOLUTION: You may configure it using this tutorial.
  2. Your Apache HTTP Web Server is not running. SOLUTION: You need to start your httpd web service.
  3. The domain “A” records are not pointing to your server. Because of this, certbot cannot verify that you control the domain, and Let’s Encrypt will not issue a certificate until you prove domain ownership. SOLUTION: Access your DNS settings and add the “A” record, or ask your hosting provider to do this for you.
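The three causes above can be checked before certbot is run at all. The script below is an added example and is not part of the original tutorial or of certbot; it assumes systemctl, dig (from the bind-utils package) and Apache configuration files under /etc/httpd, and takes the bare domain plus the public IP that the A records should point to as its two arguments.

```shell
#!/bin/sh
# preflight.sh: check the three failure causes listed above before running
# `certbot --apache`. Added example, not part of the original tutorial.
# Assumed tools: systemctl, dig (package bind-utils), and Apache config
# files under /etc/httpd (override with APACHE_CONF_DIR).
#
# Usage: sh preflight.sh example.com 203.0.113.10
#        (second argument: the public IP your A records should point to)

APACHE_CONF_DIR="${APACHE_CONF_DIR:-/etc/httpd}"

# Cause 2: httpd must be running, otherwise the HTTP-01 challenge that
# Let's Encrypt sends to port 80 goes unanswered.
httpd_running() {
    systemctl is-active --quiet httpd
}

# Print the IPv4 A records of host $1, one per line (nothing if none).
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Return 0 if IP $2 appears in the whitespace-separated list $1.
ip_in_list() {
    for ip in $1; do
        [ "$ip" = "$2" ] && return 0
    done
    return 1
}

# Cause 3: every name we request must resolve to this server.
dns_points_here() {
    ip_in_list "$(resolve_a "$1")" "$2"
}

# Cause 1: a vhost under $2 (a file or a directory) must declare name $1
# as ServerName or ServerAlias (an optional :port is tolerated), or the
# Apache plugin has no vhost to attach the certificate to.
vhost_declares() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    grep -rqE "^[[:space:]]*Server(Name|Alias)([[:space:]]+[^[:space:]]+)*[[:space:]]+$escaped(:[0-9]+)?([[:space:]]|$)" "$2"
}

main() {
    domain=$1
    server_ip=$2
    status=0
    if httpd_running; then
        echo "OK   httpd is running"
    else
        echo "FAIL httpd is not running (systemctl start httpd)"
        status=1
    fi
    for name in "$domain" "www.$domain"; do
        if dns_points_here "$name" "$server_ip"; then
            echo "OK   $name resolves to $server_ip"
        else
            echo "FAIL $name does not resolve to $server_ip (got: $(resolve_a "$name" | tr '\n' ' '))"
            status=1
        fi
        if vhost_declares "$name" "$APACHE_CONF_DIR"; then
            echo "OK   a vhost declares $name"
        else
            echo "FAIL no ServerName/ServerAlias for $name under $APACHE_CONF_DIR"
            status=1
        fi
    done
    return "$status"
}

# Only run the checks when both arguments are given.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

The script exits non-zero if any check fails, so it can sit in front of the certbot call in a deployment script; the DNS check is deliberately run for both the bare and the www name because the tutorial requests a certificate covering both.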

5. Using --dry-run for Certbot

It is very important to understand that Let’s Encrypt is a very busy service and receives thousands if not millions of requests for new SSL Certificates daily. If there is any problem in your configuration, Let’s Encrypt might temporarily ban you from requesting certificates through their service. To avoid this scenario you can use the “--dry-run” flag provided by Certbot. This flag checks if you are eligible for a certificate using an alternate Let’s Encrypt server and does not fetch the actual certificate.

certbot --apache --dry-run -d www.example.com -d example.com

Once the above command goes through without any errors, you may proceed with Step 3 of this article.

6. Conclusion

In this tutorial, we learned how to install a Let’s Encrypt SSL Certificate with Apache on your CentOS 7 Server. Please keep in mind that a Let’s Encrypt SSL Certificate is valid for only 90 days, and you need to renew the certificate at least 30 days in advance so that your visitors do not encounter any issues.
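Certbot stores the certificates it obtained under /etc/letsencrypt/live/<domain>/ and renews whatever is due with `certbot renew`. The script below is an added example, not part of the original tutorial or of certbot: it reports whether a deployed certificate is already inside the 30-day renewal window (using openssl) and, on request, installs a daily cron job that runs `certbot renew`. The cron schedule, the httpd reload hook and the cron file name are assumptions.

```shell
#!/bin/sh
# renewal.sh: report whether a Let's Encrypt certificate is inside the
# 30-day renewal window and optionally install a daily `certbot renew` job.
# Added example, not part of the original tutorial. Assumes certbot's
# standard layout /etc/letsencrypt/live/<domain>/cert.pem and openssl.
#
# Usage: sh renewal.sh example.com          # report only
#        sh renewal.sh example.com install  # also write /etc/cron.d/certbot-renew

RENEW_WINDOW_DAYS=30          # certificates last 90 days; renew in the last 30
CRON_FILE=/etc/cron.d/certbot-renew   # assumed location for the cron job

# Return 0 if the certificate in file $1 expires within $2 days,
# 1 if it does not, 2 if $1 cannot be read as a certificate.
cert_expires_within() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    # -checkend succeeds only if the certificate is still valid after N seconds
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1 && return 1
    return 0
}

# Print the notAfter date of certificate $1 for human inspection.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Report on the live certificate for domain $1.
report() {
    cert="/etc/letsencrypt/live/$1/cert.pem"
    rc=0
    cert_expires_within "$cert" "$RENEW_WINDOW_DAYS" || rc=$?
    case $rc in
        0) echo "RENEW  $1 expires $(cert_not_after "$cert"); run: certbot renew" ;;
        1) echo "OK     $1 valid until $(cert_not_after "$cert")" ;;
        *) echo "ERROR  cannot read $cert"; return 1 ;;
    esac
}

# Install a cron job so renewal does not depend on someone remembering.
# `certbot renew` only touches certificates inside the renewal window, so
# running it daily is safe; httpd is reloaded after a successful renewal.
install_cron() {
    cat > "$CRON_FILE" <<'EOF'
# Added by renewal.sh: renew Let's Encrypt certificates that are due
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 3 * * * root certbot renew --quiet --post-hook "systemctl reload httpd"
EOF
    echo "installed $CRON_FILE; test the renewal path first with: certbot renew --dry-run"
}

if [ "$#" -ge 1 ]; then
    report "$1" || exit 1
    if [ "${2:-}" = "install" ]; then
        install_cron
    fi
fi
```

Run `certbot renew --dry-run` once by hand before relying on the cron job: it exercises the same renewal path against the alternate Let’s Encrypt server described in Step 5, so a broken vhost or DNS change shows up without touching the real certificate.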

Thank you for going through this tutorial. Your comments and suggestions are most welcome.
