Install Let’s Encrypt on CentOS 7

Today I'm going to show you how to install Let's Encrypt on CentOS 7. Before we begin I am assuming you have CentOS fully patched, have the EPEL Repository installed, have installed and configured Apache and that Apache is running.

You also will need to ensure that you have allowed HTTP and HTTPS traffic through your CentOS firewall. Let's begin...

Connect to your server using Putty or other SSH client. Firstly, we're going to install mod_ssl that enables SSL communications with Apache. To do that type the following at the command line:

yum install mod_ssl

Now we need to install certbot that enables registration and renewals of the SSL certificates. Type the following at the command line:

yum install certbot

Now we need the Apache plugin for certbot. Type the following at the command line:

yum install python-certbot-apache

Now we're ready to start setting up certbot and adding domains for SSL certificates. To add your first certificate type the following at the command prompt (please replace <FQDN> with your domain name, for example www.mydomain.com):

certbot --apache -d <FQDN>

Once you've pressed enter on the above command, ensure that you follow the prompts and answer all the questions outlined by certbot.

Now we'll check that you have the most secure settings on your ssl.conf file which can be located in the following directory: /etc/httpd/conf.d

We need to find the following options SSLProtocol and then SSLCipherSuite. More than likely each of the options will be something similar to the following:

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

Use your favourite text editor like vi or similar to edit the file /etc/httpd/conf.d/ssl.conf file. We need to change the SSLProtocol and SSLCipherSuite options to the following settings:

SSLProtocol TLSv1.1 TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Now that we've completed all the settings we'll need to restart the Apache web server so the changes take effect. To do so type the following commands at the prompt:

systemctl restart httpd

You are now essentially ready to test your newly issued SSL certificate to see whether you've set it up correctly. Open a browser and type your URL into the address field of your favourite browser using HTTPS as the prefix like so:

https://mydomain.com

In the example above, replace mydomain.com with your domain name. If you get a green lock icon next to your URL in the address bar it means you're all set.

One of the downsides to using a Let's Encrypt SSL certificate is that it expires after 90 days and you need to renew it. Luckily there's a way to automatically renew it for you so you don't have to manually log onto your web server and manually run the renew commands.

We're going to do this via a cron job. We can create a cron job by using the following syntax:

crontab -e

Now you will be in the edit screen of the crontab. Press i to commence your edit. If you're not sure how to input the values for a cron job they are broken into 5 segments of time. They are: minute, hour, day of the month, month, day of the week. You can read more about cron settings here...

So if we want to run this task at say 4AM everyday, we would input the following:

0 4 * * * /usr/bin/certbot renew

The asterisks denote that we want it to run on every day of the month, every month and every day of the week. Save your cron job. Now we'll restart the cron daemon like so:

systemctl restart crond

You're all done! Hope this helps getting your websites up and running with SSL and Let's Encrypt!

 

 

 

No Comments Yet.

Leave a comment