How To Set Up Let’s Encrypt on CentOS 7

Securing Your Site

In this tutorial, we will be outlining a handy way of getting HTTPS enabled on all of your domains by using SSL’s to provide the first step in that process.

Domains secured with SSL’s are needed more often every day. If you don’t yet have an SSL on your site to encrypt your data passing over the net, you should reconsider this decision. Rather than showing an extra layer of security, modern browsers instead now display a warning when a website does not have an SSL.  This essentially requires sites to maintain a positive image by adding an SSL.

Let’s Encrypt has become a very popular solution for every sized business concerned with securing its connections to its website. To aid in implementing this, we recommend using Certbot. Certbot is a open source, free software tool for automatically installing and renewing SSLs certificates. Certbot implements these SSLs by working closely with Let’s Encrypt, the well known SSL provider, by creating the SSL’s for the server. Best news of all? Let’s Encrypt is completely free!

Pre-Flight Checklist

We will be using CentOS 7 with Apache 2.4, with no control panel installed. We already have VirtualHosts setup for all of our domains (domain.com and domain2.com). We are logged into the server as the root user, and DNS for the domains we are configuring is already pointed towards the server we are working on. Additionally, DNS must be configured to host the sites on the server we are working on since Let’s Encrypt uses DNS to ensure that the server you are working on, and the host of the site, match.

Step 1: Install Packages

The ever-popular EPEL (Extra Packages for Enterprise Linux) repository contains all of the packages we need to install Certbot, so we will set that up first:

yum -y install epel-release

 

Next, we will install the two packages we need to get Let’s Encrypt running: certbot, and the apache connector:

yum -y install certbot python-certbot-apache

Step 2: Obtain Certificates from Let’s Encrypt

We can start the certbot program to initially install our SSLs.

certbot --apache

 

Certbot is an interactive program, which will first ask you to accept their Terms of Service, as well as add a bit of other configuration info before we get to the certificates. You will arrive at this screen, soon after certbot parses your running configuration for hosted domains:

What domain names would you like to activate HTTPS for?
----------------------------------------------------------------
1: domain.com
2: www.domain.com
3: domain2.com
4: www.domain2.com
----------------------------------------------------------------
Select the appropriate numbers separated by commas and/or
spaces, or leave input blank to select all options shown
(Enter 'c' to cancel):


 

Since we want to add certificates to all our domains, we will leave the input blank to operate on all domains. The next question has to do with HTTP access, and whether we want to force all traffic to HTTPS. This is normally a good idea, so we select ‘2’:

Please choose whether or not to redirect HTTP traffic to HTTPS,
removing HTTP access.
----------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
----------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2


 

Certbot will finish the order process, and automatically configure Apache to use them. Finally, it will let you know where your certificates are stored:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2019-07-16. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


Step 3: Test Installation

You should now be able to navigate to your domain normally, and see a secure https:// prefix in your URL bar, along with (depending on your browser) a green lock icon:

 

 

 

 

You can also confirm functionality using our SSL Checker tool.

Step 4: Set Up Auto-Renewal

Now that certbot is installed and working, we need to have it check for expiring certificates automatically. As root, we first open the crontab for our server:

crontab -e

 

In this instance, I’ve added a cron to our example server that looks like this:

45 3 * * 6 /usr/local/letsencrypt/certbot-auto renew && systemctl reload httpd

 

This cron will, at 3:45 AM every Saturday, run the certbot renew function to renew any already-installed certificates that are due to expire, and then reload the Apache configuration. Save the crontab after you add this line, and it will be in effect immediately.

 

Finished!

Congratulations! Your sites are now secured with free SSL certificates!

Final Thoughts To Keep In Mind

• This procedure should be used only on servers that do not have a control panel, such as our Core Managed or Unmanaged CentOS 7 VPS’s and Dedicated Servers or a managed private cloud solutions
• Certificates are usually only valid for 90 days at a time, but since we set up automatic renewal, the certificates will be valid until the domains are removed from the server.
• Also, make sure you use an email that you regularly check because notifications for expiring SSL’s as well as failed renewals will be sent to the email address set up during the certbot install.
• Lastly, new domains added to the server after certbot was run do not automatically get a new SSL! You will need to re-run thecertbot --apachecommand again to set them up.

If you decide to go with one of our Fully Managed VPS servers, you can control Let’s Encrypt via WHM. You will get a useful control panel to easily adjust server settings and, you’ll also get 24/7/365 support from our knowledgeable and talented Support staff!

Still have thoughts or questions? Don’t hesitate to reach out to us by creating a ticket at support@liquidweb.com, opening a chat with us or giving us a call at 1-800-580-4985. We are standing by to assist!