How to Install Let’s Encrypt with Apache on CentOS 7

In this tutorial, we will show you how to install the Let’s Encrypt client on your CentOS 7 VPS and issue an SSL certificate for your domain.

Improving your website security through SSL encryption can increase your visitors’ trust in your website. In the past, setting up SSL encryption on a website was a complicated task. However, Let’s Encrypt is a free and open source certificate authority (CA) that allows obtaining and installing certificates through simple, automated commands. Thanks to them, setting up encryption and increasing the security of your site is made a lot easier. Let’s Encrypt provides a valid SSL certificate for your domain without any cost and can be used for production/commercial use as well.

Let’s begin with the installation – it’s a simple install, and it won’t take long at all.

Prerequisites

  • For the purposes of this tutorial, we will use a CentOS 7 VPS.
  • Full SSH root access or a user with sudo privileges is also required.
  • A valid domain name pointed to your server’s IP address. In this tutorial we will use domain.com.

Step 1: Connect via SSH and Update the OS

Connect to your server via SSH as the root user using the following command:

ssh root@IP_ADDRESS -p PORT_NUMBER

Remember to replace “IP_ADDRESS” and “PORT_NUMBER” with your server’s respective IP address and SSH port number.

Before starting with the installation, you will need to update your OS packages to their latest versions. It’s easy to do, and it won’t take more than a few minutes.

You can do this by running the following command:

yum update

Once the updates are completed, we can move on to the next step.

Step 2: Install LAMP Stack

We need to install the LAMP stack on the server. It consists of Linux (which we already have), Apache, MySQL, and PHP. We can install it by running the following command:

yum install httpd mariadb-server php php-cli php-common

Once all the packages are installed, start the Apache and MariaDB services:

systemctl start httpd
systemctl start mariadb

Enable them to start on server boot with the following command:

systemctl enable httpd
systemctl enable mariadb

Step 3: Configure Apache

We need to create a new Apache configuration file. We can create it with the following command:

nano /etc/httpd/conf.d/domain.com.conf

Add the following lines:

<VirtualHost *:80>
    ServerAdmin admin@domain.com
    DocumentRoot "/var/www/html"
    DirectoryIndex index.html
    ServerName domain.com
    ErrorLog "/var/log/httpd/domain.com.error_log"
    CustomLog "/var/log/httpd/domain.com.access_log" common
</VirtualHost>

Save and close the file.

Then, create an index.html file for testing purposes with the following command:

nano /var/www/html/index.html

Add the following lines:

<html>
Test - Welcome to The Apache Web Server.
</html>

Save the file and change owner of the ‘/var/www/html/index.html’ file to the Apache user so Apache can read the file:

chown -R apache:apache /var/www/html/index.html

Remember to change domain.com with your actual domain name.
Now that we have Apache installed we can continue and install certbot.

Step 4: Install Certbot

We need to install Certbot and enable the mod_ssl Apache module on the server. Certbot is a simple and easy to use tool that simplifies server management by automating obtaining certificates and configuring web services to use them.

By default, Certbot package is not available in the CentOS 7 default OS repository. We need to enable the EPEL repository, then install Certbot.

To add the EPEL repository run the following command:

yum install epel-release

Once enabled, install all the required packages with the following command:

yum install certbot python2-certbot-apache mod_ssl

Once installed, we can proceed to the next step.

Step 5: Obtain and Install SSL for Your Domain

Now that Certbot is installed, you can use it to obtain and install an SSL certificate for your domain.

Simply run the following command to obtain and install an SSL certificate for your domain:

certbot --apache -d domain.com

We can also install a single certificate for multiple domains and subdomains hosted on the server with the ‘-d’ flag, e.g.:

certbot --apache -d domain.com -d www.domain.com -d domain2.com -d test.domain2.com

We will be asked to provide an email address and agree to the terms of service.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@domain.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/domain.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/domain.com-le-ssl.conf

Type Y and hit [Enter], and you should see the following output:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Here, you need to choose any one option to continue. If you choose option 1, it will only download an SSL certificate and you need to configure Apache manually to use SSL certificate. If you choose option 2, it will automatically download and configure Apache to use SSL certificate. In this case, choose option 2 and hit [Enter]. When the installation is successfully finished, you will see a message similar to this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com-0001/privkey.pem
Your cert will expire on 2019-10-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

The generated certificate files are available in the /etc/letsencrypt/live/domain.com directory. You can check the newly created SSL certificate with the following command:

ls /etc/letsencrypt/live/domain.com/

You should see the following output:

cert.pem chain.pem fullchain.pem privkey.pem

Step 6: Check Your SSL Certificate

Open your web browser and type the URL https://domain.com .  To check the SSL certificate in Chrome, click on the padlock icon in the address bar for https://domain.com and from the pop-up box, click on ‘Valid’ under the ‘Certificate’ prompt.

Step 7: Set up Automatic Renewal

By default, Let’s Encrypt certificates are valid for 90 days, so it is recommended to renew the certificate before it expires. Ideally it would be best to automate the renewal process to periodically check and renew the certificate.

We can test the renewal process manually with the following command.

certbot renew --dry-run

The above command will automatically check the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

We can also add a cronjob to automatically run the above command twice a day.

To do so, edit the crontab with the following command:

crontab -e

Add the following line:

* */12 * * * root /usr/bin/certbot renew >/dev/null 2>&1

Save and close the file.

Congratulations! We have successfully installed and configured Let’s Encrypt with Apache on a CentOS 7 VPS.


Of course, you don’t have to Install Let’s Encrypt on CentOS 7 if you use one of our managed VPS hosting plans, in which case you can simply ask our expert Linux admins to install Let’s Encrypt on your CentOS 7 VPS for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on how to Install Let’s Encrypt on CentOS 7, or if you found it helpful, please share it with your friends on social networks using the share buttons, or simply leave a reply below. Thanks.

2 thoughts on “How to Install Let’s Encrypt with Apache on CentOS 7”

Leave a Comment