
How to install Let’s Encrypt SSL on LAMP CentOS 7

Let’s Encrypt is a free Certificate Authority that provides free SSL/TLS certificates for your domain. This guide shows how to install a Let’s Encrypt SSL certificate on a LAMP server running CentOS 7. Let’s Encrypt provides the Certbot tool to obtain and install TLS/SSL certificates automatically on both Apache and Nginx web servers. Each certificate is valid for 90 days, so you will need to renew it before it expires. Let’s Encrypt is a nonprofit certificate authority managed by the Internet Security Research Group. Its main aim is to create a more secure and privacy-respecting Web through the adoption of HTTPS.

In this tutorial, we will learn how to install an SSL on a LAMP server with Let’s Encrypt on CentOS 7.

Requirements

  • One server running LAMP on CentOS 7.
  • Root access to set up on your server.
  • A valid domain name pointed to your LAMP.


Getting Started

Before starting, it is recommended to update your system’s packages to the latest version. You can update them by running the following command:

yum update -y


Next, you will need to disable SELinux on your system. You can do this by editing the /etc/selinux/config file:

nano /etc/selinux/config


Change the line starting with SELINUX= as follows:

SELINUX=disabled


Save and close the file when you are finished. Then restart your system to apply the configuration changes.


Install Certbot Client

You will need to install the Certbot Let’s Encrypt client on your server. Certbot is a simple, easy-to-use tool for installing and managing SSL certificates. The Certbot package is not available in the default CentOS 7 repository, so you will need to install the EPEL repository on your system. You can install it with the following command:

yum install epel-release


Next, install the Certbot client and other packages with the following command:

yum install certbot python2-certbot-apache mod_ssl


Once the installation has been completed successfully, you can proceed to fetch and install the SSL certificate for your domain.


Install the Let’s Encrypt SSL Certificate for Your Domain

Now, fetch and install a Let’s Encrypt SSL certificate for your domain (blog.linuxbuz.com in this example; substitute your own domain for blog.yourdomain.com in the command):

certbot --apache -d blog.yourdomain.com


You will need to provide an email address and agree to the terms of service:

 Saving debug log to  /var/log/letsencrypt/letsencrypt.log
 
 Plugins selected: Authenticator apache, Installer apache
 
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): your@yourdomain.com
 
 Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 (A)gree/(C)ancel: A

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 (Y)es/(N)o: Y

 Starting new HTTPS connection (1): supporters.eff.org
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for blog.yourdomain.com
 Waiting for verification...
 Cleaning up challenges
 Created an SSL vhost at /etc/httpd/conf.d/blog.yourdomain.com.conf
 Deploying Certificate to VirtualHost /etc/httpd/conf.d/blog.yourdomain.com.conf


Next, you will need to choose whether or not to redirect HTTP traffic to HTTPS:

 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 1: No redirect - Make no further changes to the webserver configuration.
 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2


Select option 2 and hit ENTER.

Once the installation is completed successfully, you should see the following output:

 Redirecting vhost in /etc/httpd/conf.d/blog.linuxbuz.conf to ssl vhost in /etc/httpd/conf.d/blog.linuxbuz-le-ssl.conf

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Congratulations! You have successfully enabled https://blog.linuxbuz.com
 You should test your configuration at:
 https://www.ssllabs.com/ssltest/analyze.html?d=blog.linuxbuz.com
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.yourdomain.com/privkey.pem

 - Your cert will expire on 2019-10-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Now, open the following link in your preferred web browser to check your SSL certificates: https://www.ssllabs.com/ssltest/analyze.html


Configure Automatic Certificate Renewal

Let’s Encrypt certificates expire after 90 days, so you will need to renew them before the expiry date to avoid any problems.

You can renew the certificates with the following command:

certbot renew


You can also automate the renewal process by setting up a cron job.

To do so, edit the crontab with the following command:

crontab -e


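Add the following line. A crontab opened with crontab -e belongs to the current user and has no user field, so the command follows the schedule directly:

52 10 * * * /usr/bin/certbot renew >/dev/null 2>&1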


Save and close the file. The above job will run every day at 10:52.
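
Because the cron job above sends all of Certbot's output to /dev/null, a failing renewal goes unnoticed until the certificate expires. The following check is an added example, not part of the original tutorial: it reads a certificate's expiry date and flags it when fewer than 20 days remain. The function names and the 20-day threshold are assumptions, and it relies on GNU date as shipped with CentOS 7.

```sh
# Added example, not from the original tutorial. The function names and the
# 20-day threshold are assumptions; "certbot renew" normally replaces a
# certificate about 30 days before expiry, so fewer than 20 days remaining
# suggests that scheduled renewals are failing.

# Classify one line of "openssl x509 -noout -enddate" output.
#   $1  line such as "notAfter=Oct 22 00:00:00 2019 GMT"
#   $2  reference time in epoch seconds (default: now)
#   $3  warning threshold in days (default: 20)
# Prints OK / WARN / EXPIRED / UNPARSEABLE and returns 0 only for OK.
renewal_status() {
    enddate=${1#notAfter=}
    now=${2:-$(date +%s)}
    warn_days=${3:-20}
    # GNU date treats an empty string as "today", so reject it explicitly.
    if [ -z "$enddate" ]; then echo "UNPARSEABLE"; return 2; fi
    end=$(date -u -d "$enddate" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
    if [ "$end" -le "$now" ]; then echo "EXPIRED"; return 1; fi
    days=$(( (end - now) / 86400 ))
    if [ "$days" -lt "$warn_days" ]; then echo "WARN ${days}d"; return 1; fi
    echo "OK ${days}d"
}

# Read the expiry date from a certificate file and classify it.
check_cert_file() {
    line=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || { echo "UNREADABLE"; return 2; }
    renewal_status "$line"
}

# Typical use from a monitoring job, with the path Certbot printed above:
#   check_cert_file /etc/letsencrypt/live/blog.yourdomain.com/fullchain.pem
```

A non-zero exit status from check_cert_file can be wired into whatever alerting the server already uses.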


Conclusion

In this tutorial, we have learned how to secure an Apache web server with a free Let’s Encrypt SSL certificate on CentOS 7. I hope you can now easily secure your web server with Let’s Encrypt.