Secure Apache with let's encrypt free SSL certificate

If you are looking for an SSL certificate for your web server to ensure privacy in communication, Let's Encrypt is the best option you have. It is a totally free, automated, and open Certificate Authority that lets you obtain the free SSL/TLS certificates needed for secure web browsing, and it issues Domain Validated (DV) certificates at no cost.

This tutorial will guide you through installing the free SSL certificate on your web server. The guide is based on CentOS 7, and the same steps apply on RedHat as well.

Basic Requirements

  1. A public registered domain name (the domain's "A" record should point to the server IP)
  2. Apache web server and the SSL module installed on CentOS 7
  3. An SSH client to access the server (here I used PuTTY as the SSH client)

Step 1: Install Apache and mod_ssl module

First, connect to your server locally or over SSH and switch your user account to root.


su

(switches the user account to root)

If you don't have Apache and mod_ssl on your server, run the following command in the terminal to install them.


yum install -y httpd mod_ssl

Once the Apache and mod_ssl installation is done, run the following commands to start the service and enable it at boot.


systemctl start httpd


systemctl enable httpd

To check that the server has started, run the command below to verify the status of Apache; it will list all associated processes.


systemctl status httpd

Step 2: Create a sample web site

Now our Apache web server is up and running, but it is a fresh installation with no website configured yet. Hence we need to create a sample website for testing purposes: either create one with the following command or upload your own website to the /var/www/html document root directory.


echo "SSL Testing" > /var/www/html/index.html

Step 3: Configuring Firewall

CentOS 7 has a local Linux firewall (firewalld), and we need to allow HTTP and HTTPS traffic through it. Otherwise it will block all incoming and outgoing traffic on your web server except SSH traffic.

You can check whether the firewall is up or not by running the following command.


systemctl status firewalld

If it is not enabled by default, run the following two commands to start and enable the firewalld service.


systemctl start firewalld


systemctl enable firewalld

Once the firewalld service is running, you need to allow HTTP and HTTPS traffic on your server. Execute the following commands to allow the traffic.


firewall-cmd --zone=public --add-service=http --permanent


firewall-cmd --zone=public --add-service=https --permanent

Then, to apply these two firewall rules, reload the firewalld service on your server and list the active rules to confirm they are in place.


firewall-cmd --reload


firewall-cmd --list-all

At this point we are ready to check our web server; we just want to confirm it is up and running. Open your web browser, type your domain name and hit enter. It should show the output you expect.

If you try to access it over https, the browser will warn about the self-signed certificate and ask you to add an exception before continuing to your website. Ignore it for now and move on to the next step.

Step 4: Install epel-release and Certbot application

Let's Encrypt requires the Certbot application to install the SSL certificate, and to install the Certbot package you first need to add the EPEL repository on your server. Run the command below in your terminal to install the EPEL repository.


yum install -y epel-release

Now that the EPEL repository is added, you can go ahead and install the Certbot package.


yum install -y certbot

Certbot has a few different plugins that can automatically update the configuration of the web server you are using. Since we are using the Apache web server, we need to install the Apache Certbot plugin. You can search for the right package with the following command:


yum search certbot

Then install the exact package you need.


yum install -y python2-certbot-apache

Step 5: Install Let’s encrypt SSL certification

Now let's configure SSL for your domain name; here we use the certbot command to configure the domain with Apache. Run the command below to start the SSL configuration.


certbot --apache -d (your domain name)

Hit enter; it will ask a few questions, and you have to answer each one to complete the process.

Enter your email address and hit enter.

Read the terms of service, type "A" to agree, and hit enter.

Type "N" and hit enter; if you want to share your email address, you can choose Yes instead.

Here the Certbot utility is trying to figure out where the Apache configuration files are stored and asks which virtual host the certificate should be installed in. We have only one option right now, so type "1" and hit enter to continue.

It will ask the same question again; answer it the same way.

Now it asks you to choose between two options; choose the "Secure" option, because it will redirect all HTTP traffic to HTTPS.

When you have answered these questions, you will get the confirmation output, and you will find all configuration files related to Let's Encrypt in the /etc/letsencrypt/live directory.

Now you can verify the SSL certificate in your web browser: open the browser and go to your website.

There are a couple of automated ways to handle SSL certificate renewal; choose one of them. One way is to create a cron job: run "crontab -e" in your terminal, enter the lines below and save the file.


crontab -e


# SSL Cert Renew
0 0 * * * /usr/bin/certbot renew &> /var/log/certbotrenew.log

To save the cron job, hit "Esc", type ":wq!" and hit enter. You can verify the scheduled cron job by running the command below.


crontab -l

The second way is to schedule renewal automatically using systemd timers; the certbot package includes a certbot-renew systemd service. Enable this service by executing the commands below.


systemctl enable certbot-renew.service


systemctl start certbot-renew.service

After that you need to enable the systemd timer; run the following commands to enable and start it.


systemctl enable certbot-renew.timer


systemctl start certbot-renew.timer

You can check the timers by running the command below.


systemctl list-timers
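As an added example (not part of the original tutorial), a small bash script to verify the result of the steps above: it reads the expiry date of the certificate Apache actually serves, works out how many days remain before the cron job or timer must renew it, and confirms the HTTP to HTTPS redirect. It assumes openssl and curl are installed and that you pass your own domain name; the date arithmetic is done in shell so it does not depend on GNU date.

```shell
#!/bin/bash
# Added example (not from the tutorial): check the certificate Apache now serves and
# how many days remain before the cron job or systemd timer must renew it.
# Assumes bash with openssl and curl installed; you supply your own domain name.
# Days since 1970-01-01 for a civil date (y m d); avoids depending on "date -d".
days_from_civil() {
  local y=$1 m=$2 d=$3 era yoe mp doy doe
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$(( y / 400 ))
  yoe=$(( y - era * 400 ))
  mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}
# Parse an "notAfter=Jun 15 12:00:00 2024 GMT" line (openssl x509 -enddate output)
# and print the days left relative to now_days (days since the epoch).
days_until_expiry() {
  local now_days=$2 mnum
  set -- ${1#notAfter=}   # positional parameters: Mon DD HH:MM:SS YYYY GMT
  case "$1" in
    Jan) mnum=1;;  Feb) mnum=2;;  Mar) mnum=3;;  Apr) mnum=4;;
    May) mnum=5;;  Jun) mnum=6;;  Jul) mnum=7;;  Aug) mnum=8;;
    Sep) mnum=9;;  Oct) mnum=10;; Nov) mnum=11;; Dec) mnum=12;;
    *) return 1;;
  esac
  echo $(( $(days_from_civil "$4" "$mnum" "$2") - now_days ))
}
# Expiry line of the certificate the live server presents for this name (SNI).
served_not_after() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate
}
# Succeeds when plain HTTP redirects to HTTPS (certbot's "Secure" choice above).
http_redirects_to_https() {
  curl -sI --max-time 10 "http://$1/" | grep -qi '^location: https://'
}
check_site() {
  local domain=$1 left
  left=$(days_until_expiry "$(served_not_after "$domain")" \
         "$(( $(date -u +%s) / 86400 ))") || return 2
  echo "$domain: certificate expires in $left days"
  # Let's Encrypt certificates last 90 days and certbot renews below 30, so
  # fewer than 30 days left means the scheduled renewal is not running.
  [ "$left" -lt 30 ] && echo "WARNING: renewal overdue, check the cron job/timer"
  http_redirects_to_https "$domain" && echo "HTTP -> HTTPS redirect OK"
  return 0
}
# Usage: ./check-cert.sh yourdomain.example (does nothing without an argument)
if [ $# -gt 0 ]; then check_site "$1"; fi
```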

Finally, we have completed the free SSL certificate installation. That's it 😊