> Download and Install Let’s Encrypt
- Log in as root.
- Update your server’s software packages:
yum update
- Install the git package:
yum install git
- Download a clone of Let’s Encrypt from the official GitHub repository. /opt is a common installation directory for third-party packages, so let’s install the clone to /opt/letsencrypt:
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
- Navigate to the new /opt/letsencrypt directory:
cd /opt/letsencrypt
> Create an SSL Certificate
- Stop the Apache server:
systemctl stop httpd.service
- Run Let’s Encrypt with the --standalone parameter. For each additional domain name requiring a certificate, add -d example.com to the end of the command.
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
Let’s Encrypt does not deploy wildcard certificates. Each subdomain requires its own certificate.
- On the first run, enter your email address and agree to the Terms of Service.
- If all goes well, a message similar to the one below will appear. Its appearance means Let’s Encrypt has approved and issued your certificates.
    IMPORTANT NOTES:
     - If you lose your account credentials, you can recover them through
       e-mails sent to somebody@example.com.
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
       expire on 2016-03-31. To obtain a new version of the certificate in
       the future, simply run Let's Encrypt again.
     - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt, so making regular backups of this folder is ideal.
     - If you like Let's Encrypt, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
       Donating to EFF: https://eff.org/donate-le
- Each key (.pem) file in /etc/letsencrypt/live/example.com/ serves a different purpose:
  - cert.pem: server certificate only.
  - chain.pem: root and intermediate certificates only.
  - fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
  - privkey.pem: private key (do not share this with anyone!).
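The file roles listed above can be checked before Apache is pointed at them. The following is an added example, not part of the original guide: it confirms that cert.pem belongs to privkey.pem, that fullchain.pem is cert.pem followed by chain.pem, that the key is not group or world accessible, and that the certificate is not about to expire. It assumes the openssl command-line tool is installed; the function names are hypothetical and the sample directory is constructed test data.

```shell
# Added example: verify a Let's Encrypt live directory before Apache uses it.
# Function names are hypothetical; requires the openssl command-line tool.

pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }

# check_live_dir DIR [MIN_SECONDS_LEFT]
# Prints one line per problem; returns 0 only if every check passes.
check_live_dir() {
    dir=$1; min_left=${2:-2592000}; rc=0          # default window: 30 days
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # The private key must carry no group/other permission bits.
    # ls -L follows the symlinks that live/ uses to point into archive/.
    perms=$(ls -lL "$dir/privkey.pem" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "privkey.pem is accessible to group or others"; rc=1; }
    # The certificate's public key must be the one derived from privkey.pem.
    [ "$(pubkey_of_cert "$dir/cert.pem")" = "$(pubkey_of_key "$dir/privkey.pem")" ] ||
        { echo "cert.pem does not match privkey.pem"; rc=1; }
    # fullchain.pem must be exactly cert.pem followed by chain.pem.
    cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem" ||
        { echo "fullchain.pem is not cert.pem + chain.pem"; rc=1; }
    # Report certificates that expire inside the window.
    openssl x509 -in "$dir/cert.pem" -noout -checkend "$min_left" >/dev/null ||
        { echo "cert.pem expires within $min_left seconds"; rc=1; }
    return "$rc"
}

# make_sample_dir DIR: constructed test data (a 60-day self-signed certificate,
# copied to chain.pem as a stand-in intermediate), not a real issued certificate.
make_sample_dir() {
    mkdir -p "$1" && (
        cd "$1" && umask 077 &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 60 \
            -subj "/CN=example.com" -keyout privkey.pem -out cert.pem 2>/dev/null &&
        cp cert.pem chain.pem &&
        cat cert.pem chain.pem > fullchain.pem
    )
}

# Usage on a real host: check_live_dir /etc/letsencrypt/live/example.com
```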
> Apply SSL Certificate in Apache
- Add a VirtualHost in /etc/httpd/conf.d/ssl.conf or in another .conf file in /etc/httpd/conf.d/:
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/html/example.com/public_html
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        # chain.pem rather than fullchain.pem: cert.pem above already supplies
        # the server certificate, so it must not be repeated in the chain file.
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    </VirtualHost>
- Restart the Apache server:
systemctl restart httpd.service