Install and Apply Let’s Encrypt SSL Certificates to Apache in CentOS 7

> Download and Install Let’s Encrypt

  • Log in as root
  • Update your server’s software packages:
yum update
  • Install the git package:
yum install git
  • Download a clone of Let’s Encrypt from the official GitHub repository. /opt is a common installation directory for third-party packages, so install the clone to /opt/letsencrypt:
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  • Navigate to the new /opt/letsencrypt directory:
cd /opt/letsencrypt

> Create an SSL Certificate

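  • Stop the Apache server. The --standalone plugin starts its own temporary web server for domain validation, so ports 80 and 443 must be free: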
systemctl stop httpd.service
  • Run Let’s Encrypt with the --standalone parameter. For each additional domain name requiring a certificate, add -d example.com to the end of the command.
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

Let’s Encrypt does not deploy wildcard certificates. Each subdomain requires its own certificate.

  • On the first run, enter your email address and agree to the Terms of Service
  • If all goes well, a message similar to the one below will appear. Its appearance means Let’s Encrypt has approved and issued your certificates.
IMPORTANT NOTES:
- If you lose your account credentials, you can recover them through
 e-mails sent to somebody@example.com.
- Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/example.com/fullchain.pem. Your
 cert will expire on 2016-03-31. To obtain a new version of the
 certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Let's
 Encrypt, so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
  • Each key (.pem) file in /etc/letsencrypt/live/example.com/ serves a different purpose:
    • cert.pem: server certificate only.
    • chain.pem: root and intermediate certificates only.
    • fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
    • privkey.pem: private key (do not share this with anyone!).
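
A quick sanity check of the live directory before Apache is pointed at it, as an added example that is not part of the original post. The function name check_live_dir and the 30-day default are assumptions of this example; it relies on openssl and GNU stat, both present on CentOS 7.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify the four files in a
# Let's Encrypt "live" directory play the roles described above.
# Usage: check_live_dir /etc/letsencrypt/live/example.com 30
check_live_dir() {
    local dir="$1" days="${2:-30}" rc=0 f mode leaf cert_pub key_pub

    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$dir/$f" ] || { echo "MISSING: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The live/ entries are symlinks into archive/, so follow them (-L).
    # The private key must not be readable by group or others.
    mode=$(stat -L -c '%a' "$dir/privkey.pem")
    case "$mode" in
        ?00) ;;
        *) echo "PERMS: privkey.pem is mode $mode, expected 600 or 400"; rc=1 ;;
    esac

    # cert.pem and privkey.pem must carry the same public key.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "MISMATCH: cert.pem does not match privkey.pem"; rc=1; }

    # fullchain.pem must start with the server certificate; chain.pem must not.
    # (openssl x509 reads only the first certificate in a file.)
    leaf=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256)
    [ "$(openssl x509 -in "$dir/fullchain.pem" -noout -fingerprint -sha256)" = "$leaf" ] \
        || { echo "ORDER: fullchain.pem does not start with cert.pem"; rc=1; }
    [ "$(openssl x509 -in "$dir/chain.pem" -noout -fingerprint -sha256)" != "$leaf" ] \
        || { echo "ORDER: chain.pem starts with the server certificate"; rc=1; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$dir/cert.pem" -noout -checkend $((days * 86400)) >/dev/null \
        || { echo "EXPIRY: cert.pem expires within $days days"; rc=1; }

    return "$rc"
}
```

The function prints one line per problem and returns non-zero if any check fails, so it can also gate a cron job that re-runs Let's Encrypt before the certificate expires.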

> Apply SSL Certificate in Apache

  • Add a VirtualHost in /etc/httpd/conf.d/ssl.conf or in another .conf file in /etc/httpd/conf.d/:
<VirtualHost *:443>
 ServerName example.com
 ServerAlias www.example.com
 DocumentRoot /var/www/html/example.com/public_html
 SSLEngine on
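 # Server (leaf) certificate only
 SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
 # Intermediates only: chain.pem, not fullchain.pem, which would repeat the server certificate
 SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem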
</VirtualHost>
  • Restart the Apache server:
systemctl restart httpd.service

 
