Posted in apache, linux, ssl

Install and Apply Let’s Encrypt SSL Certificates to Apache in CentOS 7

> Download and Install Let’s Encrypt

  • Login as root
  • Update your server’s software packages:
yum update
  • Install the git package:
yum install git
  • Download a clone of Let’s Encrypt from the official GitHub repository. /opt is a common installation directory for third-party packages, so let’s install the clone to /opt/letsencrypt:
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  • Navigate to the new /opt/letsencrypt directory:
cd /opt/letsencrypt

> Create an SSL Certificate

  • Stop the Apache server so that the standalone plugin can listen on the web ports itself:
systemctl stop httpd.service
  • Run Let’s Encrypt with the --standalone parameter. For each additional domain name requiring a certificate, add -d example.com to the end of the command.
./letsencrypt-auto certonly --standalone -d example.com -d www.example.com

Let’s Encrypt does not deploy wildcard certificates. Each subdomain requires its own certificate.

  • On the first run, enter your email address and agree to the Terms of Service
  • If all goes well, a message similar to the one below will appear. Its appearance means Let’s Encrypt has approved and issued your certificates.
IMPORTANT NOTES:
- If you lose your account credentials, you can recover them through
 e-mails sent to somebody@example.com.
- Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/example.com/fullchain.pem. Your
 cert will expire on 2016-03-31. To obtain a new version of the
 certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Let's
 Encrypt, so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
  • Each key (.pem) file in /etc/letsencrypt/live/example.com/ serves a different purpose:
    • cert.pem: server certificate only.
    • chain.pem: root and intermediate certificates only.
    • fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
    • privkey.pem: private key (do not share this with anyone!).

> Apply SSL Certificate in Apache

  • Add a VirtualHost in /etc/httpd/conf.d/ssl.conf or in another .conf file in /etc/httpd/conf.d/
<VirtualHost *:443>
 ServerName example.com
 ServerAlias www.example.com
 DocumentRoot /var/www/html/example.com/public_html
 SSLEngine on
 # Server (leaf) certificate only
 SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
 # Private key; keep it readable by root only
 SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
 # Chain without the server certificate; fullchain.pem here would send the server certificate twice
 SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
  • Restart Apache server
systemctl restart httpd.service

 


Posted in cPanel, linux, web

Fixing the cPanel SoftException writable by group

If you’ve been following these posts, we now have a lovely git push to deploy setup, and can ssh into our server without constantly needing to enter our password through the use of ssh keys.

However, if you’re running on cPanel, you will probably have bumped into this error:

SoftException in Application.cpp:256: File "/home/username/public_html/index.php" is writeable by group

This is clearly a permissions error, and so the obvious thought is to chmod it. However, we don’t want to ssh in and chmod every time we push! On the testing server, the permissions are fine, but they are different once the git push has done its post-update.

The reason for this is the umask. The umask is the file mode creation mask of a process: it decides which permission bits are removed from the new files and folders that the process creates.

The solution to this is to edit ~/.bash_profile, and insert the following command:

umask 022

From now on you shouldn’t have the problem with newly created files.

To fix files that already exist, chmod -R 755 any affected folders, or just log out and back in, then git pull or git reset --hard HEAD^ in order to re-fetch the files. This time they should be created without any strange permission errors!

Source: https://delboy1978uk.wordpress.com/2014/01/31/fixing-the-cpanel-softexception-writable-by-group/
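
The umask behaviour described in the cPanel post above, as an added example that is not part of the original post: it shows the mode a new file gets under umask 002 versus 022, then lists and repairs group-writable entries. The function names and the scratch directory standing in for public_html are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post). File names are constructed samples.

# mode_with_umask MASK: create index.php in a scratch directory under MASK
# and print its permission string, e.g. "-rw-rw-r--".
mode_with_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/index.php" )
    ls -l "$dir/index.php" | cut -c1-10
    rm -rf "$dir"
}

# list_group_writable DIR: print files and directories under DIR that are
# writable by group (the condition named in the SoftException) or by others.
list_group_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# fix_group_writable DIR: clear only the group/other write bits, so plain
# files do not gain an execute bit the way a blanket "chmod -R 755" gives them.
fix_group_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Demo on a scratch tree that stands in for public_html.
demo=$(mktemp -d)
( umask 002 && mkdir "$demo/public_html" && : > "$demo/public_html/index.php" )
echo "umask 002 creates: $(mode_with_umask 002)"
echo "umask 022 creates: $(mode_with_umask 022)"
echo "group-writable before fix:"; list_group_writable "$demo/public_html"
fix_group_writable "$demo/public_html"
echo "group-writable after fix: $(list_group_writable "$demo/public_html" | wc -l)"
rm -rf "$demo"
```

Running list_group_writable against the deployed tree after a push confirms whether the umask 022 line in ~/.bash_profile is actually in effect for the process that writes the files.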