An SSL/TLS certificate lets visitors verify that they are really talking to your server and encrypts the traffic between client and server. Let's Encrypt is a free, automated and open Certificate Authority (CA) that issues TLS/SSL certificates so that web servers can serve HTTPS.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Let's Encrypt queries.
In this context, we shall look into how to secure Apache with Let's Encrypt on CentOS 7 by installing a free Let's Encrypt SSL certificate.
How to Install Let's Encrypt on CentOS 7 ?
Let's Encrypt certificates are valid for 90 days from the date of issue and are trusted by all major browsers.
Before starting, make sure the following prerequisites are met:
- A CentOS 7 system with a non-root user that has sudo privileges.
- Apache installed and configured, as described in this tutorial.
- An Apache virtual host for your domain, as described in this tutorial.
- Your domain name resolving to the public IP address of this server. Let's Encrypt verifies ownership by connecting to the name over HTTP, so a name that points elsewhere fails validation.
1. Install Certbot Client
Start by installing the Certbot client, which obtains certificates from Let's Encrypt and can configure Apache to serve them.
The certbot package is provided by EPEL, so enable the EPEL repository first:
$ sudo yum install epel-release
Now install Apache, mod_ssl (required for HTTPS) and the Certbot Apache plugin. On current EPEL 7 the plugin package is named python2-certbot-apache and pulls in certbot as a dependency; if yum reports that python-certbot-apache does not exist, install that name instead:
$ sudo yum install httpd mod_ssl python-certbot-apache
Check the installation by printing the Certbot version:
$ certbot --version
If the installation succeeded, this prints the version of certbot.
2. Setup Firewall
If you are not running a firewall, you can skip ahead.
Let's Encrypt validates the domain by connecting to port 80, and browsers connect to HTTPS on port 443, so both ports must be open. With firewalld, open them with:
$ sudo firewall-cmd --add-service=http
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent
If your server runs iptables instead, allow both ports with the commands below. These rules live only in memory: unless you save them (for example with the iptables-services package and service iptables save), they are gone after a reboot.
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
3. Configure Let's Encrypt SSL on Apache
Now everything is in place to request a certificate. Let's Encrypt checks that you control the domain and, if the check succeeds, issues a certificate for the requested names. Certbot has several plugins for obtaining and installing certificates; the apache plugin does both, answering the validation challenge through the running web server and then editing the virtual host. Run:
$ sudo certbot --apache -d example.com -d www.example.com
This requests one certificate that covers both example.com and www.example.com; every name you list must resolve to this server, or validation fails for the whole request.
If this is the first time you run certbot, it prompts for an email address, used for renewal and expiry notices, and asks you to agree to the terms of service.
Certbot then contacts the Let's Encrypt server and completes a challenge that proves you control the domain you are requesting a certificate for.
If validation succeeds, it asks how you want HTTPS configured:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Choose Redirect unless you have a reason to keep serving plain HTTP: certbot then rewrites the virtual host so that every HTTP request is redirected to HTTPS, which is what you want for a new site.
At the end certbot prints a success message with the locations of the certificate and private key, under /etc/letsencrypt/live/example.com/.
Your domain is now served with a Let's Encrypt certificate. Confirm by visiting your site over https:// in a browser and checking that it shows no certificate warning.
Other Secure SSL Settings for Apache
The SSL defaults that CentOS 7 ships for Apache are dated: as shown below, they still allow SSLv3 and medium-strength ciphers. A few settings need to change to harden the server.
To configure more secure SSL-related options, open the ssl.conf file:
$ sudo vi /etc/httpd/conf.d/ssl.conf
First, find the SSLProtocol and SSLCipherSuite lines and comment them out (or delete them):
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
Now append the following lines after the VirtualHost block in /etc/httpd/conf.d/ssl.conf. Placed there they apply server-wide, but a directive inside a VirtualHost overrides them: certbot's apache plugin includes its own SSLProtocol and SSLCipherSuite settings from /etc/letsencrypt/options-ssl-apache.conf in the virtual host it creates, so review that file as well.
. . .
. . .
# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLProtocol All -SSLv2 -SSLv3
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
# Requires Apache >= 2.4.11
The Header lines need mod_headers, which CentOS 7 loads by default. Note that SSLProtocol All -SSLv2 -SSLv3 still leaves TLS 1.0 and 1.1 enabled; on CentOS 7's Apache 2.4 with OpenSSL 1.0.2 you can also append -TLSv1 -TLSv1.1 so that only TLS 1.2 is offered. HSTS with includeSubdomains commits every subdomain to HTTPS for two years in every browser that has visited the site, so enable it only once all subdomains serve HTTPS; the preload variant goes further and is deliberately left commented out. The two version comments at the end are left over from the cipherli.st source, whose later directives are not copied here.
Save and close the file, then restart Apache so that the changes take effect (apachectl configtest reports syntax errors before you restart):
$ sudo systemctl restart httpd
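As an added example (not part of the original tutorial or of cipherli.st), here is a small POSIX shell audit that reads an ssl.conf and reports the three things this section changes: legacy protocol versions still enabled, weak OpenSSL cipher groups still allowed, and a missing HSTS header. The two sample configs it checks are constructed inline; the weak one is the CentOS 7 default shown above, the hardened one also drops TLS 1.0 and 1.1 and offers only ECDHE/DHE AES ciphers with forward secrecy. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial or cipherli.st): audit an Apache
# ssl.conf for the weak settings discussed above. The two sample configs are
# constructed inline so the script runs offline; on a real host point it at
# /etc/httpd/conf.d/ssl.conf and /etc/letsencrypt/options-ssl-apache.conf.

# audit_ssl_conf FILE: print one line per finding; the return value is the
# number of findings (0 means the file passes all three checks).
audit_ssl_conf() {
    conf="$1"
    findings=0
    # Drop comments so a commented-out directive does not count as set.
    live=$(sed 's/#.*//' "$conf")

    # Check 1: SSLProtocol. Replay mod_ssl's "all", "+X" and "-X" tokens to
    # work out which versions end up enabled, then flag the legacy ones.
    proto=$(printf '%s\n' "$live" | grep -i '^[[:space:]]*SSLProtocol' | tail -n 1)
    if [ -z "$proto" ]; then
        echo "SSLProtocol not set: mod_ssl's default still allows TLS 1.0 and 1.1"
        findings=$((findings + 1))
    else
        set -- $proto
        shift                       # drop the directive name, keep its tokens
        enabled=" "
        for tok in "$@"; do
            case "$tok" in
                [Aa]ll|+[Aa]ll) enabled=" SSLv3 TLSv1 TLSv1.1 TLSv1.2 " ;;
                -[Aa]ll)        enabled=" " ;;
                -*)             enabled=$(printf '%s' "$enabled" | sed "s/ ${tok#-} / /") ;;
                +*)             enabled="$enabled${tok#+} " ;;
                *)              enabled="$enabled$tok " ;;
            esac
        done
        for old in SSLv3 TLSv1 TLSv1.1; do
            case "$enabled" in
                *" $old "*) echo "SSLProtocol still enables $old: $proto"
                            findings=$((findings + 1)) ;;
            esac
        done
    fi

    # Check 2: SSLCipherSuite. Flag it when absent, or when an OpenSSL cipher
    # group that is weak today is listed without a "!" or "-" exclusion.
    cs=$(printf '%s\n' "$live" | grep -i '^[[:space:]]*SSLCipherSuite' | tail -n 1)
    if [ -z "$cs" ]; then
        echo "SSLCipherSuite not set"
        findings=$((findings + 1))
    else
        set -- $cs
        ciphers=$(printf '%s' "$2" | tr -d '"')
        for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
            case "$tok" in
                "!"*|-*) ;;
                MEDIUM|LOW|EXP|EXPORT|RC4|DES|3DES|MD5|aNULL|eNULL|NULL)
                    echo "SSLCipherSuite allows weak group $tok: $ciphers"
                    findings=$((findings + 1)) ;;
            esac
        done
    fi

    # Check 3: the HSTS header (set with mod_headers) must be present.
    if ! printf '%s\n' "$live" | grep -Eqi 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security'; then
        echo "Strict-Transport-Security header not set"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the CentOS 7 defaults shown in the tutorial, with an
# HSTS line that is only commented out (and so must not count).
write_weak_sample() {
    cat > "$1" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
EOF
}

# Constructed sample: the hardened equivalent. TLS 1.0/1.1 go the way of SSLv3,
# only ECDHE/DHE AES ciphers with forward secrecy are offered, and HSTS is on.
write_hardened_sample() {
    cat > "$1" <<'EOF'
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
EOF
}

# Demo run against both samples.
weak=$(mktemp)
hard=$(mktemp)
write_weak_sample "$weak"
write_hardened_sample "$hard"
echo "== default-style ssl.conf =="
audit_ssl_conf "$weak" || echo "$? finding(s)"
echo "== hardened ssl.conf =="
audit_ssl_conf "$hard" && echo "clean"
rm -f "$weak" "$hard"
```

Run it as sh audit.sh; against the default-style sample it reports five findings (SSLv3, TLSv1 and TLSv1.1 still enabled, the MEDIUM cipher group, and no HSTS header) and the hardened sample comes back clean. The protocol check deliberately simulates mod_ssl's token semantics rather than grepping for "-SSLv3", so a config such as SSLProtocol -all +TLSv1.2 passes too.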
How to perform Auto renewal of Let's Encrypt SSL certificate ?
Let's Encrypt certificates are valid for 90 days, so they must be renewed before they expire. certbot renew inspects every certificate certbot manages and renews those with fewer than 30 days left, so the usual setup is a cron job that runs it twice a day: most runs do nothing, and a run that fails (during an outage at Let's Encrypt, say) is simply retried at the next one, well before expiry.
Edit root's crontab to create the job:
$ sudo crontab -e
Add the following line at the end of the file so that the job runs every 12 hours:
0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
Save and close the file. Because the certificate was obtained with the apache plugin, certbot reloads Apache after a successful renewal so that the new certificate is actually served; if something else has to happen after a renewal, pass it with the --deploy-hook option. The EPEL certbot package also ships a certbot-renew systemd timer that does the same job; use either that or the cron entry, not both.
To test the renewal process without touching your real certificates, run certbot with the --dry-run switch, which performs the whole exchange against Let's Encrypt's staging environment:
$ sudo certbot renew --dry-run
If no error is reported, the scheduled renewal will work.
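To verify the certificate a server is actually serving (the check suggested after issuance above) and to see certbot's 30-day renewal window applied, here is an added POSIX shell example that is not part of the original tutorial or of certbot. It generates a self-signed sample certificate for the hypothetical name example.com so it runs offline; the function names are its own, and the path under /etc/letsencrypt/live/ is certbot's standard layout.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: report how long a
# certificate has left and whether it is inside certbot's 30-day renewal
# window, independently of certbot. A self-signed sample certificate is
# generated inline so the script runs offline; on a live host point it at
# /etc/letsencrypt/live/example.com/cert.pem or use fetch_server_cert.

# cert_days_left FILE: print whole days until the PEM certificate expires
# (negative once expired). Parses openssl's notAfter line with GNU date.
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end=$(date -u -d "$not_after" +%s)
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# needs_renewal FILE [DAYS]: succeed (exit 0) when the certificate expires
# within DAYS days (default 30, the window certbot renew uses), fail otherwise.
# openssl's -checkend exits non-zero exactly when expiry falls inside the window.
needs_renewal() {
    window="${2:-30}"
    if openssl x509 -in "$1" -noout -checkend $((window * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# fetch_server_cert HOST OUTFILE [PORT]: save the certificate a live server
# presents for HOST (with SNI, so name-based virtual hosts answer correctly),
# so the two checks above can be run against what clients actually see.
fetch_server_cert() {
    printf '' | openssl s_client -connect "$1:${3:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# make_sample_cert OUTFILE DAYS: constructed self-signed certificate for the
# hypothetical name example.com, valid for DAYS days, used as test input.
make_sample_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" \
        -days "$2" -subj "/CN=example.com" >/dev/null 2>&1
    rm -f "$key"
}

# Demo: a fresh 90-day certificate is not due; a 10-day one is.
sample=$(mktemp)
make_sample_cert "$sample" 90
echo "90-day sample: $(cert_days_left "$sample") days left"
if needs_renewal "$sample"; then echo "  -> due for renewal"; else echo "  -> not yet due"; fi
make_sample_cert "$sample" 10
echo "10-day sample: $(cert_days_left "$sample") days left"
if needs_renewal "$sample"; then echo "  -> due for renewal"; else echo "  -> not yet due"; fi
rm -f "$sample"
```

Against a live host, run fetch_server_cert example.com /tmp/live.pem and then cert_days_left /tmp/live.pem. If the number stays well below 90 the day after a renewal should have happened, the renewal either failed or Apache was not reloaded and is still serving the old certificate; the same check makes a good input for your monitoring.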
[Need urgent assistance in fixing Apache configuration errors? We can help you. ]