Complete tutorial to install Let's Encrypt SSL on CentOS 8

Securing your website with Certbot is one of the key things it needs in order to survive. Using HTTPS with a security certificate (SSL certificate) to protect the traffic sent between web browsers and web servers is essential. As a result, users can communicate and exchange data with your website over an encrypted connection.

In most cases, security certificates must be paid for and renewed annually. A Let’s Encrypt certificate is an automated, open-source, and free certificate that you can use to encrypt traffic to your site. The certificate expires after 90 days and the renewal is free of charge.
Let’s Encrypt can be easily installed on all servers like Linux VPS and cPanel VPS machines.

Steps to install Let’s Encrypt

  1. Installing Pre-requirements
  2. Install and configure a Certbot in CentOS 8
  3. Creating a virtual host in Apache
  4. Installing Let’s Encrypt SSL Certificate on CentOS 8
  5. Testing Let’s Encrypt SSL Certificate after installation
  6. Automatic renewal of Let’s Encrypt certificate

Install Let's Encrypt free SSL

In this article, we will teach you how to install the Let’s Encrypt SSL certificate on the Apache web server using the Certbot tool, and how to configure automatic SSL renewal on CentOS 8.

1- Pre-requirements to install Let’s Encrypt SSL on CentOS 8

  • Make sure you have a registered domain name that has been bound to the IP address of your server.
  • You need a Linux VPS machine running the CentOS 8 operating system, with the Apache web server (httpd service) installed and running. You can make sure Apache is installed and running using the following commands. If the httpd service is not running, you can start it with the “systemctl start httpd” command.
$ sudo yum install httpd 
$ sudo systemctl start httpd 
$ sudo systemctl status httpd

Next, you need to open access to ports 80 and 443 on the firewall. And you can use the following commands to do this.

$ sudo firewall-cmd --permanent --add-port=80/tcp --zone=public 
success 
$ sudo firewall-cmd --permanent --add-port=443/tcp --zone=public 
success 
$ sudo firewall-cmd --reload 
success

2- Install and configure a Certbot in CentOS 8

Certbot is a client that automatically performs security certificate installation steps. As a result, the program receives the certificate from the official Let’s Encrypt website and installs it on your website without any hassle.

Certbot is completely free and allows you to install the certificate in a very simple way by creating configuration instructions according to your web server settings.

Note: Before downloading Certbot, please install the packages needed to create and configure an encrypted connection.

$ sudo yum install mod_ssl openssl

Use the curl command as below to download Certbot.

$ sudo curl -O https://dl.eff.org/certbot-auto

Then, move the Certbot file to the /usr/local/bin/ folder, make root its owner, and make it executable using the chmod command.

$ sudo mv certbot-auto /usr/local/bin/certbot-auto 
$ sudo chown root /usr/local/bin/certbot-auto 
$ sudo chmod 0755 /usr/local/bin/certbot-auto

3- Create a virtual host in the Apache webserver.

The next step is to create a virtual host file for our domain operavps.com. In this example, the document root of the site (where you put your HTML files) is the following path, which we create with the following command.

$ sudo mkdir /var/www/operavps.com

We create the index.html file as shown below in the path above.

# The redirection has to run as root, so write the file through sudo tee
$ echo "<h1>Welcome to Apache HTTP server</h1>" | sudo tee /var/www/operavps.com/index.html

Then, we create a virtual host file as shown below.

$ sudo vim /etc/httpd/conf.d/operavps.com.conf

And we add the following settings to it.

<VirtualHost *:80>
ServerName operavps.com 
ServerAlias www.operavps.com 
DocumentRoot /var/www/operavps.com/ 
<Directory /var/www/operavps.com/>
Options -Indexes +FollowSymLinks
AllowOverride All 
</Directory> 
ErrorLog /var/log/httpd/www.operavps.com-error.log 
CustomLog /var/log/httpd/www.operavps.com-access.log combined 
</VirtualHost>
<VirtualHost *:443> 
ServerName operavps.com 
ServerAlias www.operavps.com 
DocumentRoot /var/www/operavps.com/ 
<Directory /var/www/operavps.com/> 
Options -Indexes +FollowSymLinks 
AllowOverride All 
</Directory> 
ErrorLog /var/log/httpd/www.operavps.com-error.log 
CustomLog /var/log/httpd/www.operavps.com-access.log combined 
</VirtualHost>

Save the changes and exit.

We assign the required permissions to the root folder of the webserver as follows.

$ sudo chown -R apache:apache /var/www/operavps.com

Restart the Apache service to apply the changes.

$ sudo systemctl restart httpd

4- Installing Let’s Encrypt SSL Certificate on CentOS 8

At this point, run Certbot as below to install the Let’s Encrypt certificate.

$ sudo /usr/local/bin/certbot-auto --apache

By running this command, a number of python packages will be installed.

After the packages have been installed successfully, Certbot will ask a series of questions and give tips for answering them. These questions guide you through the installation of the Let’s Encrypt certificate.

If all goes well, you will receive a message stating that the security of your website has been established using the Let’s Encrypt certificate. After the certificate has been received, you will also see that it is valid for 90 days.

Now go back to your VirtualHost file and add the following lines to its configuration.

SSLEngine On 
SSLCertificateFile /etc/letsencrypt/live/operavps.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/operavps.com/privkey.pem

Save the file and exit.

After all the changes, the file should look something like the following.

<VirtualHost *:80> 
ServerName operavps.com 
ServerAlias www.operavps.com 
DocumentRoot /var/www/operavps.com/ 
<Directory /var/www/operavps.com/> 
Options -Indexes +FollowSymLinks 
AllowOverride All 
</Directory> 
ErrorLog /var/log/httpd/www.operavps.com-error.log 
CustomLog /var/log/httpd/www.operavps.com-access.log combined 
</VirtualHost>

<VirtualHost *:443> 
ServerName operavps.com 
ServerAlias www.operavps.com 
DocumentRoot /var/www/operavps.com/ 
<Directory /var/www/operavps.com/> 
Options -Indexes +FollowSymLinks 
AllowOverride All 
</Directory> 
ErrorLog /var/log/httpd/www.operavps.com-error.log
CustomLog /var/log/httpd/www.operavps.com-access.log combined

SSLEngine On 
SSLCertificateFile /etc/letsencrypt/live/operavps.com/fullchain.pem 
SSLCertificateKeyFile /etc/letsencrypt/live/operavps.com/privkey.pem 
</VirtualHost>

Restart the Apache service.

$ sudo systemctl restart httpd

5- Testing Let’s Encrypt SSL Certificate

To check that everything is working properly, open your website in the browser and look at the address bar. You should now see the green lock mark at the beginning of your URL.
To get more details, click on the lock icon and click Certificate on the drop-down menu.

6- Automatic renewal of Let’s Encrypt

A Let’s Encrypt certificate is only valid for 90 days. The renewal process is usually done by the Certbot package, whose renew script has been added to the /etc/cron.d directory. The script runs twice a day and automatically renews any certificate that is within 30 days of its expiration date.

To test the automatic renewal process, run Certbot with the following command.

$ sudo /usr/local/bin/certbot-auto renew --dry-run

If you don’t get any errors, you can be confident that the renewal process will run without problems.
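
A command-line check for sections 5 and 6, as an added example that is not part of the original article: it reads the expiry date of the certificate the server actually presents, flags it once it is inside the 30-day renewal window, and looks for a scheduled certbot renew job. The function names, the cron paths searched and the suggested cron line are assumptions; it needs GNU date and the openssl command-line tool.

```sh
#!/bin/sh
# Added example (not from the article): confirm that renewal is scheduled and
# that the served certificate is outside the 30-day renewal window.
# Assumes GNU date and the openssl CLI; function names are illustrative.

RENEW_WINDOW_DAYS=30   # renewal window stated in the article

# Whole days from a reference time to an openssl "notAfter=" date.
# $1: e.g. "notAfter=Sep  8 00:00:00 2021 GMT"   $2: reference time (epoch seconds)
days_left() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 2
    echo $(( (end - $2) / 86400 ))
}

# "ok" while the certificate is not yet due; "overdue" once it is inside the
# window (or expired), which means automatic renewal has not been happening.
renewal_state() {
    left=$(days_left "$1" "$2") || return 2
    if [ "$left" -lt "$RENEW_WINDOW_DAYS" ]; then echo overdue; else echo ok; fi
}

# Succeeds if any file under the given paths has an uncommented certbot renew job.
has_renew_job() {
    grep -rEsq '^[^#]*certbot(-auto)?[^#]* renew' "$@"
}

# Print the notAfter line of the certificate a host actually serves on port 443.
served_not_after() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -enddate
}

# Usage: sudo sh check-renewal.sh operavps.com
if [ $# -ge 1 ]; then
    if has_renew_job /etc/cron.d /etc/crontab /var/spool/cron; then
        echo "renew job: found"
    else
        echo "renew job: none found; a cron.d entry could look like:"
        echo "0 0,12 * * * root /usr/local/bin/certbot-auto renew --quiet"
    fi
    not_after=$(served_not_after "$1") || exit 2
    echo "$1: $not_after ($(renewal_state "$not_after" "$(date +%s)"))"
fi
```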

We have reached the end of the article. In this post, we showed you how to use Certbot to install the Let’s Encrypt certificate on the Apache web server on the CentOS 8 operating system. Don’t forget to share your questions and comments with us.


pietro Publish in January 15, 2023 at 1:04 pm

Very useful, thanks a lot! It would also be very useful to have an article on how to manage more LET'S_ENCRYPT certificates on several virtual hosts on the same Apache. Best wishes, Pietro

Eugene Publish in June 10, 2021 at 9:43 pm

Hi. Thank you for the article. I am not too sure if certbot adds renew script into /etc/cron.d automatically. At least I was not able to reproduce that. There are no cronjobs added into /var/spool/cron folder either. Could you please confirm that? How to organize auto-renew incorrect way? Cheers

taysay Publish in November 29, 2020 at 2:28 am

Awesome gift to the coding community and of course to humanity. Saved me tons of trouble. It is good to note: always check your DNS propagation status and all that.

Neil Gabin Publish in October 19, 2020 at 10:57 am

Please ignore my previous comment Harry. I restored my VPS and made sure I replace all occurrences of "operavps" with my domain but still, I got these errors. Hope you can help me fix these errors, please.

===================
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apachectl configtest.\n\nAH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:\nSSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty\n",)

    Neil Gabin Publish in October 19, 2020 at 11:15 am

    me again. please ignore both my comments. I found the solution here https://github.com/certbot/certbot/issues/7397

    Harry Publish in October 19, 2020 at 11:05 am

    Hey Neil,
    First, try this command to restart Apache:
    systemctl restart httpd
    And then this command to regenerate the cert:
    /usr/libexec/httpd-ssl-gencerts
    Hope this helps you to resolve the issue.

Carl Hood Publish in September 22, 2020 at 5:54 pm

Hi, Harry good job on your work here on this site you so concise in work I really to say something good to you for your work as a IT person really good work everything is dead on so please just keep up with excellence. Thank you, Carl

    Harry Publish in September 24, 2020 at 11:51 am

    Hi Carl, I'm glad you found this article useful. Your feedback is very energetic and makes me publish better quality content. Thanks for your comment.