Let's Encrypt

How to install and use Let's Encrypt certificates on CentOS 7.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

Installing on CentOS 7

We will be using CertBot for fetching the SSL/TLS certificates for your webserver.

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol

On CentOS to install Certbot you will need to enable the EPEL (Extra Packages for Enterprise Linux) repository, to do so simply run the following commands to enable EPEL and install Certbot:

yum install -y epel-release
yum install -y certbot python2-certbot-apache

Setup for your domain(s)

CertBot has multiple ways of authenticating the certificate transaction. Stand-alone, will run its own http process, Web-root will use the web root directory, and the one we will be using, Apache, uses your installed Apache server.

Setting up a certificate for multiple domains via DNS matching is pretty straight forward.

certbot --apache -d first-domain -d my.second-domain -d some.other-domain

Configure Apache

Edit your Apache virtual host configuration to point to the created certificate files.
Add the following to your /etc/httpd/conf.d/your-vhost.conf:

...
SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/your-domain/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/your-domain/fullchain.pem
    SSLVerifyClient None
...

Test it

Do a test run to see if all works as expected:

certbot renew --dry-run

Create a cronjob

If all runs fine, you can automate the whole renewal process by creating a cron job to run twice a day to check if your certificates need renewal.
Create /etc/cron.d/letsencrypt:

43 6,19 * * * root certbot renew --quiet

Done

That's it you are now setup with Let's Encrypt certificates!

...

Read more posts by this author.

The Netherlands