Tag Archives: lets encrypt on apache

Let’s Encrypt SSL certificate on Apache YUM based Linux system

Learn to configure the free, open-source, secure Let’s Encrypt SSL certificate on Apache webserver running on YUM based Linux server.

Lets Encrypt installation on Apache

What is Let’s Encrypt

Let’s Encrypt is free, open-source, and automatic SSL CA (Certificate Authority). Its managed by ISRG (Internet Security Research Group). SSL certificate always involved a cost which is recurring every year for renewal. Let’s encrypt aimed at open source and free SSL. This is an ideal choice for small websites, businesses which have less or no critical data on their websites and looking for SSL certificates.

If you are running a personal blog then SSL is essential for having a good search engine reputation. But before you dive into you need one dedicated IP for your domain name. If you are on shared hosting you are likely not having a dedicated IP. So for Let’s Encrypt SSL, you need to buy IP for your domain name.

Lets Encrypt SSL certificate

Let’s encrypt provides you fee SSL after your domain name validity which lasts for 3 months. You have to manually renew it every 3 months. The renewal process can be automatized too. Certbot is currently serving you deploying https on your server and configuring Let’s encrypt certs for you.

Before run into installation you should have these pre-requisite completed :

  1. Install EPEL repo
  2. You should have a webserver running
  3. The webpage is being displayed on your domain name (port 80) properly

Let’s encrypt installation on Apache & YUM Linux system

First of all, you need to clone git repository of letsencrypt. For that install package ‘git’ first. Once done run below git clone command :

# git clone https://github.com/letsencrypt/letsencrypt
Initialized empty Git repository in /root/letsencrypt/.git/
remote: Counting objects: 45178, done.
remote: Compressing objects: 100% (164/164), done.
remote: Total 45178 (delta 112), reused 0 (delta 0), pack-reused 45014
Receiving objects: 100% (45178/45178), 13.38 MiB | 2.15 MiB/s, done.
Resolving deltas: 100% (32345/32345), done.

Now goto letsencrypt directory which is created in your present directory by clone command. Under that directory run below command :

# ./letsencrypt-auto  certonly --standalone

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):ktwebtest.ddns.net
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for ktwebtest.ddns.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ktwebtest.ddns.net/fullchain.pem. Your cert
   will expire on 2017-07-02. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can see above, after supplying domain name, Certbot creates a CSR file on its own, generates a key file, and fetch SSL certificate too. All paths are visible in the output. All files path are :

Key files directory/etc/letsencrypt/keys/
CSR files directory/etc/letsencrypt/csr/
SSL files directory/etc/letsencrypt/live/

It also shows you when your certificate going to expire. And command you can use to renew your certificate. Now you can follow the tutorial of how to install SSL which you obtained in the above step.

You can even automatize this SSL installation steps by using command :

# ./letsencrypt-auto  -d ktwebtest.ddns.net --apache

With this command, it will create key, CSR, fetch SSL, install SSL on your domain webserver!

Certificate renewal

You can renew certificate manually using :

# ./letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ktwebtest.ddns.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ktwebtest.ddns.net/fullchain.pem (skipped)
No renewals were attempted.


As you can see, it will scan through all fetched let’s encrypt certificates on the server and their due date. If found due, those certificates will be renewed in no time!

If you want to renew certificate regardless of the due date then you can use force renew as below :

# ./letsencrypt-auto renew  --force-renewal

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ktwebtest.ddns.net.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for ktwebtest.ddns.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ktwebtest.ddns.net/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ktwebtest.ddns.net/fullchain.pem (success)

You can even schedule crontab with a little bit of scripting to have an automatic renewal of certificates.