Learn to configure the free, open-source, secure Let’s Encrypt SSL certificate on Apache webserver running on YUM based Linux server.
What is Let’s Encrypt
Let’s Encrypt is free, open-source, and automatic SSL CA (Certificate Authority). Its managed by ISRG (Internet Security Research Group). SSL certificate always involved a cost which is recurring every year for renewal. Let’s encrypt aimed at open source and free SSL. This is an ideal choice for small websites, businesses which have less or no critical data on their websites and looking for SSL certificates.
If you are running a personal blog then SSL is essential for having a good search engine reputation. But before you dive into you need one dedicated IP for your domain name. If you are on shared hosting you are likely not having a dedicated IP. So for Let’s Encrypt SSL, you need to buy IP for your domain name.
Lets Encrypt SSL certificate
Let’s encrypt provides you fee SSL after your domain name validity which lasts for 3 months. You have to manually renew it every 3 months. The renewal process can be automatized too. Certbot is currently serving you deploying https on your server and configuring Let’s encrypt certs for you.
Before run into installation you should have these pre-requisite completed :
- Install EPEL repo
- You should have a webserver running
- The webpage is being displayed on your domain name (port 80) properly
Let’s encrypt installation on Apache & YUM Linux system
First of all, you need to clone git repository of letsencrypt. For that install package ‘git’ first. Once done run below git clone command :
# git clone https://github.com/letsencrypt/letsencrypt
Initialized empty Git repository in /root/letsencrypt/.git/
remote: Counting objects: 45178, done.
remote: Compressing objects: 100% (164/164), done.
remote: Total 45178 (delta 112), reused 0 (delta 0), pack-reused 45014
Receiving objects: 100% (45178/45178), 13.38 MiB | 2.15 MiB/s, done.
Resolving deltas: 100% (32345/32345), done.
Now goto letsencrypt directory which is created in your present directory by clone command. Under that directory run below command :
# ./letsencrypt-auto certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):ktwebtest.ddns.net
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for ktwebtest.ddns.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/ktwebtest.ddns.net/fullchain.pem. Your cert
will expire on 2017-07-02. To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again.
To non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
You can see above, after supplying domain name, Certbot creates a CSR file on its own, generates a key file, and fetch SSL certificate too. All paths are visible in the output. All files path are :
Key files directory: /etc/letsencrypt/keys/
CSR files directory: /etc/letsencrypt/csr/
SSL files directory: /etc/letsencrypt/live/
It also shows you when your certificate going to expire. And command you can use to renew your certificate. Now you can follow the tutorial of how to install SSL which you obtained in the above step.
You can even automatize this SSL installation steps by using command :
# ./letsencrypt-auto -d ktwebtest.ddns.net --apache
With this command, it will create key, CSR, fetch SSL, install SSL on your domain webserver!
Certificate renewal
You can renew certificate manually using :
# ./letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ktwebtest.ddns.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/ktwebtest.ddns.net/fullchain.pem (skipped)
No renewals were attempted.
As you can see, it will scan through all fetched let’s encrypt certificates on the server and their due date. If found due, those certificates will be renewed in no time!
If you want to renew certificate regardless of the due date then you can use force renew as below :
# ./letsencrypt-auto renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ktwebtest.ddns.net.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for ktwebtest.ddns.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ktwebtest.ddns.net/fullchain.pem
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/ktwebtest.ddns.net/fullchain.pem (success)
You can even schedule crontab with a little bit of scripting to have an automatic renewal of certificates.