How to Install Let’s Encrypt SSL Certificate to Secure Apache on RHEL/CentOS 7/6

Matei Cezar

I am a computer-addicted guy, a fan of open source and Linux-based system software, and have about 4 years' experience with Linux distributions (desktop, servers) and bash scripting.

10 Responses

  1. Akash Sharma says:

    Hi,

    I have followed your instructions above but I am stuck.

    When I run the command below, it installs the package and asks me to enter an e-mail address. After I enter the e-mail address, the full details are below:

    Can anybody help me out, as I have no idea about the error?

    [[email protected] letsencrypt]# ./letsencrypt-auto --apache -d demotoday.com

    {Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): [email protected]

    ——————————————————————————-
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    ——————————————————————————-
    (A)gree/(C)ancel: A

    ——————————————————————————-
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let’s Encrypt project and the non-profit
    organization that develops Certbot? We’d like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    ——————————————————————————-
    (Y)es/(N)o: N
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for demotoday.com
    Waiting for verification…
    Cleaning up challenges
    Error while running apachectl graceful.

    Job for httpd.service invalid.

    Unable to restart apache using ['apachectl', 'graceful']
    Failed authorization procedure. demotoday.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://demotoday.com/.well-known/acme-challenge/YXy_G1Ii2rJOFsVRJfOycRoJoWDGhlK6B0tyiH9jQyo: "

    <ht"

    IMPORTANT NOTES:
    – The following errors were reported by the server:

    Domain: demotoday.com
    Type: unauthorized
    Detail: Invalid response from
    http://demotoday.com/.well-known/acme-challenge/YXy_G1Ii2rJOFsVRJfOycRoJoWDGhlK6B0tyiH9jQyo:
    "

    <ht"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    – Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal. }

  2. Kris Hayes says:

    Hey, thanks for the tutorial, everything seems to have installed fine however I get a privacy error on Chrome when I try and access my site on https. Is there something I’ve missed?

  3. Indi says:

    Thanks for the great article. Worked flawlessly with the first domain I tried. However I came up with a problem when I went to do it for another domain on my VPS. Substep 10 (where you are asked for which vhost), I get a warning msg ‘note: conf files with multiple vhosts are not yet supported’. Is there any way around this?

    • Matei Cezar says:

      You can try to split the configuration files for each vhost. Create one .conf file for each domain and one for each port 80 and port 443.

  4. Neil Edwards says:

    Great article, thank you!!

    I have a small question regarding sub-step 19 where it says “Use your domain name as a positional parameter for the script.”. If you originally requested the certificate for multiple sub domains in sub-step 7 (i.e. -d sub1.domain.com -d sub2.domain.com), would you declare those multiple domains as your positional parameter, or would you have to schedule two separate cron jobs to renew each sub domain? Or do you just declare one sub domain and it knows to renew that cert with the Subject Alt Names?

  5. nda888 says:

    Hi,

    I followed the guide and finished the setup

    but unfortunately,

    https://www.ssllabs.com/ssltest/analyze.html?d=abc.gkxim.com#whyNotTrusted

    ssllabs alert “This server’s certificate is not trusted”

    I deploy on AWS

    Please help

    Thanks,
    An,

    • Matei Cezar says:

      From the link it seems there is a problem with your server FQDN and certificate Common Name value. Try to generate a new certificate and make sure your server FQDN has the same value for certificate’s Common Name. Also, seems to me that your web server is behind a firewall: ip-10-145-137-246 MISMATCH.
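
The name check described in the reply above, as an added example that is not part of the original thread or of the tutorial's own scripts: it tests whether a certificate covers each hostname a vhost is expected to serve. The hostnames and the throwaway self-signed certificate are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: check which hostnames a certificate actually covers.
# All names below (www.example.com, shop.example.com) are constructed.

# Create a throwaway self-signed certificate for one name, standing in for
# the certificate Apache serves. Requires OpenSSL 1.1.1+ for -addext.
make_sample_cert() {   # usage: make_sample_cert <dns-name> <out-dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# Return 0 if the certificate is valid for the hostname, 1 otherwise.
# OpenSSL matches against subjectAltName entries and falls back to the
# Common Name only when the certificate has no DNS entries there.
# `openssl x509 -checkhost` exits 0 either way, so test its output.
cert_covers_host() {   # usage: cert_covers_host <cert.pem> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q "does match certificate"
}

# Print a verdict for every hostname; return 1 if any name is not covered.
audit_vhost_names() {  # usage: audit_vhost_names <cert.pem> <hostname>...
    cert=$1; rc=0; shift
    for name in "$@"; do
        if cert_covers_host "$cert" "$name"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done
    return $rc
}

workdir=$(mktemp -d)
make_sample_cert www.example.com "$workdir"
audit_vhost_names "$workdir/cert.pem" www.example.com shop.example.com || true

# Against a live server, check the certificate it actually serves instead:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#     | openssl x509 -noout -checkhost HOST
```

A MISMATCH line for a name the site is reached by is the condition that makes browsers and SSL Labs report the certificate as not trusted for that name.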

  6. Kicko says:

    Great, thank you… but you missed your_domain.tld in the cronjob. Correct:

    0 1 1 */2 * /usr/local/bin/le-renew-centos your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1
