How to Secure Apache with Let’s Encrypt SSL Certificate on CentOS 8

Securing your web server is one of the key factors to consider before going live with your website. A TLS certificate is critical for protecting the traffic exchanged between web browsers and your web server, and it gives users confidence that the data they send to your site is encrypted in transit.

In most cases, security certificates are paid for and renewed annually. Let’s Encrypt is a free, open, and automated certificate authority that you can use to encrypt your site. Its certificates are valid for 90 days and can be renewed automatically at no cost.

Recommended Read: How to Secure Nginx with Let’s Encrypt on CentOS 8

In this article, we will show you how you can install the Let’s Encrypt Certificate with Certbot for the Apache web server and later, configure the certificate to renew automatically on CentOS 8.

Prerequisites

Before you get started, ensure that you have the following in place:

1. A CentOS 8 server with the Apache HTTP web server installed and running. If it is not installed yet, install it and confirm that it is up and running:

$ sudo dnf install httpd
$ sudo systemctl status httpd
Check Apache Web Server Status

2. A Fully Qualified Domain Name (FQDN) pointing to your web server’s public IP address on your DNS web hosting provider. For this guide, we will use linuxtechwhiz.info pointing to the server’s IP 34.67.63.136.

Domain A Record Pointing to Server IP Address

Step 1. Install Certbot in CentOS 8

Certbot is a client that automates the installation of the security certificate. It obtains the certificate from the Let’s Encrypt authority and deploys it on your web server without much hassle.

Certbot is absolutely free and will enable you to install the certificate in an interactive way by generating instructions based on your web server’s configuration.

Before installing Certbot, install the packages that are required to set up an encrypted connection.

We will start off by installing the EPEL repository which provides high-quality additional packages for RHEL-based systems:

$ sudo dnf install epel-release

Next, install the mod_ssl and openssl packages.

$ sudo dnf install mod_ssl openssl
Install Mod_SSL on CentOS 8

Once all the dependencies have been installed, install Certbot and the Apache module for Certbot.

$ sudo dnf install certbot python3-certbot-apache
Install Certbot in CentOS

The command installs Certbot, the Apache module for Certbot, and other dependencies.

Step 2: Create an Apache Virtual Host

The next step will be to create a virtual host file for our domain – linuxtechwhiz.info. Begin by first creating the document root where you will place your HTML files.

$ sudo mkdir /var/www/linuxtechwhiz.info

Create a test index.html file as shown.

$ echo "<h1>Welcome to Apache HTTP server</h1>" | sudo tee /var/www/linuxtechwhiz.info/index.html

Next, create a virtual host file as shown.

$ sudo vim /etc/httpd/conf.d/linuxtechwhiz.info.conf

Append the configuration below.

<VirtualHost *:443>
  ServerName linuxtechwhiz.info
  ServerAlias www.linuxtechwhiz.info
  DocumentRoot /var/www/linuxtechwhiz.info/
  <Directory /var/www/linuxtechwhiz.info/>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /var/log/httpd/www.linuxtechwhiz.info-error.log
  CustomLog /var/log/httpd/www.linuxtechwhiz.info-access.log combined
</VirtualHost>

Save and exit.

Set the ownership of the document root to the Apache user as shown.

$ sudo chown -R apache:apache /var/www/linuxtechwhiz.info

For the changes to come into effect, restart the Apache service.

$ sudo systemctl restart httpd

Step 3: Install Let’s Encrypt SSL Certificate on CentOS 8

Now run certbot as shown to commence the installation of the Let’s Encrypt certificate.

$ sudo certbot --apache -d domain.com

In our case, this will be:

$ sudo certbot --apache -d linuxtechwhiz.info

The command will take you through a series of prompts to configure Let’s Encrypt for your domain. Be sure to provide your email address, accept the Terms of Service, and specify the domain names that should be served over HTTPS, the encrypted version of HTTP.

Let’s Encrypt SSL Certification Installation on Domain
Let’s Encrypt SSL Certification Info

If all went well, you should get a congratulatory message at the end informing you that your site has been secured with a Let’s Encrypt certificate. The certificate’s expiry date will also be displayed, which is usually 90 days after deployment.

Now head back to your virtual host file and append the following lines of configuration.

  SSLEngine On
  SSLCertificateFile    /etc/letsencrypt/live/linuxtechwhiz.info/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/linuxtechwhiz.info/privkey.pem

Save and exit.

The final Apache virtual host configuration will look something like this:

<VirtualHost *:443>
  ServerName linuxtechwhiz.info
  ServerAlias www.linuxtechwhiz.info
  DocumentRoot /var/www/linuxtechwhiz.info/
  <Directory /var/www/linuxtechwhiz.info/>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /var/log/httpd/www.linuxtechwhiz.info-error.log
  CustomLog /var/log/httpd/www.linuxtechwhiz.info-access.log combined

  SSLEngine On
  SSLCertificateFile    /etc/letsencrypt/live/linuxtechwhiz.info/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/linuxtechwhiz.info/privkey.pem
</VirtualHost>

Once again, restart Apache.

$ sudo systemctl restart httpd

Step 4: Verifying the Let’s Encrypt SSL Certificate

To verify that everything is working, launch your browser and visit your domain (which points to your server’s IP address). You should now see a padlock symbol at the beginning of the URL.

Verify Let’s Encrypt SSL Certificate

To get more details, click the padlock symbol and then choose the ‘Certificate’ option in the menu that appears.

Check Let’s Encrypt SSL Certificate

The certificate details will be displayed on the next pop-up window.

Let’s Encrypt SSL Certificate Info

Also, you can test your server at https://www.ssllabs.com/ssltest/ and your site should get an ‘A’ grade as shown.

Check Let’s Encrypt SSL Certificate Rating

Step 5: Auto-Renew Let’s Encrypt SSL Certificate

A Let’s Encrypt certificate is valid for only 90 days. Usually, the renewal process is handled by the certbot package, which adds a renew script to the /etc/cron.d directory. The script runs twice daily and automatically renews any certificate that is within 30 days of expiry.

To test the auto-renewal process, conduct a dry run test with certbot.

$ sudo certbot renew --dry-run

If no errors were encountered, then it implies you are good to go.
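As an added example (not from the article or from the Certbot project), the following POSIX shell functions reproduce two checks from Steps 3 and 5 locally: whether a certificate already falls inside Certbot’s 30-day renewal window, and whether the fullchain.pem and privkey.pem named in the vhost actually belong together. It assumes only the openssl command-line tool and builds a constructed self-signed key pair so it runs offline; on a real host the inputs would be the article’s /etc/letsencrypt/live/linuxtechwhiz.info/ files.

```shell
#!/bin/sh
# Added example (not from the article): two local checks worth running after
# the Step 3 vhost edit and before trusting the Step 5 renewal job.
# Assumes only the openssl CLI. Paths are passed in as arguments; on a real
# host they would be /etc/letsencrypt/live/<domain>/{fullchain,privkey}.pem.

# Returns 0 when CERT expires within DAYS days (renewal is due), 1 when it is
# still good for longer, 2 when the file cannot be read. Certbot renews
# "within 30 days of expiry", so calling this with 30 reproduces its decision.
cert_needs_renewal() {
  [ -r "$1" ] || return 2
  if openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1   # openssl reports "Certificate will not expire"
  fi
  return 0     # openssl reports "Certificate will expire"
}

# Returns 0 when the public key embedded in CERT matches the private key in
# KEY, 1 on a mismatch, 2 when either file cannot be parsed. Pointing
# SSLCertificateFile and SSLCertificateKeyFile at a mismatched pair is a
# classic reason httpd refuses to start after the vhost edit.
cert_matches_key() {
  cert_pub=$(openssl x509 -noout -in "$1" -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]   # both are SubjectPublicKeyInfo in PEM form
}

# Constructed fixture so the script runs offline: a throwaway self-signed
# key/cert pair valid for DAYS days, standing in for a live/<domain> directory.
make_test_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=linuxtechwhiz.info" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Stand-alone demo: a 5-day certificate is flagged for renewal, a 90-day one is not.
demo() {
  d=$(mktemp -d)
  make_test_cert "$d/short" 5 && make_test_cert "$d/long" 90
  for n in short long; do
    if cert_needs_renewal "$d/$n/fullchain.pem" 30; then echo "$n: renew now"; else echo "$n: ok"; fi
    cert_matches_key "$d/$n/fullchain.pem" "$d/$n/privkey.pem" && echo "$n: key matches cert"
  done
  rm -rf "$d"
}

demo
```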

This brings us to the end of this guide, in which we demonstrated how to use certbot to install and configure a Let’s Encrypt certificate on the Apache web server running on a CentOS 8 system.


James Kiarie
This is James, a certified Linux administrator and a tech enthusiast who loves keeping in touch with emerging trends in the tech world. When I'm not running commands on the terminal, I'm listening to some cool music, taking a casual stroll, or watching a nice movie.


14 Comments

  1. Failed redirect for domain.com – Unable to set the redirect enhancement for domain.com.

    Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

    can you please help me here?

  2. THIS IS A MISLEADING GUIDE!!
    It’s designed for Ubuntu, NOT Centos!
    You don’t create directories named sites-available and sites-enabled on a Centos environment, you got conf.d for that.

    • Hey Tal. I think you are greatly mistaken, There’s nowhere in the guide where we have created the directories called sites-available and sites-enabled. Kindly go through the article once more.

  3. This helped. Though I ended up with only one sub-folder in “/etc/letsencrypt/live/” but I am installing SSL for multiple domains.

  4. I am getting the following error when installing Let’s Encrypt SSL on my domain:

    Waiting for verification…
    Challenge failed for domain
    dns-01 challenge for domain.com
    Cleaning up challenges
    Some challenges have failed.

    • Hey Sima, ensure that you have an A record for your domain and that your virtual host configuration file is correct: There is an error in step 2 correct as follows.

      $ sudo vim /etc/httpd/conf.d/domain.com.conf
      
  5. I struggled with this, as it couldn’t find any domains and was unable to find a virtual host listening on port 80.

    This line:

    $ sudo vim /etc/httpd/conf.d/linuxtechwhiz.info
    

    Changed to:

    $ sudo vim /etc/httpd/conf.d/linuxtechwhiz.info.conf 
    

    Now it can see my domains when I run set up

      • What I also neglected to say is great article really helped me! I also think there is a cron tab command to renew the certificate as it only lasts three months?

  6. A great article, sir. Is it possible to get a wildcard SSL certificate with Let’s Encrypt for all my auto-generated subdomains (*.example.com)?

  7. Installing certbot this way is not recommended by RH.

    Instead of the manual certbot install, it may be better to use the epel repo rpm, so it gets updated.

    # yum config-manager --set-enabled PowerTools
    # dnf install epel-release
    # dnf install certbot python3-certbot-apache
    
  8. What if I want to try this on a local server with a local domain? And what if I use an Apache reverse proxy server; on which server do I have to install certbot? The virtual host is configured both on the reverse proxy server and on the backend server.

    • Hey Nugroho. Firstly, you need to have a domain registered with a web hosting company. Thereafter, point the domain to the public IP address of your local server. In this case, port forwarding is required to link the private IP of your server with the public IP address given to you by the ISP.

