Category Archives: Administration

How to enable SSL on your CentOS server with Apache and Let’s Encrypt

Step 1: Install certbot and obtain a certificate

sudo yum install epel-releasesudo yum install certbot python2-certbot-apache mod_sslsudo certbot — apache -d example.com -d www.example.com

You must add all your domains and subdomains in one command.

(From digital ocean🙂 You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https. For better security, it is recommended to choose the option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.

Error: Port 80 is required

Let’s encrypt requires port 80 to redirect to your server. So configure that redirection in your apache config.

vi /etc/httpd/conf/httpd.conf

Add the following:

<VirtualHost *:80>ServerName example.comRedirect permanent / https://example.com/</VirtualHost>

Rename your public ServerName (the one outside of this VirtualHost container) as well:

ServerName localhostServerName example.com

Step 2: Configure your default SSL configuration

vi /etc/httpd/conf.d/ssl.conf

Replace the following lines:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt →

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

SSLCertificateChainFileSSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Error: too many redirects

Make sure that you only have a single port listening to 443.

grep -r 443 /etc/httpd

If you are already listening to 443 in ssl.conf, comment out Listen 443 in httpd.conf.

/etc/httpd/conf/httpd.conf:# Listen 443/etc/httpd/conf/httpd-le-ssl.conf:<VirtualHost *:443>/etc/httpd/conf.d/ssl.conf:Listen 443 https/etc/httpd/conf.d/ssl.conf:<VirtualHost _default_:443>

Step 3: Check your certificate

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

Step 4: Set Up Auto Renewal

sudo crontab -e

Press i and add the following:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

(From digital ocean🙂 This will create a new cron job that will execute at noon and midnight every day. Adding an element of randomness to your cron jobs will ensure that hourly jobs do not all happen at the same minute, causing a server spike; python -c 'import random; import time; time.sleep(random.random() * 3600)' will select a random minute within the hour for your renewal tasks.

Press ‘Esc’, type 😡 to save, and check to see it is added to your list of cron jobs:

sudo crontab -l