Step 1: Install certbot and obtain a certificate
sudo yum install epel-release
sudo yum install certbot python2-certbot-apache mod_ssl
sudo certbot --apache -d example.com -d www.example.com
You must list every domain and subdomain you want covered by the certificate in this one command.
(From DigitalOcean:) You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https. For better security, it is recommended to choose the option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.
Error: Port 80 is required
Let's Encrypt must be able to reach your server on port 80 to validate the domain, so define a port-80 virtual host (which then redirects to HTTPS) in your Apache config.
vi /etc/httpd/conf/httpd.conf
Add the following:
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
Rename your public ServerName (the one outside of this VirtualHost container) as well:
ServerName localhost → ServerName example.com
Step 2: Configure your default SSL configuration
vi /etc/httpd/conf.d/ssl.conf
Replace the following lines:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt →
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key →
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile → SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
Error: too many redirects
Make sure that only one Listen directive binds port 443 across your Apache configuration.
grep -r 443 /etc/httpd
If you are already listening to 443 in ssl.conf, comment out Listen 443 in httpd.conf.
/etc/httpd/conf/httpd.conf:# Listen 443
/etc/httpd/conf/httpd-le-ssl.conf:<VirtualHost *:443>
/etc/httpd/conf.d/ssl.conf:Listen 443 https
/etc/httpd/conf.d/ssl.conf:<VirtualHost _default_:443>
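As an added example (not part of the original post), the script below checks an Apache config tree for the two traps from Step 2 and the "too many redirects" error, a duplicate uncommented "Listen 443" and an ssl.conf still pointing at the self-signed localhost certificate, and applies the fixes described above. It builds a constructed sample config tree in a temp directory; CONF_DIR and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Set CONF_DIR=/etc/httpd to run the
# checks against a real install; by default a constructed sample tree is used.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

# Constructed sample mirroring the grep output above: two live Listen 443 lines
# and ssl.conf still using the localhost.crt/localhost.key pair.
setup_sample() {
    mkdir -p "$CONF_DIR/conf" "$CONF_DIR/conf.d"
    printf 'ServerName example.com\nListen 80\nListen 443\n' > "$CONF_DIR/conf/httpd.conf"
    printf '%s\n' 'Listen 443 https' '<VirtualHost _default_:443>' \
        'SSLCertificateFile /etc/pki/tls/certs/localhost.crt' \
        'SSLCertificateKeyFile /etc/pki/tls/private/localhost.key' \
        '</VirtualHost>' > "$CONF_DIR/conf.d/ssl.conf"
}
# Count uncommented Listen directives on port 443 ("Listen 443", "Listen 443 https",
# "Listen 1.2.3.4:443"); a leading '#' means httpd ignores the line.
count_listen_443() {
    find "$CONF_DIR" -name '*.conf' -exec cat {} + \
        | grep -cE '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' || true
}
# Count SSLCertificate*File directives in ssl.conf that do not reference the
# Let's Encrypt live directory (0 means Step 2 has been applied).
stale_cert_directives() {
    grep -E '^[[:space:]]*SSLCertificate(Chain|Key)?File' "$CONF_DIR/conf.d/ssl.conf" \
        | grep -vc '/etc/letsencrypt/live/' || true
}
# Fix for "too many redirects": comment out the duplicate Listen 443 in httpd.conf.
comment_out_httpd_listen_443() {
    f="$CONF_DIR/conf/httpd.conf"
    sed 's/^[[:space:]]*Listen[[:space:]]*443$/# &/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}
# Step 2: point the three SSLCertificate*File directives at certbot's files for $1.
point_ssl_conf_at_letsencrypt() {
    live="/etc/letsencrypt/live/$1"
    f="$CONF_DIR/conf.d/ssl.conf"
    sed -e "s|^\([[:space:]]*SSLCertificateFile\).*|\1 $live/cert.pem|" \
        -e "s|^\([[:space:]]*SSLCertificateKeyFile\).*|\1 $live/privkey.pem|" \
        -e "s|^\([[:space:]]*SSLCertificateChainFile\).*|\1 $live/chain.pem|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

setup_sample
echo "Listen 443 directives before fix: $(count_listen_443)"   # 2
comment_out_httpd_listen_443
point_ssl_conf_at_letsencrypt example.com
echo "after fix: $(count_listen_443) Listen 443, $(stale_cert_directives) stale cert lines"   # 1, 0
```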
Step 3: Check your certificate
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
Step 4: Set Up Auto Renewal
sudo crontab -e
Press i and add the following:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
(From DigitalOcean:) This will create a new cron job that will execute at noon and midnight every day. Adding an element of randomness to your cron jobs will ensure that hourly jobs do not all happen at the same minute, causing a server spike; python -c 'import random; import time; time.sleep(random.random() * 3600)' will select a random minute within the hour for your renewal tasks.
Press Esc, type :x to save and quit, then check that it has been added to your list of cron jobs:
sudo crontab -l