How to install and use Let's Encrypt certificates on CentOS 7.
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
We will be using Certbot for fetching the SSL/TLS certificates for your webserver.
Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.
On CentOS, installing Certbot requires the EPEL (Extra Packages for Enterprise Linux) repository. Run the following commands to enable EPEL and then install Certbot with its Apache plugin:
yum install -y epel-release
yum install -y certbot python2-certbot-apache
Certbot has multiple ways of authenticating the certificate transaction. Standalone runs its own HTTP process, webroot uses the web root directory, and Apache, the one we will be using, uses your installed Apache server.
Setting up a certificate for multiple domains via DNS matching is pretty straightforward: pass each domain with its own -d option.
certbot --apache -d first-domain -d my.second-domain -d some.other-domain
Edit your Apache virtual host configuration to point to the created certificate files.
Add the following to your
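...
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/your-domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your-domain/privkey.pem
# chain.pem holds only the intermediate certificates; fullchain.pem would
# repeat the server certificate already loaded from cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/your-domain/chain.pem
SSLVerifyClient None
...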
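A quick check of these directives before reloading Apache, as an added example that is not part of the original guide. Certbot updates the symlinks under /etc/letsencrypt/live/ on every renewal, while archive/ holds numbered copies that go stale, so the check flags paths outside live/ and paths that mix certificate names. The helper name check_vhost_tls and the example.test names are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: check_vhost_tls is a hypothetical helper, not part of certbot
# or Apache. It prints one FAIL line per finding and returns 1 if any exist.
check_vhost_tls() {
    awk '
    function bad(msg) { print "FAIL: " msg; rc = 1 }
    /^[ \t]*#/ { next }                       # skip comment lines
    { d = tolower($1); v = $2; gsub(/"/, "", v) }  # directive names are case-insensitive
    d == "sslengine" { engine = tolower(v) }
    d ~ /^sslcertificate(key|chain)?file$/ {
        seen[d] = 1
        if (v ~ "^/etc/letsencrypt/archive/")
            bad($1 " points into archive/, which goes stale after renewal: " v)
        else if (v !~ "^/etc/letsencrypt/live/[^/]+/[^/]+[.]pem$")
            bad($1 " is not under /etc/letsencrypt/live/<name>/: " v)
        else {
            split(v, p, "/")                  # p[5] = certificate name, p[6] = file
            if (name == "") name = p[5]
            else if (p[5] != name)
                bad($1 " belongs to " p[5] ", but earlier paths use " name)
            if (d == "sslcertificatekeyfile" && p[6] != "privkey.pem")
                bad($1 " should be privkey.pem, got " p[6])
        }
    }
    END {
        if (engine != "on") bad("SSLEngine is not On")
        if (!("sslcertificatefile" in seen)) bad("SSLCertificateFile is missing")
        if (!("sslcertificatekeyfile" in seen)) bad("SSLCertificateKeyFile is missing")
        exit rc + 0
    }' "$1"
}

# Constructed sample: the key was copied from archive/ and the chain belongs
# to a different certificate name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/archive/example.test/privkey1.pem
SSLCertificateChainFile /etc/letsencrypt/live/other.test/chain.pem
EOF
check_vhost_tls "$sample" || echo "vhost needs attention"
rm -f "$sample"
```

Point the function at your own virtual host file; no output and exit status 0 mean all paths sit under one live/ directory.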
Do a test run to see if all works as expected:
certbot renew --dry-run
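If all runs fine, you can automate the whole renewal process by creating a cron job that runs twice a day and checks whether your certificates need renewal. The line below includes a user field (root), so it belongs in /etc/crontab or a file under /etc/cron.d/ rather than a per-user crontab.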
43 6,19 * * * root certbot renew --quiet
That's it, you are now set up with Let's Encrypt certificates!