How to Configure letsencrypt with Apache on Centos 7 Server
With all the talk about free SSL certificates and how Google is trying to move towards a more secure internet, I thought it was time to set up an SSL certificate with Let's Encrypt on CentOS 7.
Install letsencrypt
Get everything using Git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
Now I must note this was done on a Fresh VPS with nothing else installed.
I did have to stop firewalld to get everything to function correctly.
systemctl stop firewalld
Generating the SSL Certificate
Since I do not have Apache or anything else installed yet, I requested the certificates only, in standalone mode.
./letsencrypt-auto certonly --standalone --email [email protected] -d briansnelson.com -d www.briansnelson.com
You will get a notice that everything has been completed and where you can find your SSL certificates.
To view your ssl certificates
cd /etc/letsencrypt/live/briansnelson.com/
ls
Output:
cert.pem chain.pem fullchain.pem privkey.pem
Clean up
Also, do not forget to start the firewall back up:
systemctl start firewalld
Install Apache and Configure It to Use LetsEncrypt Certificates
Installing Apache with mod_ssl:
yum install httpd mod_ssl
Allow Port 80 and 443 via Firewalld
Allow the default HTTP and HTTPS port, ports 80 and 443, through firewalld:
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
And reload the firewall:
firewall-cmd --reload
Configure Apache to Start on Boot
First start Apache
systemctl start httpd
Be sure Apache is set to start at Boot
systemctl enable httpd
Configure Apache to Use LetsEncrypt SSL Certificates
Edit the ssl.conf file
vim /etc/httpd/conf.d/ssl.conf
Find the following lines and set them with the correct values:
SSLCertificateFile /etc/letsencrypt/live/briansnelson.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/briansnelson.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/briansnelson.com/chain.pem
I would also suggest making the following changes for better compliance:
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
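The values set above can be checked before Apache is restarted. The following sh function is an added example, not part of the original post: it reads an ssl.conf and reports a certificate and key taken from different /etc/letsencrypt/live/ directories, unexpected file names, and an SSLProtocol line in the "all -..." form used here that leaves SSLv3 or TLSv1 enabled. The function name audit_ssl_conf and the sample config are constructed for illustration, and it assumes a single set of SSL directives, as in the stock ssl.conf.

```sh
#!/bin/sh
# Added example, not from the original post: audit ssl.conf before restarting httpd.
# audit_ssl_conf (hypothetical name) prints one finding per line; returns 1 if any.
audit_ssl_conf() {
    out=$(awk '
    $1 ~ "^#" || NF == 0 { next }                 # skip comments and blank lines
    $1 ~ "^SSLCertificate(File|KeyFile|ChainFile)$" {
        n = split($2, part, "/")
        file[$1] = part[n]                        # file name, e.g. privkey.pem
        dir[$1] = substr($2, 1, length($2) - length(part[n]))
        if ($2 !~ "^/etc/letsencrypt/live/[^/]+/[^/]+$")
            print $1 ": not a file under /etc/letsencrypt/live/<name>/: " $2
    }
    $1 == "SSLProtocol" { proto = 1; for (i = 2; i <= NF; i++) tok[$i] = 1 }
    END {
        want["SSLCertificateFile"] = "cert.pem"
        want["SSLCertificateKeyFile"] = "privkey.pem"
        for (d in want) {
            if (!(d in file)) print d ": directive missing"
            else if (file[d] != want[d]) print d ": expected " want[d] ", found " file[d]
        }
        if ((("SSLCertificateFile" in dir) && ("SSLCertificateKeyFile" in dir)) &&
            dir["SSLCertificateFile"] != dir["SSLCertificateKeyFile"])
            print "certificate and key come from different live/ directories"
        if (!proto) print "SSLProtocol: directive missing"
        else if (("all" in tok) || ("+all" in tok)) {  # only the form used on this page
            if (!("-SSLv3" in tok)) print "SSLProtocol: SSLv3 not disabled"
            if (!("-TLSv1" in tok)) print "SSLProtocol: TLSv1 not disabled"
        }
    }' "$1")
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: key path from another live/ directory, TLSv1 left enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLCertificateFile /etc/letsencrypt/live/briansnelson.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.briansnelson.com/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
EOF
audit_ssl_conf "$sample" || echo "resolve the findings above before restarting httpd"
rm -f "$sample"
```

On the server, point it at /etc/httpd/conf.d/ssl.conf after editing; no output and exit status 0 mean the three checks passed.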