Let’s Encrypt is a fantastic project put together by the non-profit Internet Security Research Group (ISRG). It is a flexible tool for setting up SSL certificates for your web sites.
To install on Centos 7 execute:
yum -y install epel-release yum -y install httpd mod_ssl python-certbot-apache
There are many ways to generate certificates for your web sites. My preferred method is to execute the following command on my web server. The following will create a cert for a web site with the names “www.mydomain.com” and “mydomain.com” If you have additional domain/site names for the web site, add them by putting in additional “-d www.domainname.com” entries onto the end of the command below. If the web site is in the home directory, update /var/www/html to point to the correct directory
certbot certonly --agree-tos --webroot --webroot-path /var/www/html --email email@example.com -d www.mydomain.com -d mydomain.com
Follow the prompts given.
When it is done, add the following lines to your configuration file for your web server. Replace www.mydomain.com with the correct name for your web server
SSLEngine on SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem SSLCACertificateFile /etc/letsencrypt/live/www.mydomain.com/chain.pem
(I am going to assume you are familiar with how to set up apache to use SSL certs. If you are not, then you need to stop and go read up on that as the above lines are not the only things you need to set up a secure web site)
If you are note sure if your web server is set up correctly or this is not a production server add
to the “certbot certonly” command above to get a test certificate.
Important note: If you request a production certificate too many times with problems with your web server you will be locked out of making certificate requests for several hours. the –dry-run option is a good way to make sure things are working correctly before you request a production certificate.
Renewing the Certificates
The certificates are only good for 90 days so you need to set up to update the certificates. Create a file named /etc/cron.weekly/certrenew and put the following lines in it. This will renew all certs you have on this system
#!/bin/bash /bin/certbot renew
certbot revoke --cert-path /etc/letsencrypt/archive/DOMAINNAME/cert1.pem
If the cert is expired you will have to use the command
then follow the prompts