ColoCrossing
Hosting Websites on Bare Minimum VPS/Dedicated Servers

CentOS 7 LAMP Server Tutorial Part 3: Let’s Encrypt SSL

Tags: , , , , , , , , , , , Date/Time: June 13, 2019 @ 6:10 am, by Ryan Flowers

Welcome to the third installment of the CentOS 7 LAMP Server Tutorial: Modernized and Explained series. This tutorial builds on the work done in Part 1 and Part 2, so if you haven’t checked them out, now’s a good time.

In this installment we’re going to secure our new Virtual Host (lowend-tutorial.tld) with a Let’s Encrypt SSL certificate. We’ll be installing WordPress in Part 4. It’ll be good to get a SSL certificate installed prior to installing WordPress.

Let’s Encrypt, Shall We?

We’re going to look at how the Let’s Encrypt SSL certificate gets installed and how we can make use of the certificate. Let’s get started!

If you’re not familiar with Let’s Encrypt, take a moment to browse on over to their website at https://letsencrypt.org/. They are a Certificate Authority who offers free SSL certificates to anyone who can prove that they own the domain they are attempting to get a SSL certificate for.

The way they do this is via the ACME protocol. You can read more about it on their site, but it works like so: A program on the server (we’ll talk about Certbot in a moment) puts a code inside a file at http://lowend-tutorial.tld/somefilename. Then it tells Let’s Encrypt’s servers where that file is, and they go looking for it. If the URL exists and loads the coded message, then they know that the request came from the real lowend-tutorial.tld server, and they issue a certificate.

That means that http://lowend-tutorial.tld needs to be a working website before Let’s Encrypt will issue a certificate. In the last installment we had a working site even though it had no content. That will work fine for this purpose. As mentioned, the program that controls all of this is called Certbot. It’s an amazing bit of software that makes this entire process look incredibly simple. Let’s install Certbot!

Installing Certbot on CentOS 7

For CentOS 7 we need to install both Certbot and the python module that Certbot uses for integrating with Apache. Use the following command:

yum -y install certbot python2-certbot-apache

Before we can run Certbot and get a Let’s Encrypt SSL certificate, we need to do a little bit more configuration. HTTPS (SSL) connections happen on port 443 (vs port 80 for unsecured HTTP connections) and so we need to allow port 443 through the firewall. Firewalld knows about the association between port 443 and https, so we can just enable “https” in Firewalld. Paste in the following commands:

firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload

Certbot is smart and knows that we’re running the Apache web server, and what’s more it’s smart enough to know how we’re running Apache. It actually reads the configuration files and reacts accordingly. You’ll recall that we created a new Apache VirtualHost in /etc/httpd/sites-enabled/lowend-tutorial.tld.conf. This configuration file is responsible for mapping http://lowend-tutorial.tld to /home/lowend/public_html and making PHP work.

The first line of /etc/httpd/sites-enabled/lowend-tutorial.tld.conf looks like this:

<VirtualHost *:80>

This VirtualHost is specific to port 80. But SSL happens on port 443, so there will need to be a new VirtualHost for port 443. What do we need to do to configure it all? Let Certbot work its magic! At the command line, run certbot with the following command:

certbot

You’re going to need to answer some questions. If you want your website to automatically redirect to https:// you can configure that here or you can manually do it later in the websites own configuration. Here’s how it looked on our VPS:

What just Happened?

If you look in /etc/httpd/sites-enabled, you’ll see a new file, lowend-tutorial.tld-le-ssl.conf. An examination will show that the VirtualHost directive defines a VirtualHost on port 443 and that the entire VirtualHost file is wrapped in <IfModule mod_ssl.c> tags. At the bottom are some new lines pertaining to the SSL certificates. Here are the additions and changes:

<IfModule mod_ssl.c>
<VirtualHost *:443>
... 
... skipping original VirtualHost content for brevity
...
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/lowend-tutorial.cf/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lowend-tutorial.cf/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/lowend-tutorial.cf/chain.pem
</IfModule mod_ssl.c>

You can see how the configuration is SSL specific. The SSL configuration is loaded and the paths to the SSL certificate files are now included. Certbot did all of this for us, and it even restarted Apache to enact the changes. Thanks, Certbot!

Let’s see if it all worked. Load your site in a browser, then change the URL to https://. It should still load. If it doesn’t, then check carefully for ACME errors, and make sure the site loaded with http:// originally. Also be sure that DNS is pointing at the server correctly. These things account for most errors.

Nothing Lasts Forever

Like most good things, Let’s Encrypt SSL certificates don’t last forever. They last 90 days and need to be renewed. If we tell Certbot to run regularly, it’ll automagically renew any SSL certificate that is less than 29 days away from expiration. For that, let’s use a cron job.

Cron jobs are automated tasks that run on a schedule that we define. These schedules happen in a tabulated file called a “crontab”. Linux has a built in feature for modifying crontabs, but it relies on using your own text editor. We prefer nano for its ease of use vs vim (feel free to disagree, we don’t mind!) and so we’re going to set that as our editor before we start editing things:

echo "export VISUAL=nano"

Since we want this to be the case every time we log in, lets go ahead and add it to /root/.bash_profile. the .bash_profile file is a script that gets ran every time its user logs in:

echo "export VISUAL=nano" >> ~/.bash_profile

Now let’s edit the crontab and add a job that will run every 12 hours:

crontab -e

With nano open, paste in the following

1 */12 * * * certbot renew

That entry tells cron to run the “certbot renew” command on the first minute of every 12th hour of every day. If there are any certificates that need renewing, it’ll renew them for us as long as ACME is able to verify the domain again.

Next up: WordPress

And with that, we’re done. You’ve just installed Certbot, which installed a Let’s Encrypt SSL certificate on your CentOS 7 LAMP server. For more information, go check out all of the official documentation for Let’s Encrypt and Certbot. They are a treasure trove of information, especially if you need to troubleshoot things:

https://letsencrypt.org/
https://certbot.eff.org/docs/

In the next installment we’re going to install WordPress on our new LAMP server and learn how to administer it without even leaving the command line. Click Here to go to Part 4.

1 Comment

  1. I love the Tutorial on Letsencrypt SSL, but for us that are not the geeky guys I get everything done using my centos web panel,
    it also has options for installing let’s encrypt SSL on each domain,
    but I still think that knowing the barebone configuration will help me especially if I want to dig deep into any future server issues

    June 14, 2019 @ 4:08 am | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Quoting webhostingtalk.com URL seems to get binned consistently here, but I do peek into the spam box frequently to publish those comments.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *