
An SSL/TLS certificate lets a web server prove its identity to browsers and enables encryption of the traffic between server and client. Let’s Encrypt is a free, automated and open Certificate Authority (CA) that issues TLS certificates for enabling HTTPS on web servers. In this tutorial we cover how to secure Apache with Let’s Encrypt on CentOS 7 by installing a free Let’s Encrypt SSL certificate.
Install Let’s Encrypt on CentOS 7
Let’s Encrypt SSL certificates are valid for 90 days from the date of issue, so renewal has to be automated (covered at the end of this tutorial). Let’s Encrypt certificates are trusted by all major browsers.
Prerequisites
- A CentOS 7 system with a non-root user with sudo privileges.
- Apache installed and configured, as shown in this tutorial.
- An Apache virtual host for your domain, as shown in this tutorial.
- Your domain name pointing to your server’s public IP address. Let’s Encrypt validates the domain by connecting to your server, so the DNS record must resolve to this machine and port 80 must be reachable from the internet.
Install Certbot Client
First, install the Certbot client package on your server. Certbot is the tool that obtains certificates from Let’s Encrypt and can enable HTTPS in your Apache configuration automatically.
The certbot package is provided by the EPEL repository, so enable EPEL first:
sudo yum install epel-release
Now install the certbot client together with Apache and mod_ssl (both are needed by the Apache plugin):
sudo yum install httpd mod_ssl python-certbot-apache
Check the installation by typing:
certbot --version
If the installation succeeded, this prints the certbot version.
Setup Firewall
If you are not running a firewall, you can skip ahead.
Ports 80 and 443 must be open in your firewall: Let’s Encrypt validates the domain over port 80, and HTTPS is served on port 443. With firewalld, open them with the following commands:
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
If your server uses iptables instead, allow traffic on ports 80 and 443 with the commands below. Note that rules inserted with iptables -I live only in the running kernel; save them (on CentOS 7 via the iptables-services package) or they are lost at reboot.
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Setting up Let’s Encrypt SSL on Apache
Everything is now ready to request a certificate from Let’s Encrypt. With certbot this is a straightforward process: Let’s Encrypt validates that you control the domain by connecting to your web server and, if that succeeds, issues a certificate for the requested names. Certbot has several plugins for obtaining and installing certificates; here we use the Apache plugin, which also edits the Apache configuration for you. Run the command below to request a certificate:
sudo certbot --apache -d example.com -d www.example.com
The command above requests one certificate covering both example.com and www.example.com. If this is the first time you run certbot, it prompts for an email address, which Let’s Encrypt uses for renewal and expiration notices, and asks you to agree to the terms of service.
Certbot then talks to the Let’s Encrypt server and completes a challenge that proves you control the domain for which you are requesting a certificate.
If validation succeeds, certbot asks how you would like to configure your HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice and continue. We recommend the Redirect option unless you want to edit the configuration yourself; it makes every plain-HTTP request redirect to HTTPS. Certbot then prints a success message.
Your domain is now secured with a Let’s Encrypt SSL certificate. Verify it by visiting your site over HTTPS.
More Secure SSL Settings for Apache
The default SSL configuration that ships with Apache on CentOS 7 is outdated: it still allows SSLv3 and weak cipher suites. A few settings need to be changed to make it more secure.
To configure more secure SSL-related options, open the ssl.conf file:
sudo vi /etc/httpd/conf.d/ssl.conf
First, find the SSLProtocol and SSLCipherSuite lines in the file and comment them out (or delete them):
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
Now append the following lines after the VirtualHost block in /etc/httpd/conf.d/ssl.conf. They must sit outside any VirtualHost: SSLStaplingCache is only valid in the global server context, and placing the rest there applies them server-wide.
. . .
. . .
# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
Save and close the file. Two caveats before restarting: the SSLProtocol line above still permits TLS 1.0 and 1.1, so once you no longer need legacy clients, append -TLSv1 -TLSv1.1 to it. And the Strict-Transport-Security header with includeSubdomains tells browsers to refuse plain HTTP for this host and every subdomain for two years, so only enable it when all your subdomains serve valid HTTPS (the Header directives need mod_headers, which CentOS 7 loads by default). Restart Apache for the changes to take effect:
sudo systemctl restart httpd
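To see concretely what the stock settings get wrong, here is an added example (not code from the original tutorial) that audits an ssl.conf and flags the weak defaults this section replaces: SSLv3 and TLS 1.0/1.1 still negotiable, MEDIUM ciphers, no server-side cipher ordering, no OCSP stapling, no HSTS. It assumes mod_ssl 2.4 on OpenSSL 1.0.2 (CentOS 7), where "all" expands to SSLv3 plus TLS 1.0 through 1.2. The two sample configurations at the bottom are constructed for the demonstration; the hardened one is this section's block with -TLSv1 -TLSv1.1 added, because the block as printed still allows those versions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a small audit of an Apache
# ssl.conf that flags the weak stock settings this section replaces. It reads
# only uncommented directives, so "# SSLProtocol all -SSLv2" is ignored just as
# Apache ignores it. Assumes mod_ssl 2.4 on OpenSSL 1.0.2 (CentOS 7), where
# "all" means SSLv3 plus TLS 1.0 through 1.2. The sample configs at the bottom
# are constructed for the demonstration.

# active_directive CONFIG_TEXT NAME: value of the last uncommented NAME line.
active_directive() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '$1 == name { $1 = ""; sub(/^ +/, ""); val = $0 } END { print val }'
}

# remove_word "a b c" b -> "a c"
remove_word() {
    out=""
    for w in $1; do [ "$w" = "$2" ] || out="$out $w"; done
    echo $out
}

# allowed_protocols "All -SSLv2 -SSLv3" -> "TLSv1 TLSv1.1 TLSv1.2"
# Expands an SSLProtocol value into the versions it actually permits.
allowed_protocols() {
    allowed=""
    for tok in $1; do
        case $tok in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll]) allowed="SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            -*) allowed=$(remove_word "$allowed" "${tok#-}") ;;
            +*) allowed="$allowed ${tok#+}" ;;
            *)  allowed="$allowed $tok" ;;
        esac
    done
    echo $allowed
}

finding() { echo "  - $1"; findings=$((findings + 1)); }

# audit_ssl_conf CONFIG_TEXT: prints one line per problem; the exit status is
# the number of findings, so 0 means every check passed.
audit_ssl_conf() {
    findings=0
    proto=$(active_directive "$1" SSLProtocol)
    legacy=""
    for p in $(allowed_protocols "$proto"); do
        case $p in SSLv2|SSLv3|TLSv1|TLSv1.1) legacy="$legacy $p" ;; esac
    done
    if [ -z "$proto" ]; then
        finding "SSLProtocol is not set explicitly"
    elif [ -n "$legacy" ]; then
        finding "SSLProtocol '$proto' still permits:$legacy"
    fi
    ciphers=$(active_directive "$1" SSLCipherSuite)
    case ":$ciphers:" in
        *:MEDIUM:*|*:LOW:*|*:RC4:*|*:3DES:*|*:DES:*)
            finding "SSLCipherSuite '$ciphers' includes weak cipher groups" ;;
    esac
    case $(active_directive "$1" SSLHonorCipherOrder) in
        [Oo][Nn]) ;;
        *) finding "SSLHonorCipherOrder is not On (client picks the cipher)" ;;
    esac
    case $(active_directive "$1" SSLUseStapling) in
        [Oo][Nn]) ;;
        *) finding "OCSP stapling (SSLUseStapling on) is not enabled" ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' \
        || finding "no Strict-Transport-Security header is set"
    return $findings
}

# Constructed sample: the CentOS 7 defaults quoted in the section above.
STOCK_CONF='<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
#SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>'

# Constructed sample: the hardened block from this section, with TLS 1.0 and
# 1.1 disabled as well (the block as printed above still allows them).
HARDENED_CONF='SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"'

# Usage on a real server: audit_ssl_conf "$(cat /etc/httpd/conf.d/ssl.conf)"
echo "stock ssl.conf:";    audit_ssl_conf "$STOCK_CONF"    || echo "  $? finding(s)"
echo "hardened ssl.conf:"; audit_ssl_conf "$HARDENED_CONF" && echo "  ok"
```

Run against the stock sample the audit reports five findings; against the hardened sample it reports none. Because it only looks at the active directives, it also confirms that commenting out the old SSLProtocol and SSLCipherSuite lines, rather than leaving a second copy active further down the file, is what actually changes Apache’s behaviour.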
Auto-renewing the Let’s Encrypt SSL certificate
Let’s Encrypt SSL certificates are valid for 90 days, so they must be renewed before they expire. To automate this we create a cron job that runs twice a day; certbot renew only renews certificates that are within 30 days of expiry, so running it this often is harmless.
Edit root’s crontab to create a new job:
sudo crontab -e
Add the following line at the end of the file so that the job runs twice a day (at 00:00 and 12:00):
0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
Save and close the file. Because the certificate was installed with the Apache plugin, certbot reloads Apache after a successful renewal so the new certificate is served. Let’s Encrypt asks that renewals not all fire exactly on the hour; newer certbot releases add a short random delay themselves when renew is run from cron.
You can test the renewal process with the --dry-run switch, which goes through the whole renewal against Let’s Encrypt’s staging environment without replacing your certificate:
sudo certbot renew --dry-run
If no error is reported, the renewal process works.
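As an added example (not from the original tutorial), the following script does what the cron line above does, with two practical additions: the renewal reloads Apache through certbot’s --deploy-hook only when a certificate was actually replaced, and a helper reports how many days a certificate has left using the same 30-day threshold certbot applies. It assumes GNU date (present on CentOS 7), openssl, certbot 0.17 or newer for --deploy-hook, and certbot’s default live directory under /etc/letsencrypt/live/; the file name le-renew.sh and the log path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a renewal wrapper for the
# cron job plus a helper that reports how many days a certificate has left,
# mirroring certbot's own rule of renewing when fewer than 30 days remain.
# Assumes GNU date (present on CentOS 7), openssl, certbot 0.17 or newer for
# --deploy-hook, and the default live directory /etc/letsencrypt/live/<domain>/.

RENEW_WINDOW_DAYS=30

# days_left_from_enddate 'notAfter=Jun 30 12:00:00 2025 GMT' [NOW_EPOCH]
# Converts the line printed by "openssl x509 -enddate -noout" into whole days
# remaining. NOW_EPOCH pins "now" so a result can be reproduced; it defaults
# to the current time. A negative result means the certificate has expired.
days_left_from_enddate() {
    enddate=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    end=$(date -u -d "$enddate" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# needs_renewal DAYS: succeeds when DAYS is inside the renewal window.
needs_renewal() {
    [ "$1" -lt "$RENEW_WINDOW_DAYS" ]
}

# cert_days_left /etc/letsencrypt/live/example.com/cert.pem
cert_days_left() {
    days_left_from_enddate "$(openssl x509 -enddate -noout -in "$1")"
}

# renew_and_reload: the command the cron entry should run. certbot renew only
# contacts Let's Encrypt for certificates inside the window; the deploy hook
# runs only when a certificate was actually replaced, so Apache is reloaded
# exactly when it needs to pick up a new certificate.
renew_and_reload() {
    /usr/bin/certbot renew --quiet \
        --deploy-hook "systemctl reload httpd" >> /var/log/le-renew.log 2>&1
}

# Run the renewal only when this file is executed as the cron script,
# e.g. installed as /usr/local/sbin/le-renew.sh with the crontab line
#   0 */12 * * * /usr/local/sbin/le-renew.sh
case $0 in
    */le-renew.sh|le-renew.sh) renew_and_reload ;;
esac
```

Calling cert_days_left on the live cert.pem by hand is a quick health check for the automation: a value below 30 means the next cron run should renew, and if the number keeps falling below 30 from one day to the next, renewals are failing and /var/log/le-renew.log holds the reason.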
Conclusion
In this guide, you learned how to secure Apache with a Let’s Encrypt SSL certificate on CentOS 7 using the Certbot client, hardened the default SSL settings, and set up a cron job for automatic certificate renewal. If you want to learn more about how to use Certbot, its documentation is a good starting point.