How To Secure Apache with Let's Encrypt on CentOS 9
Hostman Team
Technical writer
Apache
29.08.2024
Reading time: 5 min

Securing your Apache web server with SSL is essential for protecting data and ensuring user trust. Let's Encrypt provides a free and automated way to obtain and install SSL certificates. This guide will walk you through the steps to secure Apache with Let's Encrypt on CentOS 9.

In this tutorial, you will learn how to install and secure Apache with Let's Encrypt SSL certificates on a CentOS 9 server. This includes installing Apache, obtaining an SSL certificate from Let's Encrypt, configuring Apache to use the SSL certificate, and automating certificate renewal.

Prerequisites

Before you begin, ensure you have the following:

  • A CentOS 9 cloud server with a sudo non-root user.

  • A registered domain name pointing to your server's IP address.

Installing Apache on CentOS 9

First, update your package index and install Apache:

sudo dnf update
sudo dnf install httpd

Configuring Apache Virtual Host

To serve your website, you need to configure a virtual host for your domain.

1. Create a Directory for Your Website

Create a directory where your website files will be stored. For example, if your domain is example.com:   

sudo mkdir -p /var/www/example.com/html
sudo chown -R $USER:$USER /var/www/example.com/html
sudo chmod -R 755 /var/www/example.com

2. Create a Test Page

Create a simple test page to ensure your virtual host is working:

echo '<html><head><title>Welcome to Example.com!</title></head><body><h1>Success! The Example.com server block is working!</h1></body></html>' > /var/www/example.com/html/index.html

3. Create the Virtual Host Configuration File

Create a configuration file for your virtual host:  

sudo vi /etc/httpd/conf.d/example.com.conf

Add the following configuration:    

<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com

DocumentRoot /var/www/example.com/html

<Directory /var/www/example.com/html>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

ErrorLog /var/log/httpd/example.com_error.log
CustomLog /var/log/httpd/example.com_access.log combined
</VirtualHost>

Replace example.com with your actual domain name.

4. Test the Configuration 

Run the following command to check for syntax errors:

sudo apachectl configtest

If the output is `Syntax OK`, you can proceed.

5. Restart Apache

Restart Apache to apply the new configuration:

sudo systemctl restart httpd

Now check the status of the httpd service:

sudo systemctl status httpd

Now, you can access your website by typing your domain name in the web browser (e.g., http://example.com). If you see the test page, your Apache server is configured correctly.

Enable Apache to start on boot:

sudo systemctl enable httpd

Installing Certbot

Certbot is a tool that simplifies obtaining a certificate from Let's Encrypt and installing it on your web server. To get started with Certbot, first enable the EPEL repository:

sudo dnf install epel-release

Install Certbot and the Apache plugin:

sudo dnf install certbot python3-certbot-apache

Obtaining an SSL Certificate

Once Certbot is set up, you can proceed to request an SSL certificate for your domain. Execute the following command and follow the interactive prompts:

sudo certbot --apache -d your_domain -d www.your_domain

Throughout the process, you'll be asked to enter an email address for notifications and to accept the terms of service. Additionally, you'll have the option to redirect HTTP traffic to HTTPS, which is recommended for enhanced security.

Verifying HTTPS Configuration

Once the certificate is issued, Certbot will automatically adjust your Apache configuration. To apply these changes, restart Apache with the following command:

sudo systemctl restart httpd

Next, open your web browser and visit your domain with https://. You should see a lock icon, signifying that your site is now secure.

Automating Certificate Renewal

Let's Encrypt certificates are valid for 90 days. To automate the renewal process, create a cron job:

sudo crontab -e

Add the following line to renew the certificate automatically:

0 0 * * * /usr/bin/certbot renew --quiet

This cron job will run daily at midnight, and Certbot will renew the certificate if it is within 30 days of expiration.
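Because the cron job runs with --quiet, a renewal that keeps failing produces no visible output. The following added example (not part of the original guide) reports when the certificate actually served is already inside the 30-day renewal window. The function names are hypothetical, and the script assumes GNU date and the openssl command-line tool are installed:

```shell
#!/bin/sh
# Added example: detect a renewal cron job that is failing silently.
# Assumes GNU date (-d) and the openssl CLI. Function names are hypothetical.

RENEW_WINDOW_DAYS=30   # certbot renews inside this window (per the text above)

# served_enddate HOST: "notAfter=..." line of the certificate served on port 443.
served_enddate() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}

# seconds_left "notAfter=<date>" [NOW_EPOCH]: seconds until expiry (negative if past).
seconds_left() (
    not_after=${1#notAfter=}
    [ -n "$not_after" ] || exit 2          # no certificate could be read
    end=$(date -u -d "$not_after" +%s) || exit 2
    now=${2:-$(date +%s)}
    echo $(( end - now ))
)

# renewal_state "notAfter=<date>" [NOW_EPOCH]: prints ok, overdue or expired.
renewal_state() (
    secs=$(seconds_left "$@") || exit 2
    if [ "$secs" -le 0 ]; then
        echo expired
    elif [ "$secs" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        # certbot should have replaced this certificate already
        echo "overdue ($(( secs / 86400 )) days left)"
    else
        echo ok
    fi
)

# Usage: ./check_renewal.sh example.com   (exit status is non-zero unless "ok")
if [ "$#" -gt 0 ]; then
    state=$(renewal_state "$(served_enddate "$1")") || state="unknown (could not read certificate)"
    echo "$1: $state"
    [ "$state" = ok ]
fi
```

Run it from a monitoring host or a second cron entry; any result other than ok means the renewal job needs attention.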

Configuring Apache to Use Let's Encrypt SSL

Certbot automatically configures Apache to use the obtained SSL certificate. However, you can manually adjust the configuration if needed. Open the Apache SSL configuration file:

sudo vi /etc/httpd/conf.d/ssl.conf

Ensure the following lines are present and correctly configured. fullchain.pem already contains the intermediate certificates, so the SSLCertificateChainFile directive (deprecated since Apache 2.4.8) is not needed:

SSLCertificateFile /etc/letsencrypt/live/your_domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your_domain/privkey.pem

Restart Apache to apply the changes:

sudo systemctl restart httpd
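When editing these directives by hand, a certificate and key taken from different directories under /etc/letsencrypt/live/ will stop Apache from starting. The following added example (not part of the original guide) checks a configuration file for that mistake before you restart. The function names and the sample configuration are constructed for illustration, and the check assumes one HTTPS virtual host per file:

```shell
#!/bin/sh
# Added example: sanity-check SSLCertificateFile / SSLCertificateKeyFile before a restart.
# Function names are hypothetical; assumes one HTTPS virtual host per file.

# Constructed sample: the key path points at a different directory than the certificate.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile "/etc/letsencrypt/live/www.example.com/privkey.pem"
</VirtualHost>
EOF
}

# audit_ssl_conf FILE: print one finding per line, return 0 only when clean.
audit_ssl_conf() (
    conf=$1
    # Last active value of a directive; names are case-insensitive, "#" lines are skipped.
    get() {
        awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); v = $2 }
                       END { print v }' "$conf"
    }
    cert=$(get SSLCertificateFile)
    key=$(get SSLCertificateKeyFile)
    rc=0
    [ -n "$cert" ] || { echo "SSLCertificateFile is not set"; rc=1; }
    [ -n "$key" ]  || { echo "SSLCertificateKeyFile is not set"; rc=1; }
    case $cert in
        ''|*/fullchain.pem) ;;
        *) echo "SSLCertificateFile is not fullchain.pem: $cert"; rc=1 ;;
    esac
    case $key in
        ''|*/privkey.pem) ;;
        *) echo "SSLCertificateKeyFile is not privkey.pem: $key"; rc=1 ;;
    esac
    # A certificate and key from different live/ directories will not match.
    if [ -n "$cert" ] && [ -n "$key" ] && [ "${cert%/*}" != "${key%/*}" ]; then
        echo "certificate and key are in different directories"; rc=1
    fi
    return "$rc"
)

# Usage: ./audit_ssl_conf.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -gt 0 ]; then audit_ssl_conf "$1"; fi
```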

Testing SSL Configuration

Test your SSL configuration using an online tool like SSL Labs' SSL Test. Enter your domain to ensure everything is set up correctly.

Troubleshooting Common Issues

Issue: Certbot Command Not Found

If you encounter a "command not found" error when running Certbot, ensure it is installed correctly and try reinstalling:

sudo dnf install certbot python3-certbot-apache

Issue: Apache Not Restarting

If Apache fails to restart after configuring SSL, check the configuration files for syntax errors:

sudo apachectl configtest

Fix any errors and try restarting Apache again:

sudo systemctl restart httpd

Conclusion

Securing Apache with Let's Encrypt SSL on CentOS 9 enhances the security of your web server and ensures the integrity of data transmitted between your server and clients. By following this guide, you have successfully installed Apache, obtained and configured an SSL certificate, and automated the renewal process.
