Table of Contents
Secure Apache with Let’s Encrypt SSL on CentOS 7
By using Let’s Encrypt you can get a free valid SSL certificate. Let’s Encrypt is the Certificate Authority (CA) which provides free SSL certificate. To get SSL certificate Certbot client is used which fetches and deploys SSL certificate on your server. In this tutorial, you are going to learn how to secure Apache with Let’s Encrypt SSL on CentOS.
Before we begin
Let’s Encrypt certificate can only be requested from the server the domain is pointing to. Let’s Encrypt checks if the domain is pointed to the current server and if successful, it issues the certificate.Prerequisites
1. Before you start to secure Apache with Let’s Encrypt SSL on CentOS 7 using the Certbot client. You must have the non-root user account on your server with sudo privileges.
Prerequisites
1. Before you start to secure Apache with Let’s Encrypt SSL on CentOS 7 using the Certbot client. You must have the non-root user account on your server with sudo privileges.2. Make it sure your domain is pointing to the current server.
1.1. Install Certbot Client
install Certbot client you need to add EPEL reposiory, to do so type:sudo yum install epel-release
Now install Certbot client by executing following command
sudo yum install httpd mod_ssl python-certbot-apache
Confirm the installation by typing
certbot --version
2.2. Setup Firewall
you are not running the firewall skip this step.
You need to make it sure port 80 and 443 are open in your firewall. To open ports inside firewalld using following commands.
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
If you have running iptables then you can run following basic commands to enable traffic on port 80 and port 443.
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
3.3. Setting up Let’s Encrypt SSL on Apache
set up on Apache we need to install the Certbot plugin for Apache which makes this process much easier. sudo apt install python-certbot-apache
Let’s Encrypt do a strong domain validation for ownership of the domain. After successful verification, it issues the certificate. In below command replace example with your domain name
sudo certbot --apache -d example.com -d www.example.com
If you are the first time to install certificate then Certbot will ask you to enter Email ID and agree to terms and conditions.
After the above step, Certbot will ask you to configure HTTPS settings.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice and continue to next step. We recommend you to choose Redirect option if you don’t want to change the configuration file manually.
NOTE: All generated files stored inside /etc/letsencrypt/live directory.
SeSecure SSL Settings for Apache
L configuration provided for CentOS Apache version is outdated for some security issues. So we need to change some settings to make it more secure.
Open /etc/httpd/conf.d/ssl.conf SSL configuration file by using following command.
sudo nano /etc/httpd/conf.d/ssl.conf
Find out SSLProtocol and SSLCipherSuit lines inside file and comment them out.
# SSLProtocol all -SSLv2 . . . # SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
Now paste following code after VirtualHost block in /etc/httpd/conf.d/ssl.conf file
. . . . . . # Begin copied text # from https://cipherli.st/ # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On # Disable preloading HSTS for now. You can use the commented out header line that includes # the "preload" directive if you understand the implications. #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff # Requires Apache >= 2.4 SSLCompression off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires Apache >= 2.4.11
Restart Apache service by running following command.
sudo systemctl restart httpd
4.4. Autorenewal For SSL Certificates
l of these Let’s Encrypt certificates are short-lived and expires after 90 days. So you will have to update these certificates before they expire by running the following command.sudo certbot renew
You can automate this process by adding a cronjob. Enter the following command to open crontab
sudo crontab -e
Add following lines to end of the file. It will run the command twice a day and renews if the certificate is about to expire.
0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log