Objective
When it comes to security these days, an SSL certificate is a necessity, but certificates have always been costly. With Let's Encrypt that has changed: Let's Encrypt is a certificate authority that issues free, publicly trusted TLS certificates (what most people still call SSL certificates) for your domain names, and it does so automatically through a client tool rather than through a sales process.
In this article, I will walk you through setting up Let's Encrypt with Apache on CentOS 7.
Before getting started, ensure you have the following ready:
- SSH access to your server as a non-root user with sudo privileges.
- A DNS A record for every domain name you want on the certificate, pointing at your server's public IP address. Let's Encrypt proves that you control each name by connecting to it over the public internet before it issues anything, so the server must also be reachable on ports 80 and 443; on CentOS 7 that means allowing the http and https services through firewalld if it is running.
Getting Started
Log in to the server using your sudo account. For this setup, we will need the following packages:
- httpd – the Apache web server.
- mod_ssl – the Apache module that adds TLS support; without it Apache cannot serve HTTPS at all.
- python-certbot-apache – Certbot together with its Apache plugin, which obtains the certificate and edits your virtual host configuration to use it. On CentOS 7 this package comes from the EPEL repository, so enable EPEL (the epel-release package) before running the install below.
To install these packages, execute the following command
sudo yum install httpd mod_ssl python-certbot-apache
You can now start Apache by executing the following command
sudo systemctl start httpd
You can stop Apache with
sudo systemctl stop httpd
Requesting the Certificates
For this tutorial, we are going to use the domain name example.org as an example. Replace it with your own domain name throughout.
Generating certificates from Let's Encrypt is easy and can be done within minutes. If you want a single certificate that covers your domain as well as a subdomain, you can start with this command:
sudo certbot --apache -d example.org -d abc.example.org
Here example.org is the base domain and abc.example.org a subdomain, but the certificate itself lists every name you pass with -d in its Subject Alternative Name field, and each of them must pass validation or the whole request fails. What the order does change is the certificate's name: Certbot names the certificate after the first -d value, so it is stored under /etc/letsencrypt/live/example.org/ and referred to by that name when you later renew, revoke or delete it. Always put your base domain first.
If you don't need subdomains and just want a certificate for one domain, run:
sudo certbot --apache -d example.org
When you execute this command, Certbot walks you through the setup interactively. Here is what you will be asked:
- Email – Let's Encrypt uses this address to send expiry warnings and important notices, and for account key recovery.
- Virtual host file – if none of your virtual hosts has a ServerName or ServerAlias matching the domains, Certbot asks you to choose the host file it should configure.
- Redirect – Certbot asks whether to keep serving plain HTTP alongside HTTPS or to redirect all HTTP requests to HTTPS. Choose the redirect: otherwise every http:// link and bookmark keeps sending traffic in the clear, and the certificate only protects visitors who happen to type https://.
When the installation finishes, you will see a success message like this:
Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.org/fullchain.pem. Your cert will expire on 2017-10-03. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
With that, we have generated our own certificate. Keep in mind that Let's Encrypt certificates are valid for only 90 days, so "simply run Let's Encrypt again" should not mean a calendar reminder: Certbot's renew subcommand renews any certificate that is within 30 days of expiry and does nothing otherwise, so schedule it to run regularly (a cron job twice a day is the usual choice) and reload Apache afterwards so it picks up the new files.
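The same request without the prompts, plus the renewal job the walkthrough leaves out, as an added example that is not code from the original article. It assumes Certbot from EPEL is installed, that admin@example.org and the domains are placeholders, and that cron (cronie) is the scheduler, since the CentOS 7 EPEL package installs no systemd timer of its own.

```sh
#!/bin/sh
# Added example, not from the original article: scripted certificate
# request for a base domain plus subdomains, then automated renewal.
# Assumptions: certbot from EPEL is on PATH, the e-mail and domains passed
# on the command line are placeholders, and /etc/cron.d is used for the job.

# Certbot names the certificate lineage after the first -d domain, which is
# why the base domain has to come first.
lineage_path() {
    printf '/etc/letsencrypt/live/%s/fullchain.pem\n' "$1"
}

# Turn "example.org abc.example.org" into "-d example.org -d abc.example.org",
# keeping the order given and dropping repeats.
domain_args() {
    da_seen=" "
    da_out=""
    for da_d in "$@"; do
        case "$da_seen" in *" $da_d "*) continue ;; esac
        da_seen="$da_seen$da_d "
        da_out="$da_out -d $da_d"
    done
    printf '%s\n' "${da_out# }"
}

# Request and install the certificate. --non-interactive makes certbot fail
# instead of prompting, --agree-tos and --email answer the first prompt, and
# --redirect answers the "force HTTPS" prompt the way the article recommends.
request_cert() {
    rc_email="$1"
    shift
    # domain_args is deliberately unquoted so its output splits into words.
    sudo certbot --apache --non-interactive --agree-tos \
        --email "$rc_email" --redirect $(domain_args "$@")
}

# Let's Encrypt certificates expire after 90 days. "certbot renew" only
# replaces those within 30 days of expiry, so a twice-daily job is cheap and
# tolerates a few failed attempts. The dry run proves renewal works today,
# not in 60 days when the first real one is due.
install_renewal() {
    sudo certbot renew --dry-run || return 1
    printf '%s\n' \
        '0 3,15 * * * root /usr/bin/certbot renew --quiet --post-hook "systemctl reload httpd"' \
        | sudo tee /etc/cron.d/certbot-renew >/dev/null
}

# Usage: sh le-request.sh admin@example.org example.org abc.example.org
if [ "$#" -ge 2 ] && command -v certbot >/dev/null 2>&1; then
    request_cert "$@" && install_renewal
    echo "Certificate chain: $(lineage_path "$2")"
fi
```

The --post-hook reloads Apache only after a successful renewal, so the web server keeps serving the old certificate until a new one is actually on disk.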
Securing Apache
The TLS settings that ship with CentOS 7's mod_ssl are dated: they still allow SSLv3 and TLS 1.0 and let the client choose the cipher, which leaves the server open to downgrade and weak-cipher attacks that were public long ago. Let's fix them.
Note that Certbot's Apache plugin creates a separate HTTPS virtual host for your domain that includes /etc/letsencrypt/options-ssl-apache.conf, and SSLProtocol and SSLCipherSuite set inside a virtual host override the ones in ssl.conf, so whatever you change below must be mirrored in that virtual host file (or in the included options file) for it to apply to your site. We will open the ssl.conf file (or the virtual host file you selected when generating the certificate) in the nano editor:
sudo nano /etc/httpd/conf.d/ssl.conf
Find the SSLProtocol and SSLCipherSuite directives and remove them. With the file open in nano, press Ctrl+W to search for each name, then delete the line. On a stock install they read:
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
The first still permits SSLv3 and TLS 1.0; the second lets the client pick from a broad list that, with the OpenSSL shipped in CentOS 7, still includes RC4 and 3DES.
We have removed the obsolete settings, but we still need current ones in their place. Fortunately, the Cipherlist site maintains an up-to-date configuration that tracks the latest recommendations.
Copy the settings from the Apache section on the site and paste them into your conf file after the **** block. At the time of writing they were:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
#Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
Two things to check before you save. SSLStaplingCache is only valid at server level, outside any <VirtualHost> block, so if you pasted inside a virtual host move that line out. The Header lines need mod_headers (loaded by default on CentOS 7) and deserve a second look: X-Frame-Options DENY also stops your own pages from framing each other, so use SAMEORIGIN if your site does that; and in the Strict-Transport-Security line, includeSubDomains applies the two-year policy (max-age=63072000) to every subdomain as well, while preload marks the site as a candidate for the browsers' built-in HSTS list, from which it is hard to get removed. Only keep those two flags once every subdomain serves HTTPS. When you are done, press Ctrl+X, and then Y to save your file.
Restart Apache for your new settings to take effect:
sudo systemctl restart httpd
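The checks this section makes by hand, as an added example that is not code from the original article or from the Cipherlist site: a POSIX shell script that audits an Apache TLS configuration file for the settings replaced above. The two sample configurations embedded in it are constructed here from the before and after states shown in this section; the temporary file paths and the choice of which cipher names count as weak are my own assumptions.

```sh
#!/bin/sh
# Added example, not from the original article: static audit of an Apache
# TLS config file. Point audit_tls_conf at /etc/httpd/conf.d/ssl.conf and
# at the Let's Encrypt virtual host file to check the real thing.
# Limitation: it reads one file and takes the last occurrence of each
# directive, without modelling per-<VirtualHost> scope.

# Value of a directive, comments stripped, name matched case-insensitively
# as Apache does. The last occurrence wins.
directive() {
    dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sed 's/#.*$//' "$2" | awk -v d="$dn" \
        'tolower($1) == d { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }'
}

# Which protocol versions an SSLProtocol value leaves enabled. Apache
# semantics: "all" turns every version on, "-X" removes one, "+X" or a bare
# "X" adds one. Returns a space-padded, lower-case list.
enabled_protocols() {
    on=" "
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$tok" in
            all|+all) on=" sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3 " ;;
            -*)       on=$(printf '%s' "$on" | sed "s/ ${tok#-} / /") ;;
            +*)       on="$on${tok#+} " ;;
            *)        on="$on$tok " ;;
        esac
    done
    printf '%s\n' "$on"
}

report() { echo "  - $1"; audit_problems=$((audit_problems + 1)); }

# Returns 0 if the file passes every check, 1 otherwise, listing what failed.
audit_tls_conf() {
    audit_problems=0
    echo "Auditing $1"
    proto=$(directive SSLProtocol "$1")
    if [ -z "$proto" ]; then
        report "SSLProtocol not set: Apache's default leaves TLS 1.0 and 1.1 on"
    else
        for weak in sslv3 tlsv1 tlsv1.1; do
            case "$(enabled_protocols "$proto")" in
                *" $weak "*) report "SSLProtocol '$proto' still enables $weak" ;;
            esac
        done
    fi
    [ "$(directive SSLHonorCipherOrder "$1" | tr 'A-Z' 'a-z')" = "on" ] \
        || report "SSLHonorCipherOrder is not On: the client picks the cipher"
    [ "$(directive SSLCompression "$1" | tr 'A-Z' 'a-z')" = "off" ] \
        || report "SSLCompression is not off (TLS compression is the CRIME vector)"
    suite=$(directive SSLCipherSuite "$1")
    if [ -z "$suite" ]; then
        report "SSLCipherSuite not set"
    elif command -v openssl >/dev/null 2>&1; then
        # Expand the OpenSSL cipher string and flag ciphers built on a
        # broken primitive or on anonymous (unauthenticated) key exchange.
        if ! expanded=$(openssl ciphers "$suite" 2>/dev/null); then
            report "SSLCipherSuite '$suite' is not a valid OpenSSL cipher string"
        else
            bad=$(printf '%s' "$expanded" | tr ':' '\n' \
                  | grep -E 'RC4|DES|MD5|NULL|EXP|ADH|AECDH' || true)
            [ -z "$bad" ] || report "weak ciphers: $(printf '%s' "$bad" | tr '\n' ' ')"
        fi
    fi
    grep -qi 'Strict-Transport-Security' "$1" \
        || report "no Strict-Transport-Security header: HTTPS can be stripped"
    [ "$audit_problems" -eq 0 ]
}

# Constructed sample: the CentOS 7 mod_ssl defaults the article removes.
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
EOF
# Constructed sample: the replacement settings from the article.
strong_conf=$(mktemp)
cat >"$strong_conf" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
EOF
trap 'rm -f "$weak_conf" "$strong_conf"' EXIT

for f in "$weak_conf" "$strong_conf"; do
    if audit_tls_conf "$f"; then echo "  OK"; fi
done
```

The protocol check evaluates the directive the way Apache does rather than looking for the literal "-TLSv1" tokens, so "SSLProtocol TLSv1.2" passes and "SSLProtocol all -SSLv3" fails for the right reason. Run it against both ssl.conf and the Let's Encrypt virtual host file, since the virtual host's own settings are the ones your domain is actually served with.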
Check your Certificates
Now that we are done with all the steps, check your certificate and TLS configuration by visiting the link below, replacing example.org with your base domain:
https://www.ssllabs.com/ssltest/analyze.html?d=example.org&latest
If everything is set up properly, you should get an A+ rating. A lower grade usually means that the virtual host actually serving your domain is not using the settings you added, or that the HSTS header is missing, which the test requires for A+; the report lists the protocols and ciphers the server really offered, so read it rather than just the grade.
Keep the settings file updated as new weaknesses are found in protocols and ciphers: check the cipher list regularly, and re-run the test after every change to confirm the configuration still holds up.
With that, we have configured free SSL Certificates using Let’s Encrypt and Apache on CentOS 7.