Install Let's Encrypt SSL on CentOS 7

SSL

An SSL (Secure Sockets Layer) certificate is a type of digital certificate that provides authentication for a website and encrypts information sent to the server using SSL technology. The costs vary with the level of security you require (validation level, type of secured domains etc). There are also free SSL certificate providers, which I will mention in this post. Many hosting providers also sell SSL (GoDaddy, Namecheap etc) and AFAIK they are really easy to set up.

Let’s Encrypt

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world’s largest certificate authority, used by more than 265 million websites, with the goal of all websites being secure and using HTTPS. (Wikipedia)

Let’s Encrypt is totally free. Their certificates are valid for 90 days, but they support automatically renewal.

Set up Let’s Encrypt

To set up Let’s Encrypt, you need a client. Certbot is by far the most popular Let’s Encrypt client, as it is included in most major Linux distributions, and supports automatic configuration capabilities for Apache and Nginx.

On certbot site, choose web server and OS you are using. In this post, I’m using Centos 7, Apache on Vultr.

Install snapd

First, I need to add EPEL to CentOS7

sudo yum install epel-release

then

sudo yum install snapd 

Ensure snapd is up to date

sudo snap install core; sudo snap refresh core 

Install Certbot

Now we can install the certbot

sudo snap install --classic certbot

While installing certbot, you may get this symbolic link error:

error: cannot install "certbot": classic confinement requires snaps under /snap or symlink from /snap to /var/lib/snapd/snap

This is because missing symbolic link for snap. Run the command below to fix it:

ln -s /var/lib/snapd/snap /snap

Prepare the Certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Install certificate

sudo certbot --apache

You may encounter this error due to missing ssl library:

Could not find ssl_module; not disabling session tickets.

In that case, run this command to fix:

sudo yum install mod_ssl

Then reinstall the certificate again.

Certbot will ask for your email address, this is used for renewal notifications and other notices:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Enter your email address and hit Enter. You have to agree to Let’s Encrypt terms of service, and subscribe to content or not. In the next screen, you have to select which domains you’d like to activate HTTPS for. The listed domain are automatically acquired from Apache virtual host.

Saving debug log to /var/log/letsencrypt/letsencrypt.log 
Which names would you like to activate HTTPS for? 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
1: *****.com 
2: www.*****.com 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Select the appropriate numbers separated by commas and/or spaces, or leave input 
blank to select all options shown (Enter 'c' to cancel): 

If you haven’t configured any virtual host, you will see this error:

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80. 

So make sure that you have the correct virtual host configuration. If you want to enable HTTPS for all listed domain names, you can leave the prompt blank and hit ENTER

The first time executing the command, I got an error due to Namecheap domain misconfiguration.

Requesting a certificate for *****.com and www.*****.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.*****.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for www.*****.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.*****.com - check that a DNS record exists for this domain

  Domain: *****.com
  Type:   unauthorized
  Detail: Invalid response from http://*****.com/.well-known/acme-challenge/dtjae9G0BeXyFbEcrb3v5xNi6AuXHtuRfDZBq3hMbU0 [76.76.21.21]: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

After setting IP address on Namecheap and executing the command again, the certificate was installed.

Requesting a certificate for *****.com and www.*****.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/*****.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/*****.com/privkey.pem

This certificate expires on 2022-06-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for *****.com to /etc/httpd/conf.d/*****-le-ssl.conf
Successfully deployed certificate for www.*****.com to /etc/httpd/conf.d/*****-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://*****.com and https://www.*****.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

That’s all, the certificate is now installed and loaded into Apache. Your website should now be accessible with https and your browser should show a security indicator (typically a lock icon).