Introduction
Let's Encrypt is a certificate authority that provides free certificates through an automated process. This guide will demonstrate how to set up a TLS/SSL certificate from Let's Encrypt on a CentOS 7, AlmaLinux 8, or AlmaLinux 9 server running Apache.
Preparation
Ensure you have Apache installed on your server. If it isn't installed, refer to our Apache installation guide.
Create a virtual host configuration file with the following command if you haven't done so already:
vi /etc/httpd/conf.d/yourdomain.ltd.conf
- Add the following lines to the configuration file:
- Replace "yourdomain.ltd" with your actual domain name. Save and exit the file after editing.
1. Create a Test index.html File
- To create an index.html file for testing purposes, run:
vi /var/www/html/index.html
- Enter the following text in the file:
<html>
Page for testing purposes
</html>
- Save and exit the file. Change the owner of the file to Apache with:
chown -R apache:apache /var/www/html/index.html
2. Install Certbot
- On CentOS 7, install Certbot, its Apache plugin, and mod_ssl with:
yum install certbot python2-certbot-apache mod_ssl
- On AlmaLinux 8 or 9, enable the EPEL repository and then install Certbot with its Apache plugin:
dnf install epel-release
dnf install certbot python3-certbot-apache
3. Set Up the SSL Certificate
- To set up the SSL certificate for your domain, run:
certbot --apache -d yourdomain.ltd
- To install certificates for multiple domains and subdomains, use:
certbot --apache -d yourdomain.ltd -d www.yourdomain.ltd -d yourdomain2.ltd -d subdomain.yourdomain2.ltd
You will need to provide an email address, agree to the Terms of Service, and decide whether to share your email with the Electronic Frontier Foundation.
When issuing a certificate, you may receive the following error message:
- If you encounter an error while issuing the certificate, cancel the process (enter 'c') and restart Apache:
systemctl restart httpd
- Then try issuing the certificate again.
4. Check SSL Certificate
- To verify if the SSL certificate was issued successfully, run:
ls /etc/letsencrypt/live/yourdomain.ltd/
5. Manual and Automatic Renewal
- To test that renewal works without actually requesting a new certificate, run:
certbot renew --dry-run
- To renew manually, run the same command without --dry-run. Certbot only renews certificates that are close to expiring (less than 30 days left); otherwise it reports that no renewal was needed.
For automatic renewal, edit the crontab to run the command twice a day:
crontab -e
- Add this line to the crontab (the user crontab opened by crontab -e has no user-name field; a minute value of 0 runs the job at 00:00 and 12:00, rather than every minute of those hours):
0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1
- This will ensure that Certbot renews your certificates when they are due and reloads Apache as needed.
Additional Notes
If your site is still inaccessible and you receive a "Secure Connection Failed" error, ensure that traffic via HTTPS (port 443) is allowed, as it may be blocked by firewalld by default.
To check which services firewalld currently allows, use:
firewall-cmd --list-all
- If https is not listed, allow it permanently and reload the rules:
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
- To enable HTTPS in iptables and save the rule so it survives a reboot (the saved file is loaded at boot by the iptables-services package):
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
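A post-setup check that ties steps 4, 5 and the firewall note together, written as an added example (not part of the original guide): it confirms the certificate exists under certbot's live directory, reports how many days remain and flags a certificate that is already inside the 30-day renewal window (a sign the cron job is not running), and checks whether firewalld allows HTTPS. It assumes GNU date, the openssl CLI, and certbot's default layout of fullchain.pem under /etc/letsencrypt/live/<domain>.

```shell
#!/bin/sh
# Post-setup check for the procedure above (added example, not part of the
# original guide). Assumes GNU date, the openssl CLI and certbot's default
# live directory layout (fullchain.pem under /etc/letsencrypt/live/<domain>).
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
RENEW_THRESHOLD_DAYS=30   # certbot renew only acts inside this window

# Whole days from epoch second $1 to an openssl "notAfter=..." line in $2.
# "now" is a parameter so the arithmetic can be checked against a fixed clock.
days_until() {
    end_epoch=$(date -u -d "${2#notAfter=}" +%s) || return 2
    echo $(( (end_epoch - $1) / 86400 ))
}

# Exit 0 if the captured `firewall-cmd --list-all` output in $1 allows HTTPS,
# either as the https service or as a raw 443/tcp port; exit 1 otherwise.
firewalld_allows_https() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*services:/ { for (i = 2; i <= NF; i++) if ($i == "https")   ok = 1 }
        /^[[:space:]]*ports:/    { for (i = 2; i <= NF; i++) if ($i == "443/tcp") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# A Let's Encrypt certificate is valid for 90 days and renewed with 30 days
# left, so a live certificate inside that window means renewal is not happening.
check_cert() {
    cert="$LIVE_DIR/$1/fullchain.pem"
    [ -r "$cert" ] || { echo "$1: missing $cert (step 3 did not complete)"; return 1; }
    end=$(openssl x509 -noout -enddate -in "$cert") || return 2
    left=$(days_until "$(date +%s)" "$end") || return 2
    echo "$1: $left days left"
    [ "$left" -gt "$RENEW_THRESHOLD_DAYS" ] || { echo "$1: inside renewal window, run certbot renew"; return 1; }
}

main() {
    check_cert "$1"; rc=$?
    if firewalld_allows_https "$(firewall-cmd --list-all 2>/dev/null)"; then
        echo "firewalld: https allowed"
    else
        echo "firewalld: https not allowed (or firewalld absent), see Additional Notes"; rc=1
    fi
    return $rc
}

# Run the checks only when a domain is given, so the functions can be sourced.
if [ $# -eq 1 ]; then main "$1"; fi
```

Run it as `sh le-check.sh yourdomain.ltd`; a non-zero exit means something from the steps above still needs attention.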