Installing letsencrypt free SSL HTTPS certificate on Centos 6 Apache

Letsencrypt is a free and open automated certificate authority. You can get an SSL certificate from them for free that is trusted by browsers on nearly all platforms – see the FAQ

This is how to do it for Centos 6 running Apache HTTPD server. It assumes you already have HTTPS set up but are currently using a self-signed certificate.

Note that the way you request the certificate and get verified is by installing a Python client, which will start up its own web server on port 80, so Apache has to be stopped while the client runs. Installing the client may involve installing dependency Centos packages like gcc and other development tools.

So first install the client

As root or using sudo

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Stop Apache

service httpd stop

Run the client (note: as Centos 6 uses Python 2.6 you have to enable debug mode, and you get lots of warnings about version 2.6), giving your email address and the domains you want, e.g. for my site I did

./letsencrypt-auto certonly --standalone --email me@tuqix.org -d tuqix.org  -d www.tuqix.org

It will fire up a screen to ask you to accept their terms and conditions

It will then come back with a message that your certificate has been saved as /etc/letsencrypt/live/yourdomain/fullchain.pem

Start your Apache HTTP server

service httpd start

Edit /etc/httpd/conf.d/ssl.conf

Update
SSLCertificateFile /etc/letsencrypt/live/yourdomain/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/yourdomain/chain.pem

Restart Apache HTTPD server

service httpd restart

Now when you visit https://yourdomain your browser should not complain about the SSL certificate.

Renewing your certificate

Letsencrypt certificates are valid for 90 days.

The good news is you can automagically renew your certificate. By default it will only update your certificate if it will expire in less than 30 days so you can run a cron job once a month for example without any harm.

To renew a certificate :-

Stop Apache

service httpd stop

/fullpath/letsencrypt-auto renew --standalone --debug

If the renew was successful you will see :-

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/yourdomain/fullchain.pem (success)

Then start Apache

service httpd start

To run from cron create a script /usr/local/bin/letsencrypt.renew like

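#!/bin/bash

# Stop Apache so the standalone client can use port 80
/sbin/service httpd stop

/fullpath/letsencrypt-auto renew --standalone --debug > /var/log/letsencrypt/renew.log 2>&1

# Start Apache again whether or not the renewal succeeded
/sbin/service httpd start
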

Add it to root’s cron to run at, for example, 03:00 on the 9th of each month

00 03 09 * * /usr/local/bin/letsencrypt.renew
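
A check that can be run at the end of the cron script, shown here as an added example that is not part of the original post: it confirms that the certificate Apache serves still has enough validity left and that privkey.pem belongs to cert.pem. The function names and the LIVE_DIR variable are assumptions of this example; the paths are the ones set in ssl.conf above, and the 30-day default mirrors the renewal window mentioned earlier.

```shell
#!/bin/bash
# Added example (not from the original post): post-renewal sanity checks.
# LIVE_DIR is an assumed variable; "yourdomain" is the page's placeholder.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/yourdomain}"

# Succeeds if certificate $1 is still valid for at least $2 more days.
# Fails if it expires sooner, or if the file is missing or unreadable.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeeds if private key $2 belongs to certificate $1, by comparing the
# public key embedded in the certificate with the one derived from the key.
cert_matches_key() {
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cmk_cert" ] && [ "$cmk_cert" = "$cmk_key" ]
}

# Runs both checks on directory $1 with a minimum of $2 days remaining.
# Prints one WARNING line per problem; exit status is the problem count.
check_live_dir() {
    cld_problems=0
    if ! cert_valid_for_days "$1/cert.pem" "$2"; then
        echo "WARNING: $1/cert.pem is unreadable or expires within $2 days"
        cld_problems=$((cld_problems + 1))
    fi
    if ! cert_matches_key "$1/cert.pem" "$1/privkey.pem"; then
        echo "WARNING: $1/privkey.pem does not match $1/cert.pem"
        cld_problems=$((cld_problems + 1))
    fi
    return "$cld_problems"
}

# When called as "script check", test the live directory. A certificate with
# under 30 days left right after a renew run means the renewal did not happen.
if [ "${1:-}" = "check" ]; then
    check_live_dir "$LIVE_DIR" "${2:-30}"
    exit $?
fi
```

By default cron mails whatever a job prints to the crontab owner, so a WARNING line from this check ends up in root's mailbox.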
