Setting up SSL/TLS has traditionally been a costly and tedious process.
A commercial certificate for a 2048-bit RSA key costs on the order of $149/yr or more, and requires the webmaster to generate a CSR, submit it to the CA, reconfigure the web server, and troubleshoot any errors.
It is then no surprise that many webmasters choose not to get a certificate at all. But such websites leave their visitors exposed to eavesdropping and content tampering on the wire, and contribute to an insecure internet.
The Internet Security Research Group, a non-profit organization, came up with a solution: free certificates with automated provisioning. Towards this goal they set up an open Certificate Authority called Let’s Encrypt.
How Let’s Encrypt works
With a traditional Certificate Authority, the webmaster generates a key pair and a CSR for the domain, submits the CSR to the CA, and proves control of the domain out of band, typically by responding to an email sent to an address at that domain (the CSR itself proves nothing about ownership).
Let’s Encrypt replaces the manual steps with an automated protocol, ACME, that validates domain control by machine.
A client program running on your server takes over the webmaster’s role. It creates an account key, generates the key pair and CSR, and proves to the Let’s Encrypt server that it controls the domain by publishing a challenge response the CA can check: for the HTTP challenge, a file under /.well-known/acme-challenge/ on the web server for that domain (a DNS TXT record is the alternative). The exchange is: the client asks for a certificate, the CA hands back a random token, the client publishes the token bound to its account key, the CA fetches it over plain HTTP, and only then signs the CSR.
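To make the exchange above concrete, here is an added example (not code from the original post, and not Certbot's own code) that simulates the ACME HTTP challenge from RFC 8555 in plain Python: the account key thumbprint, the key authorization the client must publish, and the CA's fetch-and-compare step. The CA, the web root and the account keys are all stand-ins; the JWKs are constructed dummies, not real keys, and only the standard library is used.

```python
# Added example (not from the original post or from Certbot): a stand-alone
# simulation of the ACME "http-01" challenge that Certbot performs for you.
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over the required
    members only, in lexicographic order, with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The string the client must publish: token '.' thumbprint(account key).
    Binding the token to the account key means a file left over from another
    account, or planted by someone without this key, does not validate."""
    return token + "." + jwk_thumbprint(account_jwk)


class WebRoot:
    """Stand-in for the document root Apache serves for the domain."""

    def __init__(self):
        self.files = {}

    def fetch(self, path):
        return self.files.get(path)          # None plays the part of a 404


class AcmeServer:
    """Stand-in for the validation side of the Let's Encrypt ACME server."""

    def __init__(self):
        self.pending = {}                    # token -> (domain, account jwk)

    def new_challenge(self, domain, account_jwk):
        token = b64url(secrets.token_bytes(32))   # fresh, unguessable per challenge
        self.pending[token] = (domain, account_jwk)
        return token

    def validate(self, token, fetch):
        """Real CA: GET http://<domain>/.well-known/acme-challenge/<token>."""
        domain, account_jwk = self.pending.pop(token)
        body = fetch("/.well-known/acme-challenge/" + token)
        return body is not None and body.strip() == key_authorization(token, account_jwk)


def run_http01(domain, account_jwk, webroot, publish_for=None):
    """Complete exchange. publish_for is the account key whose key
    authorization the client writes into the webroot (None = write nothing,
    as happens when the client cannot reach the docroot). Returns True only
    if the CA accepts the challenge."""
    ca = AcmeServer()
    token = ca.new_challenge(domain, account_jwk)
    if publish_for is not None:
        # This write needs access to the docroot, and Apache must not block
        # dot-directories, or the CA's GET above comes back 403/404.
        webroot.files["/.well-known/acme-challenge/" + token] = key_authorization(token, publish_for)
    return ca.validate(token, webroot.fetch)


# Constructed dummy keys (not real EC points), enough to exercise the hashing.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-1", "y": "constructed-y-1"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-2", "y": "constructed-y-2"}

if __name__ == "__main__":
    print("own key published:  ", run_http01("example.com", ACCOUNT_JWK, WebRoot(), publish_for=ACCOUNT_JWK))
    print("nothing published:  ", run_http01("example.com", ACCOUNT_JWK, WebRoot()))
    print("wrong key published:", run_http01("example.com", ACCOUNT_JWK, WebRoot(), publish_for=OTHER_JWK))
```

The two failing runs are the cases that matter in practice: nothing published is what you see when Certbot cannot write to, or Apache does not serve, the .well-known directory, and the wrong-key case shows why a challenge file from a different account is worthless to an attacker even if it sits in your document root.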
Setting up Let’s Encrypt in CentOS 6 and CentOS 7
Let’s Encrypt recommends many client programs that are compatible with CentOS.
We feel Certbot from the non-profit Electronic Frontier Foundation is a good tool, if used correctly. Let’s get to that.
1. Update your system
The latest Certbot pulls in a fair number of dependencies, so first bring all your packages up to date with:
# yum -y update
Then install the EPEL (Extra Packages for Enterprise Linux) repository, which provides the Python packages Certbot depends on:
# yum -y install epel-release
Note: If your server is custom configured, a full update might break your website. If you suspect that, consult a server expert before updating.
2. Get Certbot from EFF
Certbot is packaged in the EPEL repository for CentOS 7. So, if you’re on CentOS 7, install Certbot together with its Apache plugin:
# yum -y install python-certbot-apache
If you are on CentOS 6, download the certbot-auto wrapper script and make it executable:
# wget https://dl.eff.org/certbot-auto
# chmod 755 certbot-auto
Note that certbot-auto runs as root and installs its own Python dependencies on first use; EFF has since retired the script, so check that dl.eff.org still serves it before relying on it.
3. Configure Apache with CertBot
The default web server in CentOS 6 and 7 is Apache. So, we’ll go ahead with the assumption that you’re using Apache.
Certbot has a plugin that can configure Apache for you. To launch it, run:
# certbot --apache
Certbot then reads the ServerName and ServerAlias entries from your Apache virtual hosts and asks which of those domains you want a certificate for.
The next two prompts ask for an administrator email address and for acceptance of the subscriber agreement.
Once that is done, you are asked whether to redirect all HTTP requests to HTTPS.
Serving the whole site over HTTPS is always better: it stops an on-path attacker from reading or altering page contents and blocks a whole class of web-based attacks.
However, if your pages include scripts, stylesheets or images through hard-coded “http://your-site-name” URLs, browsers will flag or block them as mixed content. So make sure all such references in your site are changed to https (or to relative URLs).
Setup auto-renewal
Let’s Encrypt certificates are valid for 90 days, and certbot renew only renews a certificate that is within 30 days of expiry. So run it from cron at least once a day (the Certbot documentation suggests twice a day) rather than once every 85 days: if a single run fails, the next attempt still happens well before the certificate expires.
But, before you set it up, make sure the renew function works well by doing a dry run using the command:
# certbot renew --dry-run
If everything goes well, add a line like the one below to root’s crontab (crontab -e). It attempts renewal twice a day; on CentOS 6 use the path to your certbot-auto script instead of /usr/bin/certbot.
0 3,15 * * * /usr/bin/certbot renew --quiet
Because the certificate was installed with the Apache plugin, Certbot reloads Apache itself whenever a certificate is actually renewed.
Possible issues in Let’s Encrypt setup
Certbot makes things easy, but there are a few common roadblocks while setting it up. Some of these are:
- Apache configuration blocking access to hidden directories – To prove control of the domain, the client writes a challenge file under “.well-known/acme-challenge” in the site’s document root, and Let’s Encrypt fetches it over plain HTTP on port 80. Make sure your Apache config (and any .htaccess) does not deny access to dot-directories or redirect that path elsewhere.
- Domain not resolving to the server – Make sure the public DNS records of the domains (and subdomains) you request point at this server.
- Password protection on the website – HTTP authentication answers Let’s Encrypt’s validation request with a 401, so exempt the challenge path or disable the protection while issuing.
- Package conflicts when using different repositories – When updating your server, or setting up various packages, there can be version conflicts. Tread carefully to make sure your apps do not get broken, especially if you use any Python web apps.
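The first three roadblocks can be checked before you run Certbot at all. The following added example (not from the original post, and not part of Certbot) is a small pre-flight script that, for each domain, confirms that DNS points at this server and that a GET on the challenge path reaches the vhost without a 401 or 403. The resolver and HTTP fetcher are injected, so the same function runs against real DNS/HTTP via the defaults or, as in the block’s own demo, against constructed stand-ins; every hostname and address below is made up.

```python
# Added example (not from the original post or from Certbot): pre-flight
# checks for the common http-01 failures (DNS, password protection, blocked
# .well-known). The default resolver/fetcher talk to the network; the
# constructed FAKE_* tables at the bottom let it run offline.
import socket
import urllib.error
import urllib.request

PROBE_PATH = "/.well-known/acme-challenge/preflight-probe"


def default_resolve(host):
    """Addresses public DNS currently returns for host (empty list if none)."""
    try:
        infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_fetch(url):
    """HTTP status of a plain GET, or None if nothing answered on port 80."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def preflight(domains, server_ips, resolve=default_resolve, fetch=default_fetch):
    """Return {domain: [problems]}; an empty list means http-01 should succeed."""
    report = {}
    for domain in domains:
        problems = []
        addrs = resolve(domain)
        if not addrs:
            problems.append("DNS: name does not resolve")
        elif not set(addrs) & set(server_ips):
            problems.append(f"DNS: resolves to {addrs}, not to this server")
        status = fetch("http://" + domain + PROBE_PATH)
        # A 404 for a name the CA never issued is the healthy answer: it shows
        # port 80 reaches this vhost and the dot-directory is not blocked.
        if status is None:
            problems.append("HTTP: port 80 unreachable (firewall, vhost or DNS)")
        elif status in (401, 407):
            problems.append("HTTP: password protection covers the challenge path")
        elif status == 403:
            problems.append("HTTP: challenge path forbidden (Apache <Directory> or .htaccess rule on dot-directories?)")
        report[domain] = problems
    return report


# Constructed stand-ins so the check runs offline; nothing below is real.
THIS_SERVER = ["203.0.113.10"]
FAKE_DNS = {
    "good.example": ["203.0.113.10"],
    "moved.example": ["198.51.100.7"],
    "locked.example": ["203.0.113.10"],
    "blocked.example": ["203.0.113.10"],
}
FAKE_HTTP = {
    "http://good.example" + PROBE_PATH: 404,
    "http://moved.example" + PROBE_PATH: 404,
    "http://locked.example" + PROBE_PATH: 401,
    "http://blocked.example" + PROBE_PATH: 403,
}

if __name__ == "__main__":
    result = preflight(list(FAKE_DNS) + ["nx.example"], THIS_SERVER,
                       resolve=lambda h: FAKE_DNS.get(h, []),
                       fetch=lambda u: FAKE_HTTP.get(u))
    for domain, problems in result.items():
        print(domain, "OK" if not problems else problems)
```

To use it for real, call preflight with your domain list and the server’s public addresses and leave the resolver and fetcher at their defaults; fix every reported problem before running certbot --apache, since a failed challenge counts against Let’s Encrypt’s rate limits.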
In short..
Enabling SSL/TLS on a website has traditionally been difficult enough to deter many webmasters from turning on HTTPS, which leaves their sites and visitors vulnerable to web attacks. Today we have seen how to set up free, automated TLS certificates using the Let’s Encrypt Certificate Authority.
Bobcares helps online businesses of all sizes achieve world-class security and uptime, using tried and tested solutions. If you’d like to know how to make your server more reliable, we’d be happy to talk to you.
I used your instructions to install certbot on CentOS 7 (Python 2.7, Apache 2) and found similar instructions elsewhere, but with the same results.
Trust that you can help.
Thanks
This is the error I get when:
certbot --apache
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.18.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2755, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2409, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2415, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
ImportError: No module named certbot.main
This error can happen for many reasons, such as a Python compatibility problem or a stale cache. Please submit your details at https://bobcares.com/contact-us/ , as our server specialists can check your server and get back to you with the fix.