wesupport

Need help?

Our experts have had an average response time of 13.14 minutes in February 2024 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

How to setup Let’s Encrypt in CentOS 6 and CentOS 7

by | Jul 23, 2016

Setting up SSL is a costly, and often tedious process.

A decent 2048-bit certificate costs at least $149/yr, and requires the webmaster to generate a CSR, submit it to the CA, reconfigure the web server, and troubleshoot any errors.

It’s then no surprise that many webmasters choose not to get an SSL. But such websites are more susceptible to web-based attacks, and contributes to an insecure internet.

letsencrypt centos - green light Bobcares

That HTTPS green light shows that the content is reliable

Internet Security Research Group, a non-profit organization came up with a solution – Free certificates with automated provisioning. Towards this goal they setup an Open Certificate Authority called Let’s Encrypt.

How Let’s Encrypt works

With traditional Certificate Authorities, a webmaster proves their ownership of a domain by generating a CSR with their domain name, and by using a verifiable email ID.

Let’s Encrypt simplified this process by automating the domain validation.

A client program in your server takes over the role of the webmaster. It then proves to the Let’s Encrypt Certificate server that it can modify the domain contents, and generate a CSR for the domain name. It goes something like this:

Let's Encrypt in CentOS 6 and CentOS 7 - how it works

The Let’s Encrypt client process runs with “root” privileges, which is possible only for the domain owner.

Setting up Let’s Encrypt in CentOS 6 and CentOS 7

Let’s Encrypt recommends many client programs that are compatible with CentOS.

We feel CertBot from the non-profit Electronic Frontier Foundation is a good tool – if used correctly. Let’s get to that.

1. Update your system

CertBot needs a lot of packages in it’s latest version for it’s proper functioning. So, first off, update all your packages with:

# yum -y update

Then, install the EPEL (Extra Packages for Enterprise Linux) repository, to provide the latest Python packages for CertBot.

# yum -y install epel-release

Note : If your server is custom configured, an upgrade might break your website. If you suspect something like that, consult a server expert.

2. Get CertBot from EFF

CertBot is available in CentOS 7 EPEL repositories. So, if you’re on CentOS 7, install CertBot with:

# yum -y install python-certbot-apache

If you are on CentOS 6, download and make the program executable by:

# wget https://dl.eff.org/certbot-auto

# chmod 755 certbot-auto

[ Managing your web server infrastructure doesn’t have to be hard, or costly. Get world class server administration services at affordable pricing. ]

3. Configure Apache with CertBot

The default web server in CentOS 6 and 7 is Apache. So, we’ll go ahead with the assumption that you’re using Apache.

CertBot has a plugin that can configure Apache. To launch it, run the command:

# certbot --apache

CertBot then fetches all domains configured in your web server, and asks you which all domains you want to request an SSL for:

Lets Encrypt CentOS 6 and CentOS 7 - CertBot - Step 1

Select all the domains you want by using arrow keys and space bar

The next two steps asks you for an administrator email ID, and to accept the license agreement.

Once that’s done, you’ll be asked whether to enable all web accesses over HTTPS.

Let's Encrypt CentOS 6 and CentOS 7 - Choose secure all

We recommend choosing full encryption for your website.

A full encryption for your whole website is always better as it prevents spoofing of your website contents, and blocks a lot of web-based attacks.

However, if your site have links that’s hard-coded as “http://your-site-name”, it’ll result in a certificate error. So, make sure all links in your site is changed to https.

Lets Encrypt CentOS 6 and CentOS 7 - Cert error.

Even “http” links to external sites can cause this warning

 

[ Are your spending too much time managing your web servers? Our expert engineers will take care of your server infrastructure and ensure its smooth functioning. ]

Setup auto-renewal

All Let’s Encrypt certificates expire in 90 days. So, setup a cron job to automatically renew it for you every 85 days.

But, before you set it up, make sure the renew function works well by doing a dry run using the command:

# certbot renew --dry-run

If everything goes well, set the below command in your crontab.

certbot renew --quiet

Possible issues in Let’s Encrypt setup

CertBot sure makes things very easy, but there can be a lot of road blocks while setting it up. Some of these are:

  1. Apache configuration blocking access to hidden directories – Let’s Encrypt client writes to a directory called “.well-known” to verify client authenticity. So, make sure your Apache config allows access to hidden folders.
  2. Domain not resolving to the server – Make sure the DNS of the domains (and subdomains) are set to the server.
  3. Password protection in the website – Disable password protection if any.
  4. Package conflicts when using different repositories – When updating your server, or setting up various packages, there could be conflicts in versions. Tread carefully to make sure your apps do not get broken – especially if you use any Python web apps.

In short..

Enabling SSL/TLS in a website can be quite difficult. It deters many webmasters from enabling HTTPS, which leads them vulnerable to web attacks. Today, we’ve seen how to setup free, automated TLS certificates using Let’s Encrypt Certification Authority.

Bobcares helps online businesses of all sizes achieve world-class security and uptime, using tried and tested solutions. If you’d like to know how to make your server more reliable, we’d be happy to talk to you.

 

Get your web servers stable!

Worried about upgrades and service errors in your web servers? Let us help you.

GET IN TOUCH WITH AN EXPERT NOW!

var google_conversion_label = "owonCMyG5nEQ0aD71QM";
Bobcares provides Outsourced Hosting Support for online businesses. Our services include Outsourced Web Hosting Support, Outsourced Server Support, Outsourced Help Desk Support, Outsource Live Chat Support and Phone Support Services.

2 Comments

  1. Dirk

    I used your instructions to install certbot on Centos 7 python2.7 apache2 and found similar instructions elsewhere but with same results.

    Trust that you can help.
    Thanx
    This is the error I get when:
    certbot –apache
    Traceback (most recent call last):
    File “/usr/bin/certbot”, line 9, in
    load_entry_point(‘certbot==0.18.1’, ‘console_scripts’, ‘certbot’)()
    File “/usr/lib/python2.7/site-packages/pkg_resources/__init__.py”, line 570, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
    File “/usr/lib/python2.7/site-packages/pkg_resources/__init__.py”, line 2755, in load_entry_point
    return ep.load()
    File “/usr/lib/python2.7/site-packages/pkg_resources/__init__.py”, line 2409, in load
    return self.resolve()
    File “/usr/lib/python2.7/site-packages/pkg_resources/__init__.py”, line 2415, in resolve
    module = __import__(self.module_name, fromlist=[‘__name__’], level=0)
    ImportError: No module named certbot.main

    Reply
    • Reeshma Mathews

      This error can happen due to many reasons such as python compatibility problem or cache. Please submit your details at https://bobcares.com/contact-us/ , as our server specialists can check your server and get back to you with the fix.

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Categories

Tags