So, it's been a year since I installed my (paid for) certificate and much has changed in web-land. Chief among them, on the SSL front, has been LetsEncrypt which offers free SSL certificates to anyone who requests them.
As I wasn't entirely enamoured with the idea of running "a fairly solid beta-quality Apache plugin", and I have full access to the webserver, this is a guide to installing it manually.
Install the epel repository
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# Resolving dl.fedoraproject.org (dl.fedoraproject.org)... 209.132.181.23, 209.132.181.24, 209.132.181.25, ...
# Connecting to dl.fedoraproject.org (dl.fedoraproject.org)|209.132.181.23|:443... connected.
rpm -Uvh epel-release-latest-7.noarch.rpm
Install certbot (the LetsEncrypt client)
yum install python-certbot-apache
# Request a new certificate for chrishewett.com and www.chrishewett.com
# -w is the site's webroot: certbot writes a challenge file there so LetsEncrypt can verify you control the domain
# Run with --dry-run first to test that validation will work
certbot certonly --dry-run --webroot -w /home/sites/chrishewett_com/web/app/webroot/ -d chrishewett.com -d www.chrishewett.com
# If there are no errors, run it for real
certbot certonly --webroot -w /home/sites/chrishewett_com/web/app/webroot/ -d chrishewett.com -d www.chrishewett.com
# An interactive series of prompts walks you through the rest of the process
Install mod_ssl and configure the SSL virtual host
yum install mod_ssl
# Disable SSLv3 to stop the POODLE bug (the directive below drops SSLv2 as well); set this line in ssl.conf:
nano /etc/httpd/conf.d/ssl.conf
# SSLProtocol all -SSLv2 -SSLv3
nano /etc/httpd/conf/httpd.conf
<VirtualHost *:443>
    ServerName chrishewett.com
    ServerAlias www.chrishewett.com
    DocumentRoot /home/sites/chrishewett_com/app/public
    DirectoryIndex index.php
    <Directory /home/sites/chrishewett_com/app/public>
        AddType application/x-httpd-php .php
        Options +ExecCGI +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/chrishewett.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/chrishewett.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/chrishewett.com/chain.pem
</VirtualHost>
systemctl reload httpd.service
# Browse to your site, click on the padlock symbol and verify that the certificate is now issued by LetsEncrypt
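Before reloading httpd it is worth checking that ssl.conf really disables SSLv2/SSLv3 and that the three files the vhost points at exist and are readable. The script below is an added example written for this post, not part of the original guide; the script name check_tls_config.sh and the two function names are my own, and it is exercised here against constructed config files rather than the live /etc/httpd ones.

```shell
#!/bin/sh
# Added pre-reload check for the Apache TLS setup above (not from the original post).
# Usage: sh check_tls_config.sh /etc/httpd/conf.d/ssl.conf /etc/httpd/conf/httpd.conf

# ssl_protocol_ok FILE: 0 if the last active SSLProtocol directive in FILE leaves
# neither SSLv2 nor SSLv3 enabled, 1 otherwise. No directive at all also fails,
# since the mod_ssl default on CentOS 7 still allowed SSLv3.
ssl_protocol_ok() {
    line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    set -- $line
    shift                               # drop the directive name
    all=0; v2=0; v3=0                   # 1 = explicitly on, -1 = explicitly off
    for tok in "$@"; do
        case "$(echo "$tok" | tr 'A-Z' 'a-z')" in
            all|+all)     all=1 ;;
            sslv2|+sslv2) v2=1 ;;
            sslv3|+sslv3) v3=1 ;;
            -sslv2)       v2=-1 ;;
            -sslv3)       v3=-1 ;;
        esac
    done
    # A version is live if listed positively, or covered by "all" and not excluded
    [ "$v2" = 1 ] || [ "$v3" = 1 ] && return 1
    [ "$all" = 1 ] && { [ "$v2" = 0 ] || [ "$v3" = 0 ]; } && return 1
    return 0
}

# cert_files_ok FILE: 0 if every SSLCertificateFile / SSLCertificateKeyFile /
# SSLCertificateChainFile path in the vhost config is readable, 1 otherwise.
# (Paths are taken as the second word of the line; quoted paths with spaces are not handled.)
cert_files_ok() {
    rc=0
    for path in $(grep -iE '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$1" | awk '{print $2}'); do
        [ -r "$path" ] || { echo "missing or unreadable: $path" >&2; rc=1; }
    done
    return $rc
}

# check_apache_tls SSL_CONF VHOST_CONF: run both checks; exit status 0 means it is safe to reload
check_apache_tls() {
    ok=0
    ssl_protocol_ok "$1" || { echo "SSLProtocol in $1 still allows SSLv2/SSLv3" >&2; ok=1; }
    cert_files_ok "$2" || ok=1
    return $ok
}

if [ $# -eq 2 ]; then check_apache_tls "$1" "$2"; fi
```

Apache keeps serving the old certificate after a renewal until it is reloaded, so a natural place to run this check followed by systemctl reload httpd.service is a script passed to certbot's --deploy-hook.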
Set up a cronjob to auto-renew
# Test that the auto-renew feature is working
certbot renew --dry-run
# ...
# Congratulations, all renewals succeeded. The following certs have been renewed:
# ...
crontab -e
# Add the following entry to attempt auto-renewal of the LetsEncrypt certificate at 06:30 and 15:30 each day
# (the official guide recommends running it this often; certbot only renews certificates that are close to expiry)
# 30 6,15 * * * certbot renew --quiet