LetsEncrypt SSL certificate on CentOS 7

So, it's been a year since I installed my (paid-for) certificate and much has changed in web-land. Chief among them, on the SSL front, has been LetsEncrypt, which offers free SSL certificates to anyone who requests them.

As I wasn't entirely enamoured with the idea of running "a fairly solid beta-quality Apache plugin", and I have full access to the webserver, this is a guide to obtaining the certificate with certbot's webroot method and wiring it into Apache by hand.

Install the epel repository

	
		# certbot is shipped in EPEL, not in the CentOS base repositories, so add EPEL first
		wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
		# Resolving dl.fedoraproject.org (dl.fedoraproject.org)... 209.132.181.23, 209.132.181.24, 209.132.181.25, ...
		# Connecting to dl.fedoraproject.org (dl.fedoraproject.org)|209.132.181.23|:443... connected.
		# rpm only warns (NOKEY) if the EPEL signing key is not imported yet; on CentOS 7 the
		# extras repo carries the same package, so "yum install epel-release" is the simpler, verified route
		rpm -Uvh epel-release-latest-7.noarch.rpm
	

Install certbot (the LetsEncrypt client)

	
		# python-certbot-apache pulls in certbot as a dependency; only certbot itself is needed for the webroot method used below
		yum install python-certbot-apache
		# request a new certificate for chrishewett.com and www.chrishewett.com
		# -w is the webroot of the site: certbot writes a token under <webroot>/.well-known/acme-challenge/
		# and LetsEncrypt fetches it over plain HTTP (port 80) to check you control the domain, so this
		# path must be the DocumentRoot that the port-80 virtual host serves for these names
		# --dry-run first to test it will work (uses the staging environment, so no production rate limits are consumed)
		certbot certonly --dry-run --webroot -w /home/sites/chrishewett_com/web/app/webroot/ -d chrishewett.com -d www.chrishewett.com
		# if no errors then run for real
		certbot certonly --webroot -w /home/sites/chrishewett_com/web/app/webroot/ -d chrishewett.com -d www.chrishewett.com
		# An interactive series of prompts (contact email, terms of service) will take you through the process;
		# the key and certificate files end up under /etc/letsencrypt/live/chrishewett.com/
	

Install mod_ssl and configure the HTTPS virtual host

	
		yum install mod_ssl
		# Disable SSLv3 (and SSLv2) to stop the POODLE bug; CentOS 7's OpenSSL will then negotiate TLS 1.0-1.2 only
		nano /etc/httpd/conf.d/ssl.conf
		# SSLProtocol all -SSLv2 -SSLv3
		# Note: the CentOS 7 ssl.conf puts SSLProtocol inside its own <VirtualHost _default_:443> (which uses the
		# self-signed localhost certificate), so repeat the line in your virtual host, or set it outside any
		# VirtualHost at server level, to be sure it applies to your site too
		# Now add the HTTPS virtual host to the main config
		nano /etc/httpd/conf/httpd.conf
	
	
		<VirtualHost *:443>
			ServerName chrishewett.com
			ServerAlias www.chrishewett.com
			DocumentRoot /home/sites/chrishewett_com/app/public
			DirectoryIndex index.php
			<Directory /home/sites/chrishewett_com/app/public>
				AddType application/x-httpd-php .php
				# +Indexes enables directory listings for any directory without an index file,
				# which exposes file names to anyone; drop it unless listings are wanted
				Options +ExecCGI +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
				AllowOverride All
				Require all granted
			</Directory>
			SSLEngine on
			# Same protocol restriction as ssl.conf so it applies to this virtual host as well
			SSLProtocol all -SSLv2 -SSLv3
			# Files in /etc/letsencrypt/live/ are symlinks that certbot repoints on renewal, so these paths never change
			SSLCertificateKeyFile /etc/letsencrypt/live/chrishewett.com/privkey.pem
			SSLCertificateFile /etc/letsencrypt/live/chrishewett.com/cert.pem
			# CentOS 7 ships httpd 2.4.6 where this works; on 2.4.8+ SSLCertificateChainFile is deprecated
			# and you point SSLCertificateFile at fullchain.pem instead
			SSLCertificateChainFile /etc/letsencrypt/live/chrishewett.com/chain.pem
		</VirtualHost>
	
	
		# Check the config parses before reloading, otherwise a typo takes the site down
		apachectl configtest
		systemctl reload httpd.service
		# Browse to your site, click on the padlock symbol and verify that the certificate is now LetsEncrypt,
		# or check from the command line (-servername sends SNI so the right virtual host answers)
		openssl s_client -connect chrishewett.com:443 -servername chrishewett.com </dev/null 2>/dev/null | openssl x509 -noout -issuer -dates
	

Setup Cronjob to auto renew

	
		# Test the auto renew feature is working (talks to the staging environment; nothing on disk is replaced)
		certbot renew --dry-run
		# ...
		# Congratulations, all renewals succeeded. The following certs have been renewed:
		# ...
		crontab -e
		# Attempt to auto renew the LetsEncrypt certificate at 6:30/15:30 each day (recommended to do it this often in the official guide);
		# certbot only actually renews once the certificate is within 30 days of expiry, so the other runs are no-ops
		# Use the full path, as cron runs with a minimal PATH; --quiet keeps the output to errors only
		# 30 6,15 * * * /usr/bin/certbot renew --quiet
		# Caveat: certbot renew only rewrites the files under /etc/letsencrypt; httpd keeps serving the old certificate
		# it loaded at start-up until it is reloaded, so hook a reload in. --deploy-hook (certbot 0.17+) runs only when
		# a certificate was actually renewed; older releases have --post-hook, which runs after every renewal attempt
		# 30 6,15 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload httpd.service"
	
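The renewal cron above fails silently in two ways a padlock check will not catch until the certificate has expired: certbot stops renewing (the on-disk certificate creeps towards its expiry date), or it renews but httpd is never reloaded (the served certificate no longer matches the on-disk one). The script below is an added example, not part of the original post or of certbot; it assumes certbot's /etc/letsencrypt/live/<name>/ layout, the chrishewett.com paths from the virtual host above (substitute your own), and that openssl is installed. It checks that privkey.pem still belongs to cert.pem, that the certificate has more than a given number of days left (25 is chosen because certbot renews at 30 days remaining, so anything below that means the cron is not working), and that the certificate served on port 443 has the same SHA-256 fingerprint as the file on disk.

```bash
#!/bin/bash
# Added example: post-renewal health check for a webroot-issued LetsEncrypt certificate on Apache.
# Assumed (not from the original post): certbot's live/ layout, openssl on PATH, the hostname below.

# SHA-256 fingerprint of a PEM certificate file, hex with colons
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# Fingerprint of the certificate a host actually serves for a given SNI name
served_fingerprint() {
    local host="$1" name="${2:-$1}" port="${3:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Returns 0 if the certificate in $1 is still valid for at least $2 more days, 1 otherwise
# (openssl -checkend takes seconds and exits non-zero when the cert expires within that window)
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Returns 0 if the private key in $1 is the key behind the certificate in $2
# (compares the public keys, so it works for RSA and EC keys alike)
key_matches_cert() {
    local key_pub cert_pub
    key_pub=$(openssl pkey -pubout -in "$1" 2>/dev/null)
    cert_pub=$(openssl x509 -pubkey -noout -in "$2" 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Run all three checks; returns 0 only if the on-disk certificate is fresh, matches its key,
# and is the one httpd is serving. Prints one line per check so it reads well from cron mail.
check_deployment() {
    local live="$1" host="$2" min_days="${3:-25}"
    local cert="$live/cert.pem" key="$live/privkey.pem" rc=0 disk served

    if key_matches_cert "$key" "$cert"; then
        echo "ok:   privkey.pem matches cert.pem"
    else
        echo "FAIL: privkey.pem does not match cert.pem (half-written renewal?)"; rc=1
    fi

    if cert_valid_for_days "$cert" "$min_days"; then
        echo "ok:   certificate valid for more than $min_days days"
    else
        echo "FAIL: certificate expires within $min_days days (is certbot renew running?)"; rc=1
    fi

    disk=$(cert_fingerprint "$cert")
    served=$(served_fingerprint "$host")
    if [ -n "$served" ] && [ "$disk" = "$served" ]; then
        echo "ok:   httpd serves the on-disk certificate ($disk)"
    else
        echo "FAIL: served ${served:-nothing} but on-disk is $disk (reload httpd?)"; rc=1
    fi
    return $rc
}

# Usage, e.g. from cron an hour after the renewal job:
#   check_deployment /etc/letsencrypt/live/chrishewett.com chrishewett.com 25
# Only runs when invoked with arguments so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    check_deployment "$@"
fi
```

Run it from cron after the renewal slot (or as the `--deploy-hook` itself, after the reload) and let cron mail you the FAIL lines; a passing run is silent enough to ignore.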