Let's Encrypt is a free certificate authority that issues basic SSL/TLS certificates that validate correctly in most browsers. This guide walks you through installing all of the software required to get Apache serving content over HTTPS in its default configuration. If you already have multiple vhosts set up on your server, Certbot should detect them and the process is mostly the same.
We will first start by installing Apache with SSL support.
yum install httpd mod_ssl
Next, since Certbot is not provided by the CentOS base repositories, we need to enable the EPEL repository. Once it is enabled we can install Certbot.
yum install epel-release
yum install python-certbot-apache
Apache needs to be running so that Let's Encrypt can verify that the domain you're generating the certificate for is really under your control. Your domain's DNS must also already point at this server.
systemctl enable httpd
systemctl start httpd
If you have firewalld running, you will need to run the following commands so your server can receive HTTP and HTTPS requests.
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent
We can now request a new certificate from Let's Encrypt. The example below requests a single certificate covering domain.com and www.domain.com; change those names to your own domain.
certbot --apache -d domain.com -d www.domain.com
You should now have a valid certificate for your site!
Purchased certificates normally last at least one year. Let's Encrypt certificates only last 90 days. Rather than having to remember to renew your certificate every 3 months, we will set up a cron job that attempts to renew it nightly. Certbot will not actually renew the certificate unless it is about to expire.
crontab -e
Add the following line.
0 0 * * * /usr/bin/certbot renew >> /var/log/certbot-renew.log
This will run Certbot nightly and append its output to /var/log/certbot-renew.log. Because nothing reads that log automatically, it is worth checking it occasionally for failed renewal attempts.
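The whole procedure above, from package installation through the nightly cron job, as an added shell script that is not part of the original guide or of Certbot itself. It assumes CentOS 7 with yum, systemd and firewalld, the same package names and log path the guide uses, and a hypothetical DRY_RUN variable that, when set to 1 (the default), prints the privileged commands instead of running them, so the script can be read and exercised safely before it is run as root. The renew_log_failures function counts failure lines in the cron job's log; the sample log lines used to show it are constructed, not real Certbot output.

```shell
#!/bin/sh
# Added example (not from the guide or from Certbot). Wraps the CentOS steps
# from the guide in functions and adds a simple check over the renewal log.
# Assumptions: CentOS 7, yum, systemd, firewalld, and the guide's log path.
# DRY_RUN=1 (default) only prints privileged commands; DRY_RUN=0 runs them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RENEW_LOG="${RENEW_LOG:-/var/log/certbot-renew.log}"

# Print or execute a privileged command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Build the certbot invocation for one or more domains. The first name becomes
# the certificate's primary name; the rest are added as further -d names.
build_certbot_cmd() {
    cmd="certbot --apache"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    echo "$cmd"
}

# The guide's steps, in order: Apache with mod_ssl, EPEL and Certbot, start
# Apache so the HTTP challenge can be answered, open the firewall, request
# the certificate.
setup_letsencrypt() {
    [ "$#" -ge 1 ] || { echo "usage: setup_letsencrypt domain [domain...]" >&2; return 2; }
    run yum -y install httpd mod_ssl
    run yum -y install epel-release
    run yum -y install python-certbot-apache
    run systemctl enable httpd
    run systemctl start httpd
    run firewall-cmd --add-service=http
    run firewall-cmd --add-service=https
    run firewall-cmd --runtime-to-permanent
    # shellcheck disable=SC2046  # word-splitting of the built command is intended
    run $(build_certbot_cmd "$@")
}

# Install the guide's nightly renewal job; stderr is captured as well so that
# failures end up in the log file. Existing certbot lines are replaced, which
# keeps the function safe to run more than once.
install_renew_cron() {
    line="0 0 * * * /usr/bin/certbot renew >> $RENEW_LOG 2>&1"
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ crontab line: $line"
        return 0
    fi
    ( crontab -l 2>/dev/null | grep -vF 'certbot renew' || true; echo "$line" ) | crontab -
}

# Count lines in the renewal log that indicate a failed attempt. Prints 0 when
# the log does not exist yet. A non-zero count is what an operator should
# alert on; the matched words are the ones Certbot uses on errors.
renew_log_failures() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -ci 'failed\|unexpected error' "$1" || true
}

# Usage (dry run by default): sh setup-letsencrypt.sh domain.com www.domain.com
if [ "$#" -gt 0 ]; then
    setup_letsencrypt "$@"
    install_renew_cron
    echo "failed renewal attempts logged in $RENEW_LOG: $(renew_log_failures "$RENEW_LOG")"
fi
```

Run it once with the default DRY_RUN=1 to review the exact commands it would issue for your domains, then rerun with DRY_RUN=0 as root. Pointing renew_log_failures at /var/log/certbot-renew.log from a monitoring check turns the silently appended log into something that actually raises an alarm when a renewal stops working.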