In this post, we explain how to install and configure SSL on CentOS using Let’s Encrypt. The main advantage of using letsencrypt is that it is free. The certificate is valid for 90 days, and you only need to run a simple command to renew it. Let’s Encrypt is a new Certificate Authority. It’s free, automated, and open.

Let's start by installing the openssl package.

yum install openssl

You can install letsencrypt in any location. I chose to install it in /usr/local/src.

cd /usr/local/src

Now, clone the letsencrypt repository.

git clone https://github.com/letsencrypt/letsencrypt

Change into the letsencrypt directory.

cd letsencrypt

Check whether letsencrypt is installed correctly.

./letsencrypt-auto --help

Now stop the httpd service, because the standalone mode needs to bind the web ports itself, and obtain a letsencrypt certificate for the domain.

service httpd stop

./letsencrypt-auto certonly --standalone -d domain.tld

The above command prompts you for a recovery email address. Enter your recovery email address and complete the installation. Once the installation is complete, letsencrypt displays the following message.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert
   will expire on 2017-02-13. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to recovery-email@domain.tld.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

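Now it's time to configure Apache to use the SSL certificate. Open the HTTP configuration for your domain and append the following lines. This is a minimal configuration, which is enough to use the SSL certificate obtained from letsencrypt. Note that SSLProtocol ALL -SSLv2 -SSLv3 still allows TLS 1.0 and TLS 1.1, and the cipher list still contains 3DES suites; tighten both if your clients do not need them.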

ServerName domain.tld
ServerAlias domain.tld www.domain.tld
# Modify the DocumentRoot as per your server settings
DocumentRoot "/var/www/html"
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem

Restart the httpd service for the changes to take effect.

service httpd restart

It's time to verify the installation. Open the URL below; if every check is green, the SSL certificate is installed correctly.

https://www.sslshopper.com/ssl-checker.html#hostname=domain.tld

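Add the renew command to crontab so that the certificate is renewed automatically before it expires. In this example, cron runs it once a week. Because the certificate was issued in standalone mode, renewal needs the ports that httpd is listening on, so the --pre-hook and --post-hook options stop and start httpd around a renewal.

crontab -e

0 0 * * 1 /usr/local/src/letsencrypt/letsencrypt-auto renew --pre-hook "service httpd stop" --post-hook "service httpd start" >>/var/log/le-renew.log 2>&1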
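
To confirm locally that the weekly renewal is actually working, a check like the following can run from cron after the renew job. It is an added example, not part of the original post or of letsencrypt; the function names and the 20-day threshold are assumptions (certbot's renew only acts once fewer than 30 days remain, so a certificate with under about 20 days left despite a weekly job suggests renewals are failing).

```shell
#!/bin/sh
# Added example: local health check for a Let's Encrypt live directory.
# Function names and the default threshold are assumptions of this example.

# Succeeds if the certificate ($1) stays valid for at least $2 more days.
cert_valid_for_days() (
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
)

# Succeeds if cert ($1) and private key ($2) carry the same public key.
key_matches_cert() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Runs both checks on a live directory ($1); $2 is the minimum number of
# days the certificate must still be valid (default 20).
# Prints one line per check and returns 0 only if everything passes.
check_live_dir() (
    dir=$1; min_days=${2:-20}; rc=0
    for f in cert.pem privkey.pem; do
        [ -r "$dir/$f" ] || { echo "FAIL $dir/$f missing or unreadable"; exit 1; }
    done
    if cert_valid_for_days "$dir/cert.pem" "$min_days"; then
        echo "OK   certificate valid for at least $min_days more days"
    else
        echo "FAIL certificate expires within $min_days days"; rc=1
    fi
    if key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "OK   privkey.pem matches cert.pem"
    else
        echo "FAIL privkey.pem does not match cert.pem"; rc=1
    fi
    exit "$rc"
)

# Run only when a directory is given, e.g.:
#   sh check-cert.sh /etc/letsencrypt/live/domain.tld 20
if [ "$#" -gt 0 ]; then
    check_live_dir "$@"
    exit $?
fi
```

A non-zero exit status means at least one check failed, so the script can be chained after the renew command and its output appended to the same log.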

 

Bonus Information:

Here we explain how to configure the SSL certificate on zPanel. Follow the same steps up to “letsencrypt-auto certonly --standalone -d domain.tld”.

Now, login to zpanel and modify the domain virtualhost configuration.

1. Go to zPanel > Module Admin > Apache Config > Override a Virtualhost

2. Select the domain.tld from dropdown list

3. Modify the following settings.

Port Override: 443

Forward Port 80 to Overriden Port: Enable

4. Add the following entries under Current Entry

SSLEngine on

SSLProtocol ALL -SSLv2 -SSLv3

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem

5. Login to the server and execute the following command

php -q /etc/zpanel/panel/bin/daemon.php

6. Restart the httpd service

service httpd restart

Feel free to comment here in case you face any issues 🙂
