In a world of constantly evolving cyber threats, securing your webserver should be top-of-the-mind concern. One of the easiest ways of boosting your web server’s security is by securing it with an SSL certificate. The encrypts the traffic exchanged between the web server and user's browser and prevents hackers from eavesdropping and intercepting confidential information such as usernames and passwords.
Let's Encrypt is a free and automated certificate authority that helps you to set up a secure HTTPS server using a free SSL certificate with a shelf life of approximately 90 days.
In this context, we shall look into the process of securing your webserver using Let's Encrypt SSL certificate.
Steps to secure your webserver using Let's Encrypt SSL certificate
As we get started, we assume that you already have the Apache webserver stack installed on your Rocky Linux 8. If not, check out this guide on how to install LAMP server on Rocky Linux 8. The first step is a walkthrough of how to install Apache HTTP webserver.
Also, ensure that you have a valid domain name pointing to your server's Public IP address. For this guide, we will be using the domain name called outsourcepath.com.
1. Install EPEL repository
To begin, we will start with the installation of EPEL ( Extra Packages for Enterprise Linux ). This is a repository from Fedora that provides additional packages for RHEL-based systems.
So, run the below command:
$ sudo dnf install epel-release
2. Install Certbot
Once EPEL is installed, go ahead and install certbot , the apache module for certbot and mod_ssl which is a module that provides cryptographic features for Apache:
$ sudo dnf install certbot python3-certbot-apache mod_ssl
After the installation of the packages, restart the Apache HTTP web server:
$ sudo systemctl restart httpd
In addition, ensure that the webserver is running:
$ sudo systemctl status httpd
3. Create virtualhost file
The next step it configure an Apache virtual host file. This is a configuration that will serve our domain's web content and will be used by certbot to facilitate the installation of Let's Encrypt.
So, create a folder for your website. In this case, I will create a directory for outsourcepath.com which is my domain name pointed to the IP of my webserver:
$ sudo mkdir -p /var/www/outsourcepath.com
Assign the directory ownership to Apache user:
$ sudo chown -R apache:apache /var/www/outsourcepath.com
Next, create a virtual host file in the /etc/httpd/conf.d directory:
$ sudo vim /etc/httpd/conf.d/outsourcepath.com.conf
Paste the configuration shown and be sure to replace outsourcepath.com with your own domain name:
CustomLog /var/log/httpd/outsourcepath.com-access.log combined
Save and exit the configuration file. Then restart Apache webserver:
$ sudo systemctl restart httpd
Let's now obtain the SSL certificate.
4. Obtain the SSL certificate
Finally, to install Let’s Encrypt using Certbot, run the following command:
$ sudo certbot --apache
This walks you through a series of steps to configure the SSL certificate, provide your email address, read and agree the terms of service and choose which names you would want to activate HTTPS on.
Certbot will detect your virtual host configuration and request the Let's Encrypt SSL certificate for all of them.
Once certbot is done applying the SSL certificate on your webserver, proceed and test the SSL settings by performing an SSL server test at SSL Labs. This is an online platform that performs a deep analysis your site's web server.
5. Configure certificate auto-renewal
As previously mentioned, Let's Encrypt certificate is only valid for 90 days, after which you will be required to renew it. You can renew the certificate manually a day before the expiration using the command:
$ certbot renew
A better approach would be to set up a cron job what will automate the certificate’s renewal process. So, open the crontab file:
$ crontab -e
Add this line at the very end of the file and save the changes:
0 0 * * * /usr/bin/certbot renew > /dev/null 2>&1