Using letsencrypt on CentOS requires a few modifications to the system before you can run the letsencrypt client. The vhost layout on CentOS is different from the one on Debian-based distros. This is how I modified my CentOS install so that letsencrypt-auto works and I can use the free Let's Encrypt SSL certificates.
letsencrypt-auto's Apache plugin only works with one vhost per file, and it looks in /etc/httpd/sites-enabled for the vhost configurations. My CentOS setup kept them in a directory called /etc/httpd/vhosts.conf.d instead.
First, create /etc/httpd/sites-available and /etc/httpd/sites-enabled so that letsencrypt-auto can manage our vhosts:
mkdir -p /etc/httpd/sites-available /etc/httpd/sites-enabled
Move your existing vhost configurations into /etc/httpd/sites-available (for me that meant everything in /etc/httpd/vhosts.conf.d) so that your sites don't stop working:
mv /path/to/vhosts/*.conf /etc/httpd/sites-available/
Next, symlink your vhosts into the sites-enabled directory so that they are included when Apache starts. Link by basename: find prints full paths, so prefixing them with the directory again produces a broken link.
for f in /etc/httpd/sites-available/*.conf; do
    ln -s "$f" "/etc/httpd/sites-enabled/$(basename "$f")"
done
Next, edit /etc/httpd/conf/httpd.conf and add a line including the enabled sites on startup, IncludeOptional sites-enabled/*.conf (or change the existing Include line that points at your old vhost directory); this is the Debian way.
Check the syntax with apachectl configtest, then restart httpd to make sure it all still works (I don't think systemctl reload httpd.service works for this step; I didn't try it though):
systemctl restart httpd.service
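The whole layout change as one idempotent script, as an added example (this is my own script, not part of the original post or of the letsencrypt client). It assumes httpd 2.4's IncludeOptional directive, that the old vhosts live in /etc/httpd/vhosts.conf.d, and that httpd.conf is at /etc/httpd/conf/httpd.conf; HTTPD_ROOT and VHOST_SRC can be overridden to exercise it in a scratch directory first. It links by basename, skips work already done on a second run, and runs apachectl configtest before restarting, so a broken vhost never takes the server down.

```shell
#!/bin/sh
# Added example, not from the original post: move CentOS vhosts into a
# Debian-style sites-available/sites-enabled layout for letsencrypt-auto.
# Assumptions: httpd 2.4 (IncludeOptional), old vhosts in vhosts.conf.d,
# httpd.conf at $HTTPD_ROOT/conf/httpd.conf. Override HTTPD_ROOT/VHOST_SRC
# to exercise the script against a scratch directory first.
set -eu

HTTPD_ROOT="${HTTPD_ROOT:-/etc/httpd}"
VHOST_SRC="${VHOST_SRC:-$HTTPD_ROOT/vhosts.conf.d}"

# Create the Debian-style directories (no-op if they already exist).
make_site_dirs() {
    mkdir -p "$HTTPD_ROOT/sites-available" "$HTTPD_ROOT/sites-enabled"
}

# Move every *.conf from the old vhost directory into sites-available.
move_vhosts() {
    for f in "$VHOST_SRC"/*.conf; do
        [ -e "$f" ] || continue            # glob matched nothing
        mv "$f" "$HTTPD_ROOT/sites-available/"
    done
}

# Link each available site into sites-enabled by basename, never by the
# full path, and leave links that already exist alone.
enable_all_sites() {
    for f in "$HTTPD_ROOT"/sites-available/*.conf; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        [ -L "$HTTPD_ROOT/sites-enabled/$name" ] || \
            ln -s "$f" "$HTTPD_ROOT/sites-enabled/$name"
    done
}

# Append the Debian-style include to httpd.conf, exactly once.
add_include_line() {
    conf="$HTTPD_ROOT/conf/httpd.conf"
    if ! grep -q '^IncludeOptional sites-enabled/\*\.conf' "$conf" 2>/dev/null; then
        printf '\n# per-site vhosts, Debian style (used by letsencrypt-auto)\nIncludeOptional sites-enabled/*.conf\n' >> "$conf"
    fi
}

# Number of enabled sites whose symlink resolves to a real file.
count_enabled() {
    n=0
    for l in "$HTTPD_ROOT"/sites-enabled/*.conf; do
        if [ -L "$l" ] && [ -e "$l" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

migrate() {
    make_site_dirs
    move_vhosts
    enable_all_sites
    add_include_line
}

# Usage: sh migrate-vhosts.sh run   (as root). Without "run" the script only
# defines the functions, so it can be sourced and tried in a scratch directory.
if [ "${1:-}" = run ]; then
    migrate
    echo "enabled sites: $(count_enabled)"
    apachectl configtest               # set -e: a broken vhost stops here...
    systemctl restart httpd.service    # ...so we only restart on a clean config
fi
```

Run it once with a scratch HTTPD_ROOT containing a copy of your real httpd.conf and vhosts, inspect the result, then run it for real as root.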
We now have CentOS configured in a way that lets us use letsencrypt-auto out of the box!
If you don't already have git installed, you'll need it:
yum install git
To install the letsencrypt client, clone it from git:
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
You should now be ready to fetch certificates using the letsencrypt-auto client:
/opt/letsencrypt/letsencrypt-auto --apache -d example.com
You can also cover subdomains with the same certificate by passing several -d flags:
/opt/letsencrypt/letsencrypt-auto --apache -d example.com -d www.example.com -d static.example.com
The first time you run letsencrypt on CentOS the client downloads and installs its dependencies, then presents an ncurses UI with some options for you to pick from, including setting up a 301 redirect from the non-HTTPS to the HTTPS version of your site.
If the client fails, it prints the reasons on stdout. I had to separate my vhost files so that there was one configuration per file (I deleted the :443 section, left the :80 section and let the client generate the SSL version for me).
If the certificates install correctly, you'll get something that looks like this:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through e-mails sent to email@example.com.
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-04-21. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
You aren't done yet though: letsencrypt will have created a new vhost file directly in the sites-enabled folder. It's best to move it to the sites-available folder and symlink it back into sites-enabled, so that every enabled site is a link like the others. Take the note about /etc/letsencrypt seriously too: it holds your private keys, so keep it readable by root only and include it in your backups.
Let's Encrypt certificates expire after 90 days, so you have to set up renewal.
The easiest way is with a cron job.
Test the renewal with:
/opt/letsencrypt/letsencrypt-auto renew
You'll get a message saying that your certificates aren't due for renewal yet; that's OK, we just needed to see that the renewal found your existing certs.
Add the command to a cron job (the Let's Encrypt site recommends trying twice a day):
0 6,12 * * * /opt/letsencrypt/letsencrypt-auto renew
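A cron-friendly renewal wrapper, as an added example that is not part of the original post or of the letsencrypt client: it logs each run, and reloads httpd only when a certificate file under /etc/letsencrypt/live actually changed, so the twice-daily "not due for renewal" runs leave the web server alone. The paths LE_CLIENT, LIVE_DIR and LOG, and the install location /usr/local/sbin/le-renew.sh in the cron line, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: cron wrapper for renewal.
# Runs `letsencrypt-auto renew`, logs the output, and reloads httpd only
# if a live certificate actually changed. LE_CLIENT, LIVE_DIR and LOG are
# assumed paths; override them to try the helpers in a scratch directory.
set -u

LE_CLIENT="${LE_CLIENT:-/opt/letsencrypt/letsencrypt-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
LOG="${LOG:-/var/log/letsencrypt-renew.log}"

# One line per live certificate: "<path> <mtime in seconds>". The files in
# live/ are symlinks into archive/, so -L reads the real file's timestamp
# (stat -c is GNU coreutils, which is what CentOS ships).
cert_state() {
    for f in "$LIVE_DIR"/*/fullchain.pem; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$f" "$(stat -L -c %Y "$f")"
    done
}

# True (exit 0) when two cert_state snapshots differ, i.e. something renewed.
certs_changed() {
    [ "$1" != "$2" ]
}

main() {
    before=$(cert_state)
    {
        echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') renew start"
        "$LE_CLIENT" renew
        echo "=== renew exit status $?"
    } >> "$LOG" 2>&1
    after=$(cert_state)
    if certs_changed "$before" "$after"; then
        echo "=== certificate files changed, reloading httpd" >> "$LOG"
        systemctl reload httpd.service >> "$LOG" 2>&1
    else
        echo "=== no certificate changed, nothing to reload" >> "$LOG"
    fi
}

# Cron entry, twice a day as letsencrypt.org suggests (assumed install path):
#   0 6,12 * * * /usr/local/sbin/le-renew.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Comparing file timestamps rather than grepping the client's output means the reload decision does not depend on the exact wording letsencrypt-auto prints, which has changed between releases.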
You now have letsencrypt on CentOS! Next you'll want to check the cipher strength of your new setup; I wrote a post about hardening SSL ciphers to help :D