Apache 2.4 on CentOS With Let's Encrypt

Let's Encrypt is a Certificate Authority (CA) that issues free HTTPS certificates.

You can set everything up with certbot:

yum install certbot

I had a problem with the automatic configuration when running certbot --apache.

If that works for you, great.

I assume you already have an Apache virtual host configured.

So I used the webroot method instead:

certbot certonly --webroot -w /var/www/mydomain.com/public -d mydomain.com

If you want to create a certificate for multiple domains, especially when you also have www.mydomain.com, add another -d parameter to certbot:

certbot certonly --webroot -w /var/www/mydomain.com/public -d mydomain.com -d www.mydomain.com

The output will be:

- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mydomain.com/fullchain.pem. ... 

Make sure you have mod_ssl installed and loaded

yum install mod_ssl

apachectl -M | grep ssl

should output

ssl_module (shared)

If you have it installed but not loaded, add this to one of the configuration files:

LoadModule ssl_module modules/mod_ssl.so

Then, following the basic example from the Apache docs, do this:

# this should exist by default in the config - /etc/httpd/conf.d/ssl.conf
Listen 443

Keep the previous virtual host definition for port :80 and duplicate it. Change the port to :443 and add the SSL* lines:

<VirtualHost *:80>
    ServerName mydomain.com

    DocumentRoot /var/www/mydomain.com/public
    ErrorLog /var/www/mydomain.com/error.log
    CustomLog /var/www/mydomain.com/access.log combined
</VirtualHost>

# Duplicate this block (Apache does not allow a comment after a directive
# or section tag on the same line, so comments go on their own lines)

# change from 80 -> 443
<VirtualHost *:443>
    ServerName mydomain.com

    DocumentRoot /var/www/mydomain.com/public
    ErrorLog /var/www/mydomain.com/error.log
    CustomLog /var/www/mydomain.com/access.log combined

    # add this!
    SSLEngine on
    # these files should exist after the `certbot certonly ...` command
    SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>

The certbot renew command renews any certificate that is close to expiry. Set a cron job with crontab -e to run it twice a day:

0 0,12 * * * certbot renew >> ~/certbot_log 2>&1

Should you do it? For SEO, Google says it is fine.

And Google says it is OK to move from HTTP to HTTPS.

So, again in the Apache config, add a redirect. Choose whether you want www or not.

<VirtualHost *:80>
    ServerName www.example.com
    # I guess other directives can be removed
    # Don't forget the trailing slash!
    Redirect "/" "https://www.example.com/"
</VirtualHost>

If you want only the version without www, add this:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

Or in the .htaccess file:

RewriteEngine On

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

And, last but not least, restart:

apachectl restart

Some additional resources for configuring Apache SSL are here.

Test your website here.

Update:

Hm, recently I had an issue with this message:

Let's encrypt bad configuration

So what happened was a bad Apache configuration. This part:

SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

should be:

SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
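As an added example (this is not code from the article, from certbot or from Apache), the following Python script checks Apache configuration text for the problems this article runs into: a *:443 vhost without SSLEngine on or without certificate and key directives, SSLCertificateFile pointing at fullchain.pem instead of cert.pem (the "bad configuration" above), a "# comment" trailing a directive or section tag on the same line (which Apache rejects), and a certbot renew cron entry that never reloads Apache. It assumes the config is handed over as a string; the two sample configs and the cron line embedded at the bottom are constructed from the article's own snippets.

```python
"""Static checks for the Apache SSL vhost layout used in this article.

Added example, not code from the article, certbot or Apache. The sample
configs and cron line at the bottom are constructed for the example.
"""
import re

# Opening and closing tags of a VirtualHost section, e.g. "<VirtualHost *:443>".
OPEN_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>", re.I)
CLOSE_RE = re.compile(r"</VirtualHost\s*>", re.I)


def parse_vhosts(config):
    """Split config text into vhosts: [{"address", "directives", "lines"}].

    "directives" maps lower-cased directive names to their argument string;
    "lines" keeps (line number, text) of every non-comment line in the
    section, opening tag included, for the trailing-comment check.
    """
    vhosts, current = [], None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and whole-line comments are fine
        opened = OPEN_RE.match(line)
        if opened:
            current = {"address": opened.group(1), "directives": {}, "lines": [(lineno, line)]}
            continue
        if CLOSE_RE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is not None:
            current["lines"].append((lineno, line))
            parts = line.split(None, 1)
            current["directives"][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return vhosts


def check_config(config):
    """Return a list of findings (strings); an empty list means nothing was found."""
    findings = []
    vhosts = parse_vhosts(config)
    for vh in vhosts:
        tag = f"{vh['directives'].get('servername', '?')} ({vh['address']})"
        # Apache does not allow a comment after a directive or section tag on the
        # same line; " #" is a heuristic for that (a quoted "#" in a value is rare).
        for lineno, line in vh["lines"]:
            if " #" in line:
                findings.append(f"{tag}: line {lineno}: trailing comment is a syntax error: {line!r}")
        if not vh["address"].endswith(":443"):
            continue
        d = vh["directives"]
        if d.get("sslengine", "").lower() != "on":
            findings.append(f"{tag}: missing 'SSLEngine on'")
        for name in ("sslcertificatefile", "sslcertificatekeyfile"):
            if name not in d:
                findings.append(f"{tag}: missing {name}")
        if d.get("sslcertificatefile", "").endswith("fullchain.pem"):
            findings.append(f"{tag}: SSLCertificateFile points at fullchain.pem; use cert.pem here "
                            "and fullchain.pem in SSLCertificateChainFile")
    if not any(vh["address"].endswith(":443") for vh in vhosts):
        findings.append("no *:443 vhost found; HTTPS is not served")
    return findings


def check_renew_cron(cron_line):
    """Flag a 'certbot renew' cron entry that never reloads Apache.

    A renewed certificate on disk is not served until httpd reloads it, so the
    entry should carry --deploy-hook (runs only when a certificate was renewed).
    """
    if "certbot renew" not in cron_line:
        return ["not a certbot renew entry"]
    if "--deploy-hook" in cron_line or "--post-hook" in cron_line:
        return []
    return ["certbot renew runs without --deploy-hook; Apache keeps serving the old certificate until reloaded"]


# Constructed sample: the article's first attempt, with the trailing comments and fullchain.pem mistake.
BAD_CONFIG = """\
<VirtualHost *:80>
    ServerName mydomain.com
    Redirect permanent "/" "https://mydomain.com/" # Don't forget last slash!
</VirtualHost>

<VirtualHost *:443> # change from 80 -> 443
    ServerName mydomain.com
    DocumentRoot /var/www/mydomain.com/public
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
"""

# Constructed sample: the corrected layout from the update.
GOOD_CONFIG = """\
<VirtualHost *:443>
    ServerName mydomain.com
    DocumentRoot /var/www/mydomain.com/public
    SSLEngine on
    SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
"""

CRON_LINE = "0 0,12 * * * certbot renew >> ~/certbot_log 2>&1"

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check_config(cfg) or "OK")
    print("cron", check_renew_cron(CRON_LINE) or "OK")
```

To use it on a real server, read /etc/httpd/conf.d/ssl.conf (or whichever file holds the vhosts) into a string and pass it to check_config. The fullchain.pem check follows the layout the article ended up with on CentOS httpd; Apache 2.4.8 and newer also accept fullchain.pem directly in SSLCertificateFile, so drop that check if that is what you run.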

After trying many redirect techniques for Apache, I think the easiest so far is not to use a ServerAlias but to have a separate vhost directive.

<VirtualHost *:80>
    ServerName www.mydomain.com
    Redirect permanent "/" "https://mydomain.com/"
</VirtualHost>
<VirtualHost *:80>
    ServerName mydomain.com
    DocumentRoot /var/www/mydomain.com/public
    ErrorLog /var/www/mydomain.com/error.log
    CustomLog /var/www/mydomain.com/access.log combined
</VirtualHost>

Author

I plan to write more articles about common laravel components. If you are interested let’s stay in touch.