Let's Encrypt is a Certificate Authority (CA) that issues free HTTPS certificates.
You can set everything up with certbot:
yum install certbot
For Apache, also install the Apache plugin:
yum install certbot-apache
I had a problem with the automatic configuration when running certbot --apache.
If that works for you - great.
I assume you already have an Apache virtual host configured.
So I used: certbot certonly --webroot -w /var/www/mydomain.com/public -d mydomain.com
If you want to create a certificate for multiple domains, especially when you also have www.mydomain.com,
add another -d parameter to certbot: certbot certonly --webroot -w /var/www/mydomain.com/public -d mydomain.com -d www.mydomain.com
Output will be:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/mydomain.com/fullchain.pem. ...
Make sure you have mod_ssl installed and loaded:
yum install mod_ssl
apachectl -M | grep ssl
should output
ssl_module (shared)
If it is installed but not loaded, add this to one of the configuration files:
LoadModule ssl_module modules/mod_ssl.so
Then, following the basic example from the Apache docs, make sure Apache listens on port 443:
# this should exist by default in the config - /etc/httpd/conf.d/ssl.conf
Listen 443
Keep the previous virtual host definition for port :80 and duplicate it. Change the port to :443 and add the SSL* lines:
<VirtualHost *:80>
ServerName mydomain.com
DocumentRoot /var/www/mydomain.com/public
ErrorLog /var/www/mydomain.com/error.log
CustomLog /var/www/mydomain.com/access.log combined
</VirtualHost>
# Duplicate this block and change the port from 80 to 443
# (Apache does not allow comments at the end of a directive line)
<VirtualHost *:443>
ServerName mydomain.com
DocumentRoot /var/www/mydomain.com/public
ErrorLog /var/www/mydomain.com/error.log
CustomLog /var/www/mydomain.com/access.log combined
# add this!
SSLEngine on
# these files should exist after `certbot certonly ...` command
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
certbot renew renews the certificate when it is close to expiry.
Set a cron job with crontab -e to run it twice a day:
0 0,12 * * * certbot renew >> ~/certbot_log 2>&1
Note that with the webroot method certbot does not reload Apache by itself, so a renewed certificate is only served after Apache reloads its configuration.
Should you do it? For SEO, Google says it is fine, and that moving from HTTP to HTTPS is OK.
So, again in the Apache config, add a redirect. Decide whether you want www or not.
<VirtualHost *:80>
ServerName www.example.com
# I guess other directives can be removed
# Don't forget the last slash! (the comment has to be on its own line)
Redirect "/" "https://www.example.com/"
</VirtualHost>
If you want only the version without www, add this:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
Or in the .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
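The three redirect snippets above (Redirect in a vhost, the www-stripping RewriteRule, and the HTTPS-forcing rule in .htaccess) differ in one detail that is easy to miss: what RewriteRule's Pattern is matched against. In a <VirtualHost> the Pattern sees the full URL-path with its leading slash; in .htaccess (per-directory context) the directory prefix is stripped first. The following is an added example, not code from the post; it models each snippet as a Python function over (host, path, https) so the resulting Location can be checked. It assumes the .htaccess sits in DocumentRoot, and server_name stands in for %{SERVER_NAME}.

```python
import re


def apache_redirect(path, target):
    """Model of:  Redirect "/" "https://www.example.com/"
    Redirect matches the URL-path prefix ("/") and appends whatever follows it
    to the target string verbatim, which is why the target needs its trailing
    slash. Query strings are not modelled here."""
    assert path.startswith("/")
    return target + path[len("/"):]


def rule_input(path, per_directory):
    """What a RewriteRule Pattern is matched against. In server/vhost context it
    is the full URL-path with its leading slash; in per-directory context
    (.htaccess) the directory prefix is removed first. Assumption: the
    .htaccess lives in DocumentRoot, so only the leading slash goes."""
    return path[1:] if per_directory else path


WWW_COND = re.compile(r"^www\.(.*)$", re.I)  # [NC] makes the host match case-insensitive


def strip_www(host, path, per_directory):
    r"""Model of:  RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
                  RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
    %1 is group 1 of the last matched RewriteCond, $1 is group 1 of the Pattern.
    Returns the 301 Location, or None when the condition does not match."""
    cond = WWW_COND.match(host)
    if cond is None:
        return None
    rule = re.match(r"^(.*)$", rule_input(path, per_directory))
    return f"https://{cond.group(1)}/{rule.group(1)}"


def force_https(server_name, path, https, per_directory=True):
    """Model of:  RewriteCond %{HTTPS} off
                  RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
    The post places this rule in .htaccess, so per-directory is the default."""
    if https:
        return None  # condition fails, rule is skipped
    rule = re.match(r"(.*)", rule_input(path, per_directory))
    return f"https://{server_name}/{rule.group(1)}"


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    print(apache_redirect("/about", "https://www.example.com/"))   # trailing slash present
    print(apache_redirect("/about", "https://www.example.com"))    # trailing slash forgotten
    print(strip_www("www.mydomain.com", "/blog/post", per_directory=True))
    print(strip_www("www.mydomain.com", "/blog/post", per_directory=False))
    print(force_https("mydomain.com", "/x", https=False))
```

Running it shows the two gotchas: without the trailing slash Redirect produces https://www.example.comabout, and the www-stripping rule, when placed in a vhost rather than .htaccess, yields https://mydomain.com//blog/post because $1 already starts with a slash. The usual idiom that works in both contexts is a Pattern of ^/?(.*)$, which makes the leading slash optional.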
And, last but not least, restart:
apachectl restart
Some additional resources for configuring Apache SSL are here.
Test your website here.
Update:
Hm, recently I had an issue with this message:
So, what happened was a bad Apache configuration. This part:
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
should be:
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
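The mix-up above (and the :443 vhost earlier in the post) is the kind of thing worth checking mechanically before restarting Apache. The following is an added example, not the post's own code: a small parser for <VirtualHost> blocks and a check that every *:443 vhost has SSLEngine on and the three SSL* directives pointing at the files the post settles on under /etc/letsencrypt/live/<ServerName>/. The two sample configs are constructed inline (one with the mapping the post ends up with, one with the mapping the update says was wrong) so the script runs offline; on a real host you would feed it the contents of the vhost file.

```python
import re

# Constructed sample config: the *:443 vhost as the post prescribes it.
GOOD_VHOST = """
<VirtualHost *:443>
ServerName mydomain.com
DocumentRoot /var/www/mydomain.com/public
# add this!
SSLEngine on
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
"""

# Constructed sample config: the mapping the post's update says was wrong
# (fullchain.pem handed to SSLCertificateFile, no chain file at all).
BAD_VHOST = """
<VirtualHost *:443>
ServerName mydomain.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
"""

# Directive -> file expected in /etc/letsencrypt/live/<ServerName>/, per the post.
EXPECTED_FILES = {
    "SSLCertificateChainFile": "fullchain.pem",
    "SSLCertificateFile": "cert.pem",
    "SSLCertificateKeyFile": "privkey.pem",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config_text):
    """Return [(address, {directive_lower: value}), ...] for every <VirtualHost>.
    Directive names are case-insensitive in httpd, so keys are lower-cased.
    Whole-line comments are skipped; httpd does not allow trailing comments."""
    vhosts = []
    for addr, body in VHOST_RE.findall(config_text):
        directives = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        vhosts.append((addr.strip(), directives))
    return vhosts


def check_ssl_vhosts(config_text):
    """Check each *:443 vhost for SSLEngine on and the post's three SSL* file
    directives, each pointing at the right file under the ServerName's live dir.
    Returns a list of human-readable findings; an empty list means consistent."""
    findings = []
    for addr, d in parse_vhosts(config_text):
        if not addr.endswith(":443"):
            continue
        server = d.get("servername", "<no ServerName>")
        if d.get("sslengine", "").lower() != "on":
            findings.append(f"{server}: SSLEngine is not 'on'")
        live_dir = f"/etc/letsencrypt/live/{server}/"
        for directive, fname in EXPECTED_FILES.items():
            value = d.get(directive.lower())
            expected = live_dir + fname
            if value is None:
                findings.append(f"{server}: missing {directive}")
            elif value != expected:
                findings.append(f"{server}: {directive} should be {expected}, got {value}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_VHOST), ("bad", BAD_VHOST)):
        print(label, check_ssl_vhosts(cfg) or "OK")
```

The check is deliberately strict about file names: cert.pem is the leaf certificate alone, chain.pem the intermediates, fullchain.pem both, and privkey.pem the private key, so a directive pointing at the wrong one is caught before apachectl restart rather than by a browser error.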
After trying many redirect techniques for Apache, I think the easiest so far is not to have a ServerAlias
but to have a separate vhost directive.
<VirtualHost *:80>
ServerName www.mydomain.com
Redirect permanent "/" "https://mydomain.com/"
</VirtualHost>
<VirtualHost *:80>
ServerName mydomain.com
DocumentRoot /var/www/mydomain.com/public
ErrorLog /var/www/mydomain.com/error.log
CustomLog /var/www/mydomain.com/access.log combined
</VirtualHost>