Now that I’m hosting my site on a full Linux VM, I can use Let’s Encrypt to encrypt connections to my website. As I found out, it is extremely easy to set up.

First, install letsencrypt

# yum install letsencrypt

Second, stop the web server. This is so the letsencrypt program can use port 80 to verify that the domain names you are requesting a cert for are actually under your control.

# systemctl stop httpd

Now, run the interactive letsencrypt program.

# letsencrypt

It will ask for an email address, then there is a license to accept, and finally you can enter the domains you are requesting the cert for.

After this, the key/cert should be located at:

/etc/letsencrypt/live/<hostname>

Next up, we configure Apache.

# vi /etc/httpd/conf/httpd.conf

I simply added a VirtualHost to catch incoming SSL (port 443) requests, and two VirtualHosts that redirect plain HTTP (port 80) requests to HTTPS.

<VirtualHost *:80>
    ServerName www.nathancheek.com
    Redirect permanent / https://www.nathancheek.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName nathancheek.com
    Redirect permanent / https://www.nathancheek.com/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/nathancheek.com/cert.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/nathancheek.com/chain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/nathancheek.com/privkey.pem"
</VirtualHost>

Finally, start Apache.

# systemctl start httpd

That’s all it takes to encrypt a website running on Apache.

Now, since letsencrypt certs expire after 90 days, we should automate renewal. I added the following rule to /etc/crontab, which requests a new cert at 5:00 AM on the first of every month and reloads Apache afterwards.

0 5 1 * * root letsencrypt certonly -d nathancheek.com -d www.nathancheek.com --renew-by-default --webroot -w /var/www/nathancheek.com && systemctl reload httpd

Note that each domain name is specified with its own -d flag. Also, this command uses the webroot plugin, and the -w flag tells it which directory to place a temporary verification file in. This allows the letsencrypt service to verify that you have control over those domains through the running web server, without having to stop the Apache service like we did before.
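As an added example (not part of the original post), here is a small wrapper around the same webroot command that only renews when the cert is within 30 days of expiry and refuses to reload Apache if the renewed cert.pem does not match privkey.pem. The function names, the LIVE_DIR and WEBROOT variables and the 30-day threshold are my own assumptions; the paths default to the ones used above.

```shell
#!/bin/sh
# Renewal wrapper for the cron job above. Assumed defaults mirror the post;
# override LIVE_DIR and WEBROOT in the environment for a different host.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/nathancheek.com}"
WEBROOT="${WEBROOT:-/var/www/nathancheek.com}"

# Returns 0 when the certificate in $1 expires within $2 days (renewal due).
cert_expires_within_days() {
    seconds=$(( $2 * 86400 ))
    # openssl -checkend exits 0 if the cert is still valid after N seconds,
    # so invert it: we want success when it will NOT still be valid.
    if openssl x509 -checkend "$seconds" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 when the public key inside cert $1 matches private key $2.
# Guards against reloading Apache with a mismatched cert/key pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Renews with the same letsencrypt command as the crontab entry, then
# reloads httpd only if the resulting files are consistent.
renew_if_due() {
    cert="$LIVE_DIR/cert.pem"
    key="$LIVE_DIR/privkey.pem"
    if ! cert_expires_within_days "$cert" 30; then
        echo "cert valid for more than 30 days, nothing to do"
        return 0
    fi
    letsencrypt certonly -d nathancheek.com -d www.nathancheek.com \
        --renew-by-default --webroot -w "$WEBROOT" || return 1
    if cert_matches_key "$cert" "$key"; then
        systemctl reload httpd
    else
        echo "renewed cert does not match privkey.pem; not reloading" >&2
        return 1
    fi
}

# Run the renewal only when explicitly asked, e.g. from cron: script.sh run
case "${1:-}" in run) renew_if_due ;; esac
```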