Secure Apache with Let’s Encrypt on AlmaLinux 9
This tutorial, brought to you by Orcacore, will guide you through the process of securing your Apache web server with Let’s Encrypt on AlmaLinux 9. Apache is the most widely used web server on Linux systems, responsible for serving web pages to client computers upon request. Let’s Encrypt is a free, automated, and open certificate authority (CA) provided by the Internet Security Research Group (ISRG), designed to make HTTPS accessible to everyone. Securing your web server with HTTPS is crucial for protecting sensitive data transmitted between your server and users, building trust, and improving your website’s SEO ranking.
Let’s Encrypt offers two primary types of certificates: standard single-domain SSL certificates and Wildcard SSL certificates. The standard SSL covers only a single domain, while the Wildcard SSL extends coverage to all subdomains associated with the main domain. Both certificate types are issued for a period of 90 days, but many hosting providers, like SiteGround, offer automatic renewal services to simplify the management process.
These certificates are domain-validated, meaning they verify domain ownership, and don’t require a dedicated IP address. They are also supported on a wide range of hosting solutions.
Before proceeding, ensure you meet the following prerequisites:
- You have logged into your AlmaLinux 9 server as a non-root user with sudo privileges and have configured a basic firewall. Refer to the Orcacore article on "Initial Server Setup with AlmaLinux 9" for detailed instructions.
- Apache web server is already installed and running on your server. Consult the Orcacore guide on "How to Install an Apache Web server on AlmaLinux 9" for assistance.
Once you have fulfilled these requirements, follow the steps below.
1. Install Certbot on AlmaLinux 9
The first step is to install Certbot, the official Let’s Encrypt client, along with the necessary dependencies. Start by enabling the EPEL (Extra Packages for Enterprise Linux) repository and installing the mod_ssl package, which provides SSL/TLS encryption capabilities for Apache.
sudo dnf install epel-release mod_ssl -y
Next, install Certbot and the Apache plugin, which automates the process of obtaining and installing Let’s Encrypt certificates for Apache.
sudo dnf install certbot python3-certbot-apache -y
With Certbot successfully installed, you’re ready to acquire an SSL certificate for your domain.
2. Get an SSL Certificate from Let’s Encrypt for Apache
Use Certbot to request and install the SSL certificate for your domain. The Apache plugin simplifies this process by automatically configuring Apache to use the certificate.
sudo certbot --apache
Certbot will guide you through an interactive process, prompting you for information.
First, it will ask for your email address, which will be used for renewal notifications and security alerts.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): sam@orcacore.com
...
Enter your email address and press Enter.
Next, you’ll be asked to agree to the Let’s Encrypt terms of service.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
...
Type ‘Y’ and press Enter to agree.
You’ll then be given the option to share your email address with the Electronic Frontier Foundation (EFF).
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
...
Choose ‘Y’ or ‘N’ as per your preference.
Finally, Certbot will prompt you to enter the domain names you want to secure with the certificate. Ensure your virtual host is correctly configured before this step.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): example.com
Requesting a certificate for example.com
...
Enter your domain name (e.g., example.com) and press Enter.
After the process completes, you should see a message confirming that the certificate has been successfully obtained and installed.
Congratulations! You have successfully enabled HTTPS on example.com
You should test your configuration at:
-------------------------------------------------------------------------------
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2024-07-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. If you like, you can add
"--apache" to install this certificate now.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate
Your Let’s Encrypt certificate is now installed and configured for your Apache web server. Verify the installation by visiting your domain in a web browser. You should see a padlock icon in the address bar, indicating a secure connection. You’ve now secured Apache with Let’s Encrypt on AlmaLinux 9.

You can also use the SSL Labs server test to thoroughly verify your SSL configuration.
3. Set up Auto-Renewal of Let’s Encrypt Certificates
Let’s Encrypt certificates are valid for 90 days. To ensure uninterrupted HTTPS service, it’s crucial to automate the renewal process. Certbot includes a built-in mechanism for automatic renewal. To test the renewal process without making any changes, run the following command:
sudo certbot renew --dry-run
This command simulates the renewal process and displays any potential errors or warnings. To automate renewal, use a systemd timer that runs the certbot renew command periodically. On AlmaLinux 9 the certbot package from EPEL ships this timer as certbot-renew.timer; open a drop-in override for it with:
sudo systemctl edit certbot-renew.timer
Add the following content to the editor:
[Unit]
Description=Certbot Automatic Renewal
[Timer]
OnCalendar=daily
RandomizedDelaySec=60m
Persistent=true
[Install]
WantedBy=timers.target
Save and close the file. Then, enable and start the timer:
sudo systemctl enable certbot-renew.timer
sudo systemctl start certbot-renew.timer
You can verify that the timer is running correctly with the following command:
sudo systemctl list-timers
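A renewal-health check to run alongside the timer, as an added example that is not part of the original tutorial: with 90-day certificates and Certbot's default of renewing once fewer than 30 days remain, a certificate that falls well inside that window means renewal is failing. The function names, GRACE_DAYS and CRITICAL_DAYS are assumptions; GNU date and openssl are required.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): detect a certificate whose renewal is failing.
# Assumes GNU date and openssl. RENEW_WINDOW_DAYS mirrors Certbot's default renewal
# window; GRACE_DAYS and CRITICAL_DAYS are constructed thresholds.
RENEW_WINDOW_DAYS=30
GRACE_DAYS=2      # a daily timer may need a day or two to act
CRITICAL_DAYS=7

# Whole days from now to notAfter (epoch seconds), rounded down so that a
# certificate that expired one second ago already reports -1.
days_left() {
  local diff=$(( $1 - $2 ))
  if [ "$diff" -lt 0 ]; then
    echo $(( (diff - 86399) / 86400 ))
  else
    echo $(( diff / 86400 ))
  fi
}

# Map remaining days to a status a monitoring job can alert on.
renewal_status() {
  local days=$1
  if [ "$days" -lt 0 ]; then echo EXPIRED
  elif [ "$days" -le "$CRITICAL_DAYS" ]; then echo CRITICAL
  elif [ "$days" -lt $(( RENEW_WINDOW_DAYS - GRACE_DAYS )) ]; then echo RENEWAL_OVERDUE
  else echo OK
  fi
}

# notAfter of the first certificate in a PEM file, as epoch seconds.
cert_not_after_epoch() {
  local end
  end=$(openssl x509 -noout -enddate -in "$1") || return 1
  date -u -d "${end#notAfter=}" +%s
}

# Print "<status> <days>"; exit status is 0 only when the certificate is OK.
check_cert() {
  local epoch days status
  epoch=$(cert_not_after_epoch "$1") || { echo "UNREADABLE -"; return 2; }
  days=$(days_left "$epoch" "$(date -u +%s)")
  status=$(renewal_status "$days")
  echo "$status $days"
  [ "$status" = OK ]
}

# Usage, with the path Certbot printed above:
#   check_cert /etc/letsencrypt/live/example.com/fullchain.pem
```

Run it from cron or a monitoring agent and alert on any non-zero exit status.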
Conclusion
You have successfully secured your Apache web server with Let’s Encrypt on AlmaLinux 9, enabling free SSL/TLS encryption for HTTPS access. This enhances security, builds trust with your users, and improves your website’s SEO.
Now, let’s explore alternative approaches to securing Apache with Let’s Encrypt on AlmaLinux 9.
Alternative Solutions for Securing Apache with Let’s Encrypt
While Certbot is the recommended and most straightforward method, alternative solutions exist that may be suitable for specific environments or preferences. Here are two different approaches:
1. Using ACME.sh
ACME.sh is a lightweight, pure Unix shell script implementation of the ACME protocol (Automated Certificate Management Environment), which Let’s Encrypt uses. Unlike Certbot, it doesn’t require Python or any other dependencies besides a basic Unix environment. This can be advantageous in resource-constrained environments or when you prefer a minimal footprint.
Installation and Usage:
- Install ACME.sh:
curl https://get.acme.sh | sh
This command downloads and installs acme.sh in your home directory (~/.acme.sh). You may need to source the ~/.bashrc or ~/.zshrc file to activate the alias.
source ~/.bashrc # or source ~/.zshrc
- Issue the Certificate:
ACME.sh supports different ways of verifying domain ownership. For Apache, using webroot mode is generally the easiest. This method places a challenge file in your webroot directory, which Let’s Encrypt uses to verify your control over the domain. Recent acme.sh releases use ZeroSSL as their default CA, so name Let’s Encrypt explicitly with --server letsencrypt.
acme.sh --issue --server letsencrypt --domain example.com --webroot /var/www/html
Replace example.com with your actual domain name and /var/www/html with the correct path to your webroot directory.
- Install the Certificate:
After successful issuance, you need to install the certificate and key in the appropriate locations for Apache. ACME.sh can handle this automatically with the --installcert command.
acme.sh --installcert -d example.com --certpath /etc/httpd/ssl/example.com.crt --keypath /etc/httpd/ssl/example.com.key --fullchainpath /etc/httpd/ssl/example.com.fullchain.crt --reloadcmd "sudo systemctl reload httpd"
Adjust the paths to match your Apache configuration; on AlmaLinux the Apache service is named httpd and its configuration lives under /etc/httpd, and the target directory must exist before the certificate is installed. The --reloadcmd option specifies the command to reload Apache after the certificate is updated. If you are using a different location for certificate storage, change the path accordingly.
- Configure Apache Virtual Host:
Edit your Apache Virtual Host file to point to the new certificates. A basic configuration might look like this:
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/example.com.fullchain.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key
    <Directory /var/www/html>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
- Auto-Renewal:
ACME.sh automatically renews certificates every 60 days using a cron job. You don’t need to configure anything manually.
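The reload command matters because a renewed certificate on disk does nothing until Apache loads it. The following added example (not part of the original tutorial) compares the certificate Apache is serving with the one on disk; the function names are assumptions, openssl is required, and the host and file path are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): confirm Apache serves the certificate on disk.
# Assumes openssl is installed; function names are illustrative.

# Reduce "sha256 Fingerprint=AB:CD:..." (label case varies by OpenSSL version)
# to bare lowercase hex so two fingerprints can be compared as strings.
normalize_fp() {
  printf '%s' "${1#*=}" | tr -d ' :\n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
disk_fp() {
  normalize_fp "$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null)"
}

# SHA-256 fingerprint of the leaf certificate the server presents for SNI name $1.
served_fp() {
  local host=$1 port=${2:-443}
  normalize_fp "$(openssl s_client -connect "$host:$port" -servername "$host" \
      </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null)"
}

# MATCH: the server presents the file's certificate.
# STALE: the server still presents a different (older) certificate, so the
#        reload after renewal did not take effect.
# UNKNOWN: one side could not be read.
compare_fp() {
  if [ -z "$1" ] || [ -z "$2" ]; then echo UNKNOWN
  elif [ "$1" = "$2" ]; then echo MATCH
  else echo STALE
  fi
}

# Usage: check_served <hostname> <fullchain file>
check_served() {
  compare_fp "$(disk_fp "$2")" "$(served_fp "$1")"
}
```

Call check_served with your domain and the file you passed to --fullchainpath; a STALE result after a renewal points at the reload step.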
2. Using a Web Hosting Control Panel
Many web hosting control panels, such as cPanel, Plesk, and DirectAdmin, offer built-in support for Let’s Encrypt. These panels provide a graphical interface for requesting and installing certificates, simplifying the process for users who prefer a visual approach, especially beginners.
General Steps (may vary depending on the control panel):
- Log in to your control panel.
- Navigate to the SSL/TLS section. This may be labeled differently depending on the panel.
- Look for an option to install a Let’s Encrypt certificate.
- Select the domain name you want to secure.
- The control panel will automatically request and install the certificate.
The control panel typically handles certificate renewal automatically, so you don’t need to worry about manual renewal processes. The exact steps may vary depending on your specific control panel, so consult your hosting provider’s documentation for detailed instructions.
These alternative methods offer different approaches to securing your Apache web server with Let’s Encrypt, catering to various preferences and technical skill levels. While Certbot remains the recommended method for its ease of use and comprehensive features, ACME.sh provides a lightweight alternative, and web hosting control panels offer a user-friendly graphical interface for simplified certificate management.