Secure Apache with Let's Encrypt Certificate on Rocky Linux

Securing Apache with a Let's Encrypt certificate on Rocky Linux gives administrators encrypted HTTPS communication between the server and its clients. Once the certificate is obtained and installed, Apache encrypts data in transit and protects sensitive information from eavesdropping. The process consists of obtaining the certificate, configuring Apache to use it, and enabling HTTPS for the website. Let's Encrypt certificates are trusted by all major browsers, making them a free and widely recognized way to secure Apache web servers on Rocky Linux.

Prerequisites

Before beginning the certificate installation process, ensure the following requirements are met:

  • Rocky Linux server with Apache HTTP server installed and running

  • A registered domain name pointing to your server's IP address

  • Root or sudo privileges on the server

  • Firewall configured to allow HTTP (port 80) and HTTPS (port 443) traffic

Installing Certbot

Certbot is the ACME client recommended by Let's Encrypt. First enable the EPEL repository, then install Certbot together with its Apache plugin:

sudo dnf install epel-release -y
sudo dnf install certbot python3-certbot-apache -y

Obtaining a Let's Encrypt Certificate

Obtaining a Let's Encrypt certificate means requesting one from the Let's Encrypt certificate authority and proving control of the domain it will cover. The issued certificate is trusted by browsers; it lets the server prove its identity to clients and enables secure communication over HTTPS.

Step-by-Step Process

Use the following command to obtain the certificate and let Certbot configure Apache automatically:

sudo certbot --apache -d your-domain.com -d www.your-domain.com

During the process, Certbot will:

  • Verify domain ownership through the HTTP-01 challenge

  • Generate the SSL certificate and private key

  • Automatically update Apache configuration

  • Create a redirect from HTTP to HTTPS

Manual Configuration Steps

If you prefer manual configuration, follow these steps:

  1. Obtain the certificate only (without auto-configuration); list every name the virtual host will serve so the www alias is covered too:

    sudo certbot certonly --webroot -w /var/www/html -d your-domain.com -d www.your-domain.com
    
  2. Certificates will be stored in /etc/letsencrypt/live/your-domain.com/

  3. The key files are:

    • fullchain.pem: the server certificate followed by the intermediate chain

    • privkey.pem: the private key

Configuring Apache for HTTPS

Configuring Apache involves modifying the server configuration to enable HTTPS and specifying the appropriate settings for using the obtained certificate. This includes updating the Apache virtual host configuration to listen on HTTPS port 443 and configuring SSL/TLS settings.

Virtual Host Configuration

Create or modify the SSL virtual host configuration file (this file is installed by the mod_ssl package, which must be present for the SSLEngine directive to work):

sudo nano /etc/httpd/conf.d/ssl.conf

Add the following configuration:

<VirtualHost *:443>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem

    # TLS hardening: no SSLv3/TLS 1.0/TLS 1.1, AEAD ciphers only, no session tickets
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off

    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

HTTP to HTTPS Redirect

Configure an automatic redirect from HTTP to HTTPS (requests for the www alias are redirected to the canonical name as well):

<VirtualHost *:80>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    Redirect permanent / https://your-domain.com/
</VirtualHost>

Testing and Verification

After configuration, test the Apache configuration syntax and restart the service:

sudo httpd -t
sudo systemctl restart httpd

Verify the certificate installation; the -servername option sends SNI so the correct virtual host answers:

openssl s_client -connect your-domain.com:443 -servername your-domain.com

Automatic Certificate Renewal

Let's Encrypt certificates are valid for 90 days, so renewal must be automated. The EPEL certbot package also ships a systemd timer (certbot-renew.timer) for this purpose; if you prefer cron, open the root crontab:

sudo crontab -e

Add the following lines to check for renewal twice daily:

# Runs twice a day; certbot only renews once the certificate is within 30 days of expiry.
# The deploy hook reloads Apache so the renewed certificate is actually served.
0 0,12 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload httpd"

Test the renewal process without issuing a real certificate:

sudo certbot renew --dry-run
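The openssl s_client check above and the renewal job both leave one question open: is the certificate Apache is actually serving still valid and does it cover every name in the virtual host? The following added monitoring script (not part of the original tutorial) answers that from the dictionary returned by Python's ssl.SSLSocket.getpeercert(); the live-fetch helper, the 30-day threshold and the sample certificate data are assumptions of the example.

```python
import ssl
import socket
from datetime import datetime, timezone
from typing import Dict, List

# Added example: flag a served certificate that is close to expiry or that does not
# cover every expected hostname. Uses the dict shape of ssl.SSLSocket.getpeercert().
RENEW_THRESHOLD_DAYS = 30  # certbot itself renews when fewer than 30 days remain

def parse_not_after(not_after: str) -> datetime:
    """Parse the 'notAfter' string from getpeercert(), e.g. 'Jun 15 09:01:39 2026 GMT'."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def covered_names(cert: Dict) -> List[str]:
    """DNS names listed in the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def check_certificate(cert: Dict, expected_names: List[str], now: datetime) -> List[str]:
    """Return human-readable problems; an empty list means the certificate is healthy."""
    problems = []
    days_left = (parse_not_after(cert["notAfter"]) - now).days
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < RENEW_THRESHOLD_DAYS:
        problems.append(f"only {days_left} days left; the renewal job may have failed")
    sans = covered_names(cert)
    for name in expected_names:
        if name not in sans:
            problems.append(f"{name} is not in subjectAltName {sans}")
    return problems

def fetch_peer_cert(host: str, port: int = 443) -> Dict:
    """Connect with SNI (like openssl s_client -servername) and return the leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample standing in for a live getpeercert() result (placeholder domain,
# deliberately missing the www alias so the check has something to report).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "your-domain.com"),),
    "notAfter": "Jun 15 09:01:39 2026 GMT",
}

if __name__ == "__main__":
    now = parse_not_after("May 25 00:00:00 2026 GMT")  # fixed clock for the offline demo
    print(check_certificate(SAMPLE_CERT, ["your-domain.com", "www.your-domain.com"], now))
```

Against a live server, replace SAMPLE_CERT with fetch_peer_cert("your-domain.com") and now with datetime.now(timezone.utc); a non-empty result is what the renewal cron job should never let happen.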

Security Best Practices

Setting               Recommended Value                 Purpose
SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1        Disable vulnerable protocols
SSLHonorCipherOrder   off                               Let the client choose its preferred cipher
HSTS Header           max-age=63072000                  Force HTTPS for 2 years
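To confirm that an ssl.conf actually carries the settings in this table, the following added audit script (an example written for this page, not part of the tutorial or of Certbot) parses a virtual host block and reports deviations; the sample vhost text and the one-year HSTS floor are assumptions of the example.

```python
import re
from typing import List, Tuple

# Added example: audit an Apache SSL virtual host against the recommendations above.

def parse_directives(vhost_text: str) -> List[Tuple[str, str]]:
    """Return (directive, arguments) pairs from a vhost block, skipping comments and tags."""
    pairs = []
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, args = line.partition(" ")
        pairs.append((name, args.strip()))
    return pairs

def audit_ssl_vhost(vhost_text: str) -> List[str]:
    """Return a list of findings; an empty list means the block meets the recommendations."""
    pairs = parse_directives(vhost_text)
    first = {}
    for name, args in pairs:
        first.setdefault(name, args)  # first occurrence wins for single-valued directives
    findings = []
    if first.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    # An absent SSLProtocol falls back to Apache's default, which still allows TLS 1.0/1.1.
    proto = first.get("SSLProtocol", "all").split()
    legacy_off = "-all" in proto or all(f"-{p}" in proto for p in ("SSLv3", "TLSv1", "TLSv1.1"))
    if not legacy_off or any(f"+{p}" in proto for p in ("SSLv3", "TLSv1", "TLSv1.1")):
        findings.append("SSLProtocol still permits SSLv3, TLS 1.0 or TLS 1.1")
    if not first.get("SSLCertificateFile", "").endswith("fullchain.pem"):
        findings.append("SSLCertificateFile should reference fullchain.pem so the intermediate CA is served")
    hsts = [a for n, a in pairs if n == "Header" and "Strict-Transport-Security" in a]
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if m is None:
        findings.append("no Strict-Transport-Security header is set")
    elif int(m.group(1)) < 31536000:
        findings.append("HSTS max-age is shorter than one year")
    return findings

# Constructed samples: the vhost from this page, and a weakened variant of it.
GOOD_VHOST = """<VirtualHost *:443>
    ServerName your-domain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>"""
WEAK_VHOST = GOOD_VHOST.replace("fullchain.pem", "cert.pem").replace("-TLSv1 -TLSv1.1", "") \
    .replace('    Header always set Strict-Transport-Security "max-age=63072000"\n', "")
```

Running audit_ssl_vhost on the contents of /etc/httpd/conf.d/ssl.conf after each change is a quick regression check that a later edit has not quietly re-enabled a legacy protocol or dropped HSTS.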

Troubleshooting Common Issues

  • Certificate validation fails: ensure the domain's DNS record points to your server

  • Apache won't start: check the configuration syntax with httpd -t

  • Mixed content warnings: update all HTTP links in your website to HTTPS

  • Firewall blocking: open ports 80 and 443 with firewall-cmd

Conclusion

Securing Apache with Let's Encrypt certificates on Rocky Linux provides free, automated SSL/TLS encryption for web servers. The process involves obtaining certificates through Certbot, configuring Apache virtual hosts for HTTPS, and setting up automatic renewal. This implementation ensures encrypted communication between clients and servers while maintaining cost-effectiveness and broad browser compatibility.

Updated on: 2026-03-17T09:01:39+05:30
