Quick setup of Lets Encrypt on Apache with virtual hosts

This is a quick guide of how I setup letsencrypt on a Apache server with 3 SSL Virtual Hosts.

* https://community.letsencrypt.org/t/quick-start-guide/1631
* https://community.letsencrypt.org/t/apache-configuration-example/2338
* https://community.letsencrypt.org/t/how-to-automatically-renew-certificates/4393

* CentOS7/RHEL7
* Apache with SNI support and virtualhosts already configured.
* Virtualhost web dir is /var/www/vhosts and conf dir is /etc/httpd/conf.d . Assuming one conf file per vhost.

* UPDATE: Old way has been replaced with certbot: https://www.eff.org/sv/deeplinks/2016/05/announcing-certbot-new-tls-robot , instruction below has been updated.
* Im using RHEL7 so enabling EPEL repo: https://fedoraproject.org/wiki/EPEL
* Since its RHEL7, I also need to enable Optional repo with: subscription-manager repos –enable=rhel-7-server-optional-rpms

yum install certbot
certbot certonly -a webroot -w /var/www/vhosts/site1.domain.com/ -d site1.domain.com -w /var/www/vhosts/site2.domain.com/ -d site2.domain.com -w /var/www/vhosts/site3.domain.com/ -d site3.domain.com

Update all apache configuration files for your vhosts in /etc/httpd/conf.d , comment out existing certificate files and add the new certificate:

SSLCertificateFile      /etc/letsencrypt/live/..../cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/..../privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/..../fullchain.pem

Restart apache: systemctl restart httpd

Verify that the new certificates are working fine.

The certificates are only valid for a few months so you need to renew them or else they will expire.
I use the below script /usr/local/bin/letsencrypt-renew that I run as a cronjob:

/usr/bin/certbot certonly --config /etc/letsencrypt/cli.ini -w /var/www/vhosts/site1.domain.com/ -d site1.domain.com -w /var/www/vhosts/site2.domain.com/ -d site2.domain.com -w /var/www/vhosts/site3.domain.com/ -d site3.domain.com
if [ "$?" -eq "0" ]; then
  /bin/systemctl restart httpd

The config file /etc/letsencrypt/cli.ini contains:

authenticator = webroot

And the cronjob /etc/cron.d/letsencrypt-renew runs at 08:00 the first day of the month every 2 months.

00 08 01 */2 * root /usr/local/bin/letsencrypt-renew >/var/log/letsencrypt-renew.log 2>&1

You can also add monitoring of certificate expiry using the check_http nagios plugin if you like:

check_http -H siteX.domain.com -S -C 30 --sni

This will trigger an alert if the certificate expires in less than 30 days which it never should if the letsencrypt-renew cronjob is running correctly.

Leave a Reply

Your email address will not be published. Required fields are marked *