This is a quick guide to how I set up Let's Encrypt on an Apache server with three SSL virtual hosts.
* Apache with SNI support and the virtual hosts already configured.
* The virtual host web root is /var/www/vhosts and the configuration directory is /etc/httpd/conf.d, with one conf file per vhost.
* UPDATE: the old letsencrypt client has been replaced by certbot: https://www.eff.org/sv/deeplinks/2016/05/announcing-certbot-new-tls-robot ; the instructions below have been updated accordingly.
* I'm using RHEL7, so the EPEL repo needs to be enabled: https://fedoraproject.org/wiki/EPEL
* Since it's RHEL7, the Optional repo is also needed: subscription-manager repos --enable=rhel-7-server-optional-rpms
Install certbot and request one certificate covering all three names with the webroot authenticator (each -w is the document root used to answer the HTTP challenge for the -d names that follow it; certbot writes the challenge files under <webroot>/.well-known/acme-challenge/, which must be reachable over plain HTTP on port 80):
yum install certbot
certbot certonly -a webroot -w /var/www/vhosts/site1.domain.com/ -d site1.domain.com -w /var/www/vhosts/site2.domain.com/ -d site2.domain.com -w /var/www/vhosts/site3.domain.com/ -d site3.domain.com
Update the Apache configuration for each vhost in /etc/httpd/conf.d: comment out the existing certificate directives and point them at the new files. The .... is the lineage directory (named after the first -d domain unless --cert-name is given), and since the three names share one certificate all three vhost files point at the same lineage:
SSLCertificateFile /etc/letsencrypt/live/..../cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/..../privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/..../chain.pem
chain.pem holds only the intermediate(s); fullchain.pem also contains the leaf, so using it as the chain file works but sends the leaf twice in the handshake. On Apache 2.4.8 or newer, SSLCertificateChainFile is deprecated and SSLCertificateFile points at fullchain.pem instead; the httpd 2.4.6 shipped with RHEL7 still needs the separate chain directive. The files under live/ are symlinks to the newest version in archive/, so the paths stay valid across renewals.
Restart Apache: systemctl restart httpd (a reload is enough to pick up new certificate files, and a configuration syntax check first avoids taking every site down over a mistyped path).
Verify that each vhost now serves the new certificate for its own name. With SNI, a missing or wrong ServerName means clients get the default vhost's certificate instead, so test each name separately rather than only the first.
Let's Encrypt certificates are valid for 90 days, so they must be renewed before they expire.
I use the script below, /usr/local/bin/letsencrypt-renew, which I run as a cron job:
#!/bin/bash
/usr/bin/certbot certonly --config /etc/letsencrypt/cli.ini -w /var/www/vhosts/site1.domain.com/ -d site1.domain.com -w /var/www/vhosts/site2.domain.com/ -d site2.domain.com -w /var/www/vhosts/site3.domain.com/ -d site3.domain.com
if [ "$?" -eq "0" ]; then
    /bin/systemctl restart httpd
fi
The config file /etc/letsencrypt/cli.ini contains:
authenticator = webroot
renew-by-default
renew-by-default forces a fresh certificate on every run regardless of how long the current one has left, so the job must not run more often than the Let's Encrypt rate limits allow (five duplicate certificates per week).
The cron job /etc/cron.d/letsencrypt-renew runs at 08:00 on the first day of every second month (January, March, ...), i.e. roughly every 60 days, inside the 90-day lifetime:
00 08 01 */2 * root /usr/local/bin/letsencrypt-renew >/var/log/letsencrypt-renew.log 2>&1
Note that this leaves no retry margin: if one run fails (webroot not reachable, ACME outage, rate limit), the next attempt is two months later and the certificate will already have expired in between. Newer certbot versions ship certbot renew, which reads the -w/-d arguments saved in /etc/letsencrypt/renewal/, only renews certificates within 30 days of expiry and can therefore be run daily and retry itself.
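If you move to certbot renew, the restart belongs in a --deploy-hook, which certbot runs only for lineages it actually renewed. The script below is an added example of such a hook, not the post's script: it refuses to reload httpd unless the renewed lineage is complete and cert.pem matches privkey.pem (a mismatched pair makes httpd refuse to start), and runs a syntax check before reloading. The file name, the cron line in its header and the RHEL paths for apachectl and systemctl are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks.

```shell
#!/bin/bash
# /usr/local/bin/letsencrypt-deploy-hook  (added example, not the post's script)
#
# Invoked by certbot only for lineages it has just renewed, e.g. from a daily job:
#   17 4 * * * root /usr/bin/certbot renew --quiet --deploy-hook /usr/local/bin/letsencrypt-deploy-hook
#
# certbot exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS.
# Paths for apachectl/systemctl are RHEL7's (assumed).
set -eu

# Return 0 if the public key inside CERT equals the public key derived from KEY.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if DIR holds every file Apache is configured to read and the pair matches.
lineage_ok() {
    dir="$1"
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty $dir/$f" >&2; return 1; }
    done
    cert_key_match "$dir/cert.pem" "$dir/privkey.pem" \
        || { echo "cert.pem and privkey.pem in $dir do not match" >&2; return 1; }
}

main() {
    lineage="${RENEWED_LINEAGE:?not running under certbot --deploy-hook}"
    logger -t letsencrypt-deploy-hook "renewed ${RENEWED_DOMAINS:-?} in $lineage"
    lineage_ok "$lineage"
    # Syntax-check first so one bad vhost file cannot take every site down.
    /usr/sbin/apachectl configtest
    # reload picks up the new files; restart would drop open connections for nothing.
    /bin/systemctl reload httpd
}

# Only act when certbot invoked us; otherwise the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the hook only runs after a successful renewal, a failed ACME run leaves the old (still valid) certificate in place and httpd untouched, and the daily job simply tries again the next day.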
You can also monitor certificate expiry with the Nagios check_http plugin:
check_http -H siteX.domain.com -S -C 30 --sni
This checks the certificate presented for siteX.domain.com (the --sni flag matters: without it the plugin sees the default vhost's certificate) and alerts when it expires in less than 30 days, which should never happen if the letsencrypt-renew cron job is working. Run it against each of the three names, not just one.
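As an added example (not from the post) that covers both the "verify the new certificates are working" step above and the expiry monitoring: a script that reports the days left on the certificate certbot wrote to disk and compares its fingerprint with the certificate each vhost actually serves for its own name over SNI, which also catches a renewal that httpd never reloaded (something check_http only notices once the served certificate is close to expiry). It assumes openssl, GNU date (for date -d), and that the lineage directory is named after the first -d domain unless --cert-name was used; the script name, argument convention and output format are my own.

```shell
#!/bin/bash
# /usr/local/bin/letsencrypt-check  (added example, not from the post)
#
# Usage: letsencrypt-check <lineage dir> <host>...
#   letsencrypt-check /etc/letsencrypt/live/site1.domain.com site1.domain.com site2.domain.com site3.domain.com
# Exit status 0 when the on-disk certificate has more than WARN_DAYS left and
# every host serves exactly that certificate; 1 otherwise, with one line per problem.
# Assumes openssl and GNU date (date -d).
set -eu

WARN_DAYS="${WARN_DAYS:-30}"

# Whole days until the certificate in PEM expires (negative once expired).
days_left() {
    pem="$1"
    end_str=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)   # e.g. "Jun 10 12:00:00 2026 GMT"
    end_epoch=$(date -u -d "$end_str" +%s)
    echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# Return 0 if PEM expires within DAYS days; openssl does the date arithmetic.
expires_within() {
    pem="$1"; days="$2"
    ! openssl x509 -in "$pem" -noout -checkend $(( days * 86400 )) >/dev/null
}

# SHA-256 fingerprint of the certificate in PEM (hex with colons).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate HOST presents for its own name (SNI via -servername).
# Empty when the connection fails, which then shows up as a mismatch.
served_fingerprint() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Audit one lineage's cert.pem against every HOST given; prints findings, returns 1 on any.
check_sites() {
    lineage="$1"; shift
    pem="$lineage/cert.pem"; rc=0
    [ -r "$pem" ] || { echo "MISSING  $pem"; return 1; }
    if expires_within "$pem" "$WARN_DAYS"; then
        echo "EXPIRING $pem: $(days_left "$pem") days left"; rc=1
    fi
    disk=$(fingerprint "$pem")
    for host in "$@"; do
        if [ "$(served_fingerprint "$host")" != "$disk" ]; then
            echo "STALE    $host: served certificate differs from $pem (httpd not reloaded?)"; rc=1
        else
            echo "OK       $host: serves $pem, $(days_left "$pem") days left"
        fi
    done
    return $rc
}

if [ "$#" -ge 2 ]; then
    check_sites "$@"
fi
```

Run it once right after the Apache restart to confirm all three names serve the new certificate, and again from cron after each renewal; expires_within uses openssl's own -checkend so the warning threshold does not depend on the date parsing in days_left.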