Secure Apache with Let’s Encrypt Certificate on Rocky Linux

In our previous guide, we walked you through the installation of the LAMP stack on Rocky Linux and further proceeded to configure Apache virtual hosts in case you need to host multiple websites on a single server.

But it doesn’t just end there. Website security is now one of the greatest concerns across most organizations and users alike in the face of growing cyber threats. There are several ways of securing your website. One of the primary ways of implementing some basic protection against hackers is to encrypt your site using an SSL/TLS certificate.

An SSL/TLS certificate is a cryptographic certificate that authenticates the identity of your website and encrypts data exchanged between a user’s browser and a webserver.

In effect, your site switches from using the HTTP protocol which sends data in plain text to HTTPS (HTTP Secure) which encrypts the data. Without encryption, hackers can easily get a hold of confidential information such as usernames and passwords by eavesdropping on the data exchanged between the web server and the browser.

A while back, Google made a point of alerting users visiting unencrypted sites by placing a ‘Not secure’ label on the URL bar. This is to warn users of the risk involved while browsing the site.

If you are a website owner, you certainly wouldn’t want to put your clients and website visitors at risk of having their personal information exposed to hackers. It’s for this reason that installing an SSL certificate on your webserver is a fundamental step towards securing your site.

In this guide, we will show you how to secure an Apache web server on Rocky Linux 8 using a Let’s Encrypt SSL certificate.

Prerequisites

For this to work, you need to have your domain pointed to your website’s Public IP address. Therefore, you need to head over to your web host and ensure the domain name is pointing to the IP of your webserver.

Here, we have the domain tecmint.info pointed to the public IP address of our virtual server.

Domain Point to IP Address

Step 1: Install EPEL Repo in Rocky Linux

We start off by installing prerequisite packages which will prove beneficial along the way. We will install the EPEL repository and the mod_ssl package which is a security module for Apache HTTP server that provides strong cryptography by leveraging SSL/TLS protocols using OpenSSL.

$ sudo dnf install epel-release mod_ssl
Install EPEL Repo in Rocky Linux

Step 2: Install Certbot in Rocky Linux

Let’s now install Certbot, a client that fetches the SSL certificate from the Let’s Encrypt authority and automates its installation and configuration. This eliminates the pain and hassle of accomplishing the entire process manually.

$ sudo dnf install certbot python3-certbot-apache 

Certbot is now fully installed and well-configured.

Step 3: Installing an SSL Certificate for Apache in Rocky Linux

The last step is to retrieve and install the Let’s Encrypt SSL Certificate. To achieve this, run the command:

$ sudo certbot --apache

This sets off a series of prompts. First, you will be required to provide your email address. Next, skim through the Terms of Service in the URL provided and press 'Y' to agree with the Terms, and hit ENTER.

Next, you will be asked if you are willing to share your email address with EFF (Electronic Frontier Foundation) which is the founding partner of Let’s Encrypt.

By sharing your email address, you will subscribe to news, campaigns, and other updates about the organization. If you are comfortable providing your email address, press 'Y', otherwise, press 'N' and hit ENTER.

The next prompt will provide a list of domains based on your web server configuration and ask you which one you prefer to enable HTTPS on. You can choose either '1' or '2'. But for uniformity, simply press ENTER to enable HTTPS on all the domains.

Certbot will finalize the installation and configuration of Let’s Encrypt and save the security keys in the /etc/letsencrypt/live/yourdomain/ path.

Install SSL for Apache in Rocky Linux

If everything went according to plan, you will get the output displayed.

SSL Enabled for Apache in Rocky Linux

Step 4: Auto-Renew SSL Certificate for Apache in Rocky Linux

Certbot provides a script for renewing the certificate just a few days before its expiry. You can perform a dry run to test the script as shown.

$ sudo certbot renew --dry-run

Now, to automate the renewal of the certificate by the script, edit the root user’s crontab, since Certbot needs root privileges to write to /etc/letsencrypt.

$ sudo crontab -e

Specify the cron job shown and save the changes.

0 * * * * /usr/bin/certbot renew
Renew SSL for Apache on Rocky Linux
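
A renewal job only protects the site if cron can actually run it, so it is worth checking both the job and the certificate it is supposed to keep fresh. The script below is an added example, not part of the original article: it lists cron jobs whose program is missing and reports a certificate that is close to expiry. The function names, the crontab dump file and the 14-day default threshold are assumptions; fullchain.pem is the certificate file Certbot keeps in the live directory mentioned in Step 3.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# 14-day default threshold are assumptions.

# Print the program path of each job in a dump of a user crontab ($1).
cron_commands() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                        # blank, comment
        $0 ~ /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value
        $1 ~ /^@/ { print $2; next }                         # @daily etc.
        NF >= 6 { print $6 }                                 # after 5 time fields
    ' "$1"
}

# Print the jobs whose program is missing or not executable. cron runs with
# a minimal PATH, so jobs are expected to use absolute paths.
cron_missing_binaries() {
    cron_commands "$1" | while IFS= read -r cmd; do
        [ -x "$cmd" ] || printf '%s\n' "$cmd"
    done
}

# Exit 0 when the PEM certificate $1 expires within $2 days. An unreadable
# file also counts as expiring, so the check fails towards raising an alert.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1
}

# Run both checks on crontab dump $1 and certificate $2; the exit status
# is the number of problems found (0 means healthy).
renewal_health() {
    problems=0
    for bin in $(cron_missing_binaries "$1"); do
        echo "cron job runs a missing program: $bin"
        problems=$((problems + 1))
    done
    if cert_expires_within "$2" "${3:-14}"; then
        echo "certificate expires within ${3:-14} days: $2"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage (as root):
#   crontab -l > /tmp/root.cron
#   renewal_health /tmp/root.cron /etc/letsencrypt/live/yourdomain/fullchain.pem
```

A non-zero exit status makes the script easy to wire into a monitoring check or a daily cron mail.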

Step 5: Verify Apache SSL Certificate in Rocky Linux

To confirm that your site is encrypted, simply head over to your browser and reload your website. This time around, you should see a padlock icon just before the website’s URL.

Check Apache SSL Certificate

To gather more details, click on the icon and click on the ‘Certificate’ option in the menu that appears.

Check Apache SSL Certificate Info

This populates all the certificate’s details as provided.

View Apache SSL Certificate Info

You can test the strength of your certificate by heading over to the SSL Labs Test. Provide the website’s URL or domain name and hit ENTER.

You should get an A rating as indicated here.

Check SSL Certificate Rating

Conclusion

If you have come this far, then you should be in a position to encrypt your Apache web server using the Let’s Encrypt SSL Certificate by leveraging the Certbot client from EFF.

James Kiarie
This is James, a certified Linux administrator and a tech enthusiast who loves keeping in touch with emerging trends in the tech world. When I'm not running commands on the terminal, I'm listening to some cool music, taking a casual stroll or watching a nice movie.


3 Comments

  1. Hi there,

    Thank you for your article…

    There is an error in the “Step 4: Auto-Renew SSL Certificate for Apache in Rocky Linux”.

    Your cron references “/usr/sbin/certbot-auto-renew” but your dry run was doing “certbot renew --dry-run”.

    I do not find certbot-auto in /usr/sbin/, nor “certbot”. “certbot” is a link to the current installed version and it is in /usr/bin.

    So I think the cron should be:

    0 * * * * /usr/bin/certbot renew
    