• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar
OpenTechTips

OpenTechTips

Comprehensive IT Guides for Pros and Enthusiasts

MENUMENU
  • HOME
  • ALL TOPICS
    • Exchange
    • InfoSec
    • Linux
    • Networking
    • Scripting
      • PowerShell
    • SSL
    • Tools
    • Virtualization
    • Web
    • Windows
  • ABOUT
  • SUBSCRIBE
Home » How to Setup HTTPS on a CentOS 8 Server

How to Setup HTTPS on a CentOS 8 Server

April 11, 2020 - by Zsolt Agoston - last edited on April 18, 2020

Our goal is to make our website protected, configuring the HTTPS service on it to ensure encrypted traffic between the client and our server. We utilize Let’s Encrypt’s certbot, that will create and automatically renew the publicly signed SSL certificates for our site or multiple sites.

Before You Begin

We start with a basic webserver already configured on a CentOS box, and we assume the server is accessible publicly on the http and https ports. This is needed for the certbot agent to verify our domain ownership, otherwise the certificate deployment fails.

For a detailed guide on how to install a webserver on CentOS 8, click HERE 🙂

1. Install and run Certbot

It is a little more manual than on Debian or Ubuntu (see HERE), we need to download the certbot binary and run it manually. The binary will install all the prerequisits for us, then acquire the certificate for us, setting the virtual hosts up. We only need to create a scheduled task manually to ensure it is automatically renewed every three months.

Now start with downloading and running Certbot

sudo curl -O https://dl.eff.org/certbot-auto

sudo mv certbot-auto /usr/local/bin
sudo chmod 755 /usr/local/bin/certbot-auto

# Run Certbot for protectigate.com only.
sudo certbot-auto --apache -d protectigate.com -d www.protectigate.com

Note: you can omit the -d switches to get SSL certificates for all domains on your server
sudo certbot-auto --apache

All the required packages will be installed, then the cert configuration starts.

If you get the following error message just delete the broken config file

How to Setup HTTPS on a CentOS 8 Server

sudo rm /etc/httpd/conf.d/ssl.conf
#Run certbot again
sudo certbot-auto --apache -d protectigate.com -d www.protectigate.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): zsolt@opentechtips.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for protectigate.com
http-01 challenge for www.protectigate.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/protectigate.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/protectigate.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/protectigate.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/protectigate.com.conf to ssl vhost in /etc/httpd/conf.d/protectigate.com-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://protectigate.com and
https://www.protectigate.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=protectigate.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.protectigate.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/protectigate.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/protectigate.com/privkey.pem
Your cert will expire on 2020-07-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Now we can browse to the website we confirm that it is working and is protected

How to Setup HTTPS on a CentOS 8 Server

Automatize the SSL renewal

A cron job needs to be added to the server so it will check every 12 hours if the certificates are due to renew, if they are, they are auto-renewed

crontab -e

echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null

Aftermath

If you check you see that Certbot modified the original protectigate.com.conf file, adding auto-forwarding to HTTPS://protectigate.com

john@web:/etc/httdp/conf.d/ $ cat protectigate.com.conf
<VirtualHost *:80>
DocumentRoot /var/www/protectigate.com
ServerName protectigate.com
ServerAlias www.protectigate.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =protectigate.com [OR]
RewriteCond %{SERVER_NAME} =www.protectigate.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

A new protectigate.com-le-ssl.conf file is created for the HTTPS configuration

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/protectigate.com
ServerName protectigate.com
ServerAlias www.protectigate.com

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/protectigate.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/protectigate.com/privkey.pem
</VirtualHost>
</IfModule>

Reader Interactions

Comments Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Tools

Secondary Sidebar

CONTENTS

  • Before You Begin
  • 1. Install and run Certbot
  • Automatize the SSL renewal
  • Aftermath

  • Terms of Use
  • Disclaimer
  • Privacy Policy
Manage your privacy

To provide the best experiences, we and our partners use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us and our partners to process personal data such as browsing behavior or unique IDs on this site and show (non-) personalized ads. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Click below to consent to the above or make granular choices. Your choices will be applied to this site only. You can change your settings at any time, including withdrawing your consent, by using the toggles on the Cookie Policy, or by clicking on the manage consent button at the bottom of the screen.

Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}
Manage your privacy
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}