Let’s Encrypt SSL certificate issuing and renewal on CentOS 7 (Setup and Automate)

In this tutorial we’ll show how to obtain free Let’s Encrypt SSL certificates on a CentOS 7 server. We’ll also show how to automate the SSL certificate renewal process, so that certificates are always up to date and valid.

Let’s Encrypt is a free, automated, and open Certificate Authority (CA). This means that anybody can obtain a free SSL certificate for their website that will be recognized as secure by all major browsers.

Certbot is an automatic client (developed by the EFF) that fetches Let’s Encrypt SSL/TLS certificates for your web server.

Install certbot client

  1. First make sure the EPEL repository is enabled.
  2. Install the certbot client:
    yum -y install certbot

Obtain SSL certificate

  1. Obtain an SSL certificate for example.com and www.example.com using certbot’s Webroot plugin:
    certbot certonly --webroot -w /path/to/website/root -d example.com -d www.example.com
  2. Enter an email address (used for urgent notices and lost key recovery)
  3. Agree to the Let’s Encrypt Terms of Service

After the command completes successfully, the folder /etc/letsencrypt/live/example.com will contain symbolic links to 4 files:

  • fullchain.pem – the SSL certificate followed by the intermediate certificate. This is the file to reference in the web server configuration when installing the SSL certificate.
  • cert.pem – the SSL certificate only.
  • chain.pem – the intermediate SSL certificate.
  • privkey.pem – the private key. This file must also be referenced in the web server configuration when the SSL certificate is installed.

Setting up automatic renewal

  1. You can test that everything works with a dry run (no certificate is changed):
    certbot renew --dry-run
    If the command output reports no errors, you can automate renewal by creating a cron job as the root user.
  2. Open the root crontab:
    crontab -e
  3. Add these lines to the crontab:
    0 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
    5 2 * * * /usr/bin/systemctl reload nginx

The first cron job runs every day at 2 AM. It checks whether any SSL certificate on the server needs renewal and, if so, obtains a new one. The command output is appended to the file le-renew.log. The second cron job reloads Nginx at 2:05 AM, so if a certificate was renewed it is put into service right after renewal.
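A renewal that stops working (for example because the webroot path changed or the ACME challenge request is no longer reachable) only shows up in le-renew.log, and that log tends to go unread until visitors see a browser warning. The script below is an added example, not part of this tutorial and not certbot’s own code: it reads the notAfter date of every cert.pem under /etc/letsencrypt/live and warns when fewer than a threshold number of days remain. It assumes the GNU coreutils date command and the openssl CLI (both present on CentOS 7). The default threshold of 25 days is an assumption: Let’s Encrypt certificates are valid for 90 days and certbot renews them once 30 days remain, so a certificate closer to expiry than that has missed at least one renewal window.

```shell
#!/bin/bash
# check-le-expiry.sh -- added example, not part of the tutorial or of certbot.
# Warns when a certificate under /etc/letsencrypt/live is close to expiry, so a
# cron job that stopped renewing is noticed before visitors see a browser error.
# Assumes GNU coreutils `date` and the `openssl` CLI (both present on CentOS 7).

# days_left NOTAFTER: whole days from now until an openssl-style notAfter
# string such as "Jun  5 12:00:00 2024 GMT"; negative once the date has passed.
days_left() {
  local exp_epoch now_epoch
  exp_epoch=$(date -d "$1" +%s) || return 2
  now_epoch=$(date +%s)
  echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# needs_attention NOTAFTER THRESHOLD: true (exit 0) when THRESHOLD days or
# fewer remain. Let's Encrypt certificates live 90 days and certbot renews
# them once 30 days remain, so a certificate with fewer than ~25 days left
# has already missed at least one renewal window (25 is an assumed default).
needs_attention() {
  local left
  left=$(days_left "$1") || return 2
  [ "$left" -le "$2" ]
}

# cert_not_after FILE: print the notAfter field of a PEM certificate.
cert_not_after() {
  local out
  out=$(openssl x509 -in "$1" -noout -enddate) || return 1
  printf '%s\n' "${out#notAfter=}"
}

# check_live_dir DIR THRESHOLD: inspect every DIR/<name>/cert.pem (the layout
# certbot creates), print one status line per certificate and exit 1 if any
# is unreadable or below the threshold.
check_live_dir() {
  local dir=$1 threshold=$2 rc=0 cert name not_after left
  for cert in "$dir"/*/cert.pem; do
    [ -e "$cert" ] || continue            # no match: the glob stays literal
    name=$(basename "$(dirname "$cert")")
    if ! not_after=$(cert_not_after "$cert"); then
      echo "ERROR $name: cannot read $cert"
      rc=1
      continue
    fi
    left=$(days_left "$not_after")
    if needs_attention "$not_after" "$threshold"; then
      echo "WARN  $name: $left days left (expires $not_after)"
      rc=1
    else
      echo "OK    $name: $left days left"
    fi
  done
  return "$rc"
}

# Usage: check-le-expiry.sh [LIVE_DIR] [THRESHOLD_DAYS]
# Runs only when a directory is given, so sourcing the file just defines the
# functions without touching /etc/letsencrypt.
if [ $# -gt 0 ]; then
  check_live_dir "$1" "${2:-25}"
fi
```

Run it from cron after the renewal job (for example at 3 AM) or from a monitoring agent; a non-zero exit status means at least one certificate is below the threshold or could not be read. Because it inspects the files on disk it catches a renewal that never happened; it does not check what Nginx is actually serving, so a missed reload needs a separate check against the live port. Note also that certbot’s `--deploy-hook` option runs a command only when a certificate was actually renewed, which is a tighter way to reload Nginx than the fixed 2:05 AM job in the crontab above.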