How to secure Apache with Let’s Encrypt Certificates on RHEL 8


I read that Let’s Encrypt is a free, automated, and open certificate for web server and other usages. How do I secure Apache with Let’s Encrypt Certificates on RHEL 8?

Introduction – Let’s Encrypt is a free, automated, and open certificate authority for your website powered by the Apache web server. This page shows how to use Let’s Encrypt to install a free SSL certificate for the Apache web server. You will also learn how to properly deploy Diffie-Hellman parameters on your server to get an SSL Labs A+ score on RHEL 8.

How to install Let’s Encrypt SSL certificate to secure Apache on RHEL 8


The procedure for obtaining an SSL certificate is as follows:

  1. Install SSL/TLS module for the Apache HTTP server in RHEL 8: sudo dnf install mod_ssl
  2. Get software on RHEL 8: git clone
  3. Create a new /.well-known/acme-challenge/ directory using: mkdir -p /var/www/html/.well-known/acme-challenge/
  4. Obtain an SSL certificate for your domain: --issue -w /DocumentRootPath/ -d your-domain
  5. Configure TLS/SSL for Apache on RHEL 8: vi /etc/httpd/conf.d/ssl.conf
  6. Setup a cron job for auto renewal of SSL/TLS certificate
  7. Open port 443 (HTTPS): sudo firewall-cmd --add-service=https

Let us see how to install the client and use it on RHEL 8 to get an SSL certificate from Let’s Encrypt.

Step 1 – Install mod_ssl for the Apache

Type the following dnf command:
$ sudo dnf install mod_ssl

Step 2 – Install Let’s Encrypt client

You need to install wget, curl, bc, socat and the git client on RHEL 8 in order to use the client. Run:
$ sudo dnf install wget curl bc git socat

Clone the repo

$ cd /tmp/
$ git clone

Next, install the client on your system, run:
$ cd
$ sudo -i
# cd
# ./ --install

Now we have the needed software on the RHEL 8 box. You must close the current terminal or ssh session and reopen it to make the alias take effect. Or, in the root shell, type the following source command (source is a shell builtin, so it cannot be run through sudo):
# source ~/.bashrc
Verify that the client is working, run:
# --list

Step 3 – Create acme-challenge directory

Type the following mkdir command. Make sure you set D to the actual DocumentRoot path as per your needs:
# D=/var/www/html/
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R apache:apache ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Also, create a directory to store SSL certificate:
# mkdir -p /etc/httpd/ssl/

Step 4 – Create dhparams.pem file

Run the openssl command:
# cd /etc/httpd/ssl/
# openssl dhparam -out dhparams.pem -dsaparam 4096


Step 5 – Obtain an SSL/TLS certificate for domain

Issue a certificate for your domain. The syntax is:
# --issue -w /path/to/www/htmlRoot/ -d your-domain-example-com -k 2048
# --issue -w /path/to/www/htmlRoot/ -d -k 4096
# --issue -w /var/www/html/ -d -k 4096


Step 6 – Configure Apache to use SSL/TLS

Edit the file named /etc/httpd/conf.d/ssl.conf using a text editor such as vi command:
$ sudo vi /etc/httpd/conf.d/ssl.conf
Append/update as follows:

Save and close the file, then exit from the vim text editor.

A note about more secure SSL options

Update the above config as follows to disable SSL and TLS versions 1.0/1.1:

Please see this page for more info.
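
One way to check the result of this hardening step, as an added example that is not part of the original page: the shell function below reports which protocol versions an SSLProtocol line leaves enabled. The function names, the sample directives and the token rule stated in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: list the protocol versions an SSLProtocol directive leaves on.
# Function names and the sample files below are constructed for illustration.

# Print the enabled versions for the last SSLProtocol line in file $1.
# Assumed rule: +name adds, -name removes, a bare name replaces the whole set;
# "all" is read conservatively as every version in the list.
enabled_protocols() {
    awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", known, " ") }
    function set_all(v,   i) { for (i = 1; i <= n; i++) on[known[i]] = v }
    function set_one(name, v,   i) {
        for (i = 1; i <= n; i++)
            if (tolower(known[i]) == tolower(name)) on[known[i]] = v
    }
    tolower($1) == "sslprotocol" {
        set_all(0)                       # a later directive overrides earlier ones
        for (f = 2; f <= NF; f++) {
            tok = $f; act = ""
            if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
            if (tolower(tok) == "all") { set_all(act == "-" ? 0 : 1); continue }
            if (act == "") set_all(0)    # bare name: replace, do not add
            set_one(tok, act == "-" ? 0 : 1)
        }
    }
    END {
        for (i = 1; i <= n; i++) if (on[known[i]]) out = out (out ? " " : "") known[i]
        print out
    }' "$1"
}

# Succeed only if something is enabled and SSLv3, TLSv1 and TLSv1.1 are not.
protocols_ok() {
    case " $(enabled_protocols "$1") " in
        "  "|*" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) return 1 ;;
    esac
    return 0
}

# Constructed samples: a permissive line and a hardened one.
tmp=$(mktemp -d)
printf '%s\n' 'SSLEngine on' 'SSLProtocol all -SSLv3' > "$tmp/before.conf"
printf '%s\n' 'SSLEngine on' 'SSLProtocol -all +TLSv1.2 +TLSv1.3' > "$tmp/after.conf"
for conf in "$tmp/before.conf" "$tmp/after.conf"; do
    if protocols_ok "$conf"; then verdict=ok; else verdict=WEAK; fi
    echo "${conf##*/}: $(enabled_protocols "$conf") [$verdict]"
done
```

The function reads a single file and only its last SSLProtocol line, so run it against each configuration file that sets the directive, for example /etc/httpd/conf.d/ssl.conf.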

Step 7 – Install certificate

Type the following command:
# --installcert -d \
--keypath /etc/httpd/ssl/ \
--fullchainpath /etc/httpd/ssl/ \
--reloadcmd 'systemctl reload httpd'


Now Apache is up and running with mod_ssl. It is time to open TCP port 443 (HTTPS) on the RHEL 8 box so that clients can connect to it. Update the rules as follows:
$ sudo firewall-cmd --permanent --add-service=https --zone=public
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-services --zone=public


Verify that ports 443 and 80 are open and in the listening state with the help of the ss command along with the grep command/egrep command:
$ sudo ss -tulpn
$ sudo ss -tulpn | egrep ':(80|443)'

Step 9 – Test it

Fire up a web browser and type your domain.

Test it with the SSL Labs test site.

Step 10 – commands

List all SSL/TLS certificates, run:
# --list
Renew a cert for domain named
# --renew -d
Please note that a cron job will also try to renew the certificate for you. This is installed by default as follows (no action required on your part). To see the job, run:
# crontab -l
Sample outputs:

Upgrade client:
# --upgrade
Getting help:
# --help | more


This page showed how to install a free SSL/TLS certificate from Let’s Encrypt to secure communication between Apache and browsers on an RHEL 8 server. For more info see Apache mod_ssl documents here.


