Securing your Apache web server with a free SSL/TLS certificate from Let’s Encrypt is one of the most important steps you can take to protect your visitors and improve your site’s trustworthiness. Certbot, the ACME client developed by the EFF and recommended by Let’s Encrypt, automates the entire certificate issuance and renewal process. On RHEL 8, Certbot is available through the EPEL repository and integrates with Apache via the python3-certbot-apache plugin. This tutorial walks you through installing Certbot, obtaining a certificate, and setting up automatic renewal.

Prerequisites

  • A RHEL 8 server with a non-root user that has sudo privileges
  • Apache installed and running (httpd service active)
  • A registered domain name with an A record pointing to your server’s public IP address
  • Port 80 and port 443 open in firewalld
  • Access to the EPEL repository (enabled in Step 1)

Step 1 — Enable the EPEL Repository and Install Certbot

Certbot is not included in the default RHEL 8 repositories, so you must first enable EPEL. Once enabled, install Certbot along with its Apache plugin.

sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf install -y certbot python3-certbot-apache

Verify the installation by checking the Certbot version:

certbot --version

Step 2 — Open Firewall Ports for HTTPS

Before requesting a certificate, ensure that firewalld allows both HTTP (port 80) and HTTPS (port 443) traffic. Let’s Encrypt uses port 80 for its HTTP-01 challenge during the initial issuance and again at each renewal, so keep port 80 open after the certificate is installed.

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --list-services

Step 3 — Obtain and Install the SSL Certificate

Run the Certbot Apache plugin with the --apache flag. Certbot will automatically detect your virtual host configuration, obtain the certificate, and configure mod_ssl for you. Replace example.com with your actual domain.

sudo certbot --apache -d example.com -d www.example.com

Certbot will prompt you for an email address for renewal notices and ask you to agree to the Let’s Encrypt Terms of Service. It will then perform the domain validation challenge and, upon success, install the certificate. The plugin automatically edits your Apache virtual host to enable SSL and sets up a redirect from HTTP to HTTPS.

Step 4 — Verify the mod_ssl Configuration

Certbot enables the Apache mod_ssl module automatically. Confirm it is loaded and that your SSL virtual host configuration was written correctly.

httpd -M | grep ssl
sudo cat /etc/httpd/conf.d/example.com-le-ssl.conf

You should see ssl_module (shared) in the output. The generated configuration file will contain directives such as SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile pointing to the certificate files stored under /etc/letsencrypt/live/example.com/.

Step 5 — Test the SSL Certificate with curl

Use curl to send a HEAD request to your domain over HTTPS and confirm that the server responds with a valid certificate and the correct status code.

curl -I https://example.com
curl -vI https://example.com 2>&1 | grep -E "SSL|TLS|subject|issuer|expire"

A successful response will show HTTP/1.1 200 OK (a request to the plain http:// URL should return a 301 redirect to HTTPS instead), and the verbose output will display the Let’s Encrypt certificate details, including the subject, issuer, and expiry date.

Step 6 — Automate Certificate Renewal

Let’s Encrypt certificates expire after 90 days. On RHEL 8, the EPEL Certbot package ships a systemd timer unit (certbot-renew.timer) that automatically renews certificates before they expire. Verify the timer is enabled and test the renewal process with a dry run.

sudo systemctl status certbot-renew.timer
sudo systemctl enable --now certbot-renew.timer
sudo certbot renew --dry-run

The timer runs twice daily by default. The --dry-run flag performs a test renewal against the Let’s Encrypt staging environment without saving any certificates, allowing you to confirm that the renewal process will succeed when the time comes. If the dry run completes without errors, your automatic renewal is correctly configured.
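A dry run only proves that renewal works today. The following added example (not part of the original tutorial) is a small health check for cron or monitoring that flags a certificate the timer should already have renewed. It assumes Certbot's default layout under /etc/letsencrypt/live/ and its default 30-day renewal window; the function names, the 7-day critical threshold and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: renewal health check for Certbot-managed certificates.
# Assumes Certbot's default layout: $LIVE_DIR/<domain>/fullchain.pem.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"  # Certbot's default window for 90-day certs
CRITICAL_DAYS="${CRITICAL_DAYS:-7}"           # illustrative alerting threshold

# cert_status PEM_FILE
# Prints one of: OK RENEWAL_OVERDUE CRITICAL EXPIRED UNREADABLE MISSING
cert_status() (
    pem=$1
    # True when the certificate's notAfter falls within the next $1 days.
    expires_within() {
        ! openssl x509 -in "$pem" -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
    }
    if [ ! -r "$pem" ]; then
        echo MISSING             # absent, or not readable (live/ is root-only)
    elif ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo UNREADABLE          # not a parseable PEM certificate
    elif expires_within 0; then
        echo EXPIRED
    elif expires_within "$CRITICAL_DAYS"; then
        echo CRITICAL
    elif expires_within "$RENEW_WINDOW_DAYS"; then
        echo RENEWAL_OVERDUE     # the timer should already have renewed this
    else
        echo OK
    fi
)

# check_domains DOMAIN...
# Prints one status line per domain; returns non-zero if any is not OK.
check_domains() {
    rc=0
    for domain in "$@"; do
        status=$(cert_status "$LIVE_DIR/$domain/fullchain.pem")
        echo "$domain: $status"
        [ "$status" = OK ] || rc=1
    done
    return "$rc"
}

# Usage: sudo ./check-le-cert.sh example.com www.example.com
if [ "$#" -gt 0 ]; then
    check_domains "$@"
    exit $?
fi
```

A RENEWAL_OVERDUE result means fewer than 30 days remain, which points to a stopped timer, a failing challenge, or a closed port 80 rather than normal operation.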

Conclusion

Your Apache server on RHEL 8 is now secured with a free, automatically renewing SSL/TLS certificate from Let’s Encrypt. Certbot handled the certificate issuance, the mod_ssl configuration, and the HTTP-to-HTTPS redirect automatically. The enabled renewal timer ensures your certificate stays valid without any manual intervention, keeping your site trusted by browsers and search engines alike.
