Don’t Let Browsers “Blacklist” Your Website
Imagine a customer visiting your site and seeing a bright red “Not Secure” warning. Statistics show that over 70% of users leave immediately upon seeing this alert. Currently, Google prioritizes HTTPS pages, which account for over 95% of traffic on Chrome. Therefore, SSL/TLS is no longer a “nice to have” but a mandatory standard if you don’t want your website’s SEO ranking to plummet.
In the past, installing SSL certificates on CentOS 7 was quite a chore. You had to purchase certificates from a Certificate Authority (CA) and manually configure .crt and .key files, which was highly prone to errors. With CentOS Stream 9, everything has changed thanks to Let’s Encrypt and Certbot. Getting that “green padlock” is now completely free and takes only about 5 minutes.
Three Core Concepts You Need to Know
Before we start typing commands, let’s review the components we’ll be using:
- SSL/TLS: The protocol that encrypts data between the browser and the server. TLS is the successor to SSL, but “SSL” is still commonly used as the general term.
- Let’s Encrypt: A certificate authority that provides free, trusted digital certificates recognized by all major browsers.
- Certbot: A command-line tool (CLI) that helps you request new certificates and automate renewals. Think of it as an automated assistant that edits your Apache or Nginx configuration files for you.
Preparing the Environment on CentOS Stream 9
For a smooth installation, you’ll need a VPS running CentOS Stream 9. Ensure your domain points to the server’s IP and you have root privileges.
First, since Certbot is not in the official software repositories, we need to enable the EPEL (Extra Packages for Enterprise Linux) repo:
sudo dnf install epel-release -y
sudo dnf update -y
A classic mistake for beginners is forgetting to open the firewall ports. If ports 80 and 443 are blocked, Certbot won’t be able to verify your domain.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Deploying SSL for Apache (httpd)
If you’re running Apache, Certbot has a dedicated plugin. It automatically scans your Virtual Host files and inserts the SSL configuration in the correct place.
1. Install Certbot and the Apache Plugin
sudo dnf install certbot python3-certbot-apache -y
2. Run the Certificate Issuance Command
The command below starts the automatic setup process. You’ll just need to enter your email to receive notifications when the certificate is about to expire.
sudo certbot --apache
During execution, Certbot will display a list of domains you’ve configured. Select the corresponding number or press Enter to select all. When asked about redirecting from HTTP to HTTPS, I recommend choosing Yes (usually option 2). This ensures all traffic is automatically encrypted.
Deploying SSL for Nginx
With Nginx, the process is just as simple. The Certbot plugin on CentOS Stream 9 is extremely stable and won’t mess up your existing configuration.
1. Install Certbot and the Nginx Plugin
sudo dnf install certbot python3-certbot-nginx -y
2. Run Certbot to Obtain the Certificate
sudo certbot --nginx
Certbot will automatically find the server_name lines in your Nginx config files. If it doesn’t recognize them, double-check your configuration files in /etc/nginx/conf.d/ to ensure the domain is correctly declared.
Pro tip: If you want to edit the server configuration yourself (for example, to tune performance), use the certonly subcommand, which only obtains the certificate and leaves your Nginx config untouched:
sudo certbot certonly --nginx
Auto-renewal Mechanism
Let’s Encrypt certificates are only valid for 90 days. This can be a downside if you’re forgetful. One of my clients’ websites once “went down” simply because the certificate expired right on New Year’s Day.
Fortunately, when installing Certbot via DNF, the system automatically creates a systemd timer. This timer runs a check twice a day to renew certificates nearing expiration (usually within 30 days). You can check its status with the command:
sudo systemctl list-timers | grep certbot
To ensure everything is working perfectly, run a dry-run renewal simulation:
sudo certbot renew --dry-run
If you see the line “Congratulations, all simulated renewals succeeded”, you can sleep soundly.
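The dry run only proves that Certbot can renew; it does not tell you whether the certificate the web server is actually serving is fresh. The script below is an added example, not part of the original article: it reports how many days a certificate has left, either from the file on disk or from the live port-443 endpoint, and warns once it is inside the 30-day renewal window. It assumes GNU date (-d) and openssl, both present on CentOS Stream 9; the domain and warn-days arguments are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: report how many days a
# TLS certificate has left, so a failed auto-renewal is noticed before the
# "Not Secure" warning appears. Assumes GNU date (-d) and openssl, both
# present on CentOS Stream 9.
set -eu

# Take the "notAfter=..." line printed by `openssl x509 -noout -enddate`
# and return the whole days remaining (negative once expired).
days_remaining_from_enddate() {
    local enddate end_epoch now_epoch
    enddate="${1#notAfter=}"
    end_epoch=$(date -u -d "$enddate" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Days remaining on a certificate file, e.g. the live Certbot copy in
# /etc/letsencrypt/live/<domain>/fullchain.pem.
days_remaining_from_file() {
    days_remaining_from_enddate "$(openssl x509 -noout -enddate -in "$1")"
}

# Days remaining on the certificate actually served on port 443. Checking
# the live endpoint (not only the file) also catches a renewed certificate
# that the web server has not reloaded yet.
days_remaining_from_host() {
    local enddate
    enddate=$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
              | openssl x509 -noout -enddate) || enddate=""
    [ -n "$enddate" ] || { echo "could not fetch certificate for $1" >&2; return 1; }
    days_remaining_from_enddate "$enddate"
}

# Certbot's timer renews at <30 days; alert below that threshold so a
# silently failing timer does not turn into an outage on expiry day.
check_host() {
    local domain="$1" warn_days="${2:-30}" days
    days=$(days_remaining_from_host "$domain")
    if [ "$days" -lt "$warn_days" ]; then
        echo "WARNING: $domain certificate expires in $days days"
        return 1
    fi
    echo "OK: $domain certificate valid for $days more days"
}

# Usage: ./check-cert.sh example.com [warn_days]
if [ -n "${1:-}" ]; then check_host "$1" "${2:-30}"; fi
```

Run it from cron or a monitoring agent against each domain; a non-zero exit means the certificate is inside the renewal window and the timer output (journalctl -u certbot-renew) deserves a look.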
Real-world Tips to Avoid Errors
Here are a few experiences I’ve gathered after many deployments:
- DNS Propagation: If you just pointed your domain, running Certbot immediately will likely result in an error. Wait about 15-30 minutes for DNS to fully update.
- Hidden Folders: Ensure your web server doesn’t block access to the .well-known directory. This is where Certbot places its temporary validation files.
- Rate Limits: Let’s Encrypt limits you to 50 certificates per domain per week. Avoid running the issuance command too many times in a short period to prevent a temporary IP block.
Conclusion
Installing SSL on CentOS Stream 9 is now much easier. With just a few steps, your website is not only more secure but also more professional in the eyes of users. If you plan to migrate your system from CentOS 7 to CentOS Stream 9, remember to back up the /etc/letsencrypt/ directory to keep your old certificates. Good luck!