Setting up LetsEncrypt (revision 1)

Introduction

This page describes how Alexis Huxley obtains and renews LetsEncrypt-based SSL certificates. It is all to be executed on the front-end web server (not any back-end servers).

Procedure

Prologue

  1. Ensure the firewall is forwarding port 443 to the appropriate host.
  2. Run:
    add-apt-repository ppa:certbot/certbot

    This may fail with the error message:

    gpg: no valid OpenPGP data found.
    Failed to add key.
    

    If that happens then run:

    apt-key adv --keyserver pgp.rediris.es --recv-keys 75BCA694

    Note that 75BCA694 is a short (32-bit) key ID, and short IDs can be collided, so before continuing compare the full fingerprint shown by apt-key fingerprint 75BCA694 with the fingerprint published for the certbot PPA on its Launchpad page.
  3. Run:
    apt-get update
    apt-get -y install python-certbot-apache
    a2enmod ssl
    systemctl restart apache2
    certbot --apache
    

    and follow the prompts.

  4. Note the messages:
    Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/<website>/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/<website>/privkey.pem
    Your cert will expire on 2017-12-29. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew *all* of
    your certificates, run "certbot renew"

Per-vhost

  1. Define variables:
    VHOST=<name-of-vhost>    #  e.g. VHOST=hsrs2019.freemyip.com
  2. If not already done, then enable http (not https) access to the vhost as follows:
    1. Edit /etc/apache2/sites-available/$VHOST.conf and add the following (combined2 is a LogFormat nickname that must be defined elsewhere in your Apache configuration; use the stock combined if it is not):
      <VirtualHost *:80>
          ServerName VHOST
          ServerAdmin webmaster@dont-use-this-address
          CustomLog /var/log/apache2/VHOST-access.log combined2
          ErrorLog /var/log/apache2/VHOST-error.log
          LogLevel warn
          ServerSignature Off
      
          DocumentRoot /var/www/VHOST
          <Directory /var/www/VHOST>
              Require all granted
          </Directory>
      </VirtualHost>
    2. Substitute markers by running:
      sed -i "s/VHOST/$VHOST/g" /etc/apache2/sites-available/$VHOST.conf
    3. Create the document root:
      sed -n -s 's/.*DocumentRoot *//p' /etc/apache2/sites-available/$VHOST.conf | xargs mkdir
    4. If not already done, then enable the vhost:
      a2ensite $VHOST
      systemctl reload apache2
    5. If not already open, then open port 80 on the firewall and direct it to the right host.
  3. Obtain the certificate by running:
    certbot certonly

    and when prompted for the authentication method specify 3 (place files in webroot directory), the domain ($VHOST) and enter the document root (/var/www/$VHOST). The menu numbering varies between certbot versions, so the non-interactive equivalent is safer to script:

    certbot certonly --webroot -w /var/www/$VHOST -d $VHOST

  4. Do not disable http access to the vhost entirely: certbot renew reuses the webroot method and must be able to fetch http://$VHOST/.well-known/acme-challenge/... over port 80, so a vhost with no http listener will fail to renew. If you want to force https, keep port 80 open and redirect every path except /.well-known/acme-challenge/ to https.
  5. Enable https access to the host as follows:
    1. Edit /etc/apache2/sites-available/$VHOST-ssl.conf and add the following (the DocumentRoot and Directory block are needed here too, otherwise the https vhost serves Apache's default document root rather than the site's):
      <IfModule mod_ssl.c>
          <VirtualHost *:443>
              ServerName VHOST
              ServerAdmin webmaster@dont-use-this-address
              CustomLog /var/log/apache2/VHOST-access.log combined2
              ErrorLog /var/log/apache2/VHOST-error.log
              LogLevel warn
              ServerSignature Off

              DocumentRoot /var/www/VHOST
              <Directory /var/www/VHOST>
                  Require all granted
              </Directory>

              Include /etc/letsencrypt/options-ssl-apache.conf
              SSLCertificateFile /etc/letsencrypt/live/VHOST/fullchain.pem
              SSLCertificateKeyFile /etc/letsencrypt/live/VHOST/privkey.pem
          </VirtualHost>
      </IfModule>
    2. Substitute markers by running:
      sed -i "s/VHOST/$VHOST/g" /etc/apache2/sites-available/$VHOST-ssl.conf
    3. If not already done, then enable the vhost:
      a2ensite $VHOST-ssl
      systemctl reload apache2
    4. If not already open, then open port 443 on the firewall and direct it to the right host.
  6. Restart your browser (Chromium, for example, does not detect that a certificate has become valid until restarted).
  7. Visit https://$VHOST/ and verify the certificate is now valid.
  8. Check that unattended renewal will work by running:
    certbot renew --dry-run

    This exercises the webroot challenge against the staging CA without replacing the real certificate. Because the certificate was obtained with certonly, nothing reloads Apache when it is renewed, so the old certificate keeps being served until you do; certbot's --deploy-hook option (for example --deploy-hook "systemctl reload apache2") takes care of that.
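The per-vhost steps above are easy to script, and scripting them also lets you replace the sed-based marker substitution with a hostname check. The following is an added example written for this page, not the author's own script: it renders the two vhost files from a validated hostname, creates the document root and the ACME challenge directory, and keeps the port-80 vhost answering challenges while redirecting everything else to https (which needs mod_rewrite enabled). It assumes the page's layout (/var/www/<vhost> as document root, /etc/letsencrypt/live/<vhost>/ for the certificate) and the combined2 LogFormat nickname used above; the output directory, webroot base and letsencrypt base are parameters so it can be tried outside /etc.

```shell
#!/bin/sh
# Added example (not the page author's script): render the Apache vhost
# files for a Let's Encrypt webroot setup from a validated hostname.
# Assumptions: document root /var/www/<vhost>, certificate under
# /etc/letsencrypt/live/<vhost>/, and a LogFormat nickname "combined2"
# defined elsewhere in the Apache configuration.

# valid_hostname NAME: succeed only for a plausible DNS hostname.
# The page's sed "s/VHOST/$VHOST/g" would silently corrupt the config if
# VHOST contained '/' or '&'; this check refuses such values instead.
valid_hostname() {
    printf '%s\n' "$1" |
        grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# render_vhost NAME OUTDIR [WEBROOT_BASE] [LETSENCRYPT_BASE]
# Writes OUTDIR/NAME.conf (port 80) and OUTDIR/NAME-ssl.conf (port 443),
# and creates the document root plus its ACME challenge directory.
render_vhost() {
    name=$1
    outdir=$2
    webroot=${3:-/var/www}/$name
    live=${4:-/etc/letsencrypt}/live/$name

    valid_hostname "$name" || {
        echo "render_vhost: refusing suspicious hostname '$name'" >&2
        return 1
    }
    mkdir -p "$outdir" "$webroot/.well-known/acme-challenge"

    # Port 80: serve ACME challenges from the webroot, redirect all else,
    # so that "certbot renew" keeps working after https is enforced.
    cat > "$outdir/$name.conf" <<EOF
<VirtualHost *:80>
    ServerName $name
    ServerAdmin webmaster@dont-use-this-address
    CustomLog /var/log/apache2/$name-access.log combined2
    ErrorLog /var/log/apache2/$name-error.log
    LogLevel warn
    ServerSignature Off

    DocumentRoot $webroot
    <Directory $webroot/.well-known/acme-challenge>
        Require all granted
    </Directory>

    # Everything except the challenge path goes to https (needs mod_rewrite).
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF

    # Port 443: the same site, served with the Let's Encrypt certificate.
    cat > "$outdir/$name-ssl.conf" <<EOF
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName $name
        ServerAdmin webmaster@dont-use-this-address
        CustomLog /var/log/apache2/$name-access.log combined2
        ErrorLog /var/log/apache2/$name-error.log
        LogLevel warn
        ServerSignature Off

        DocumentRoot $webroot
        <Directory $webroot>
            Require all granted
        </Directory>

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile $live/fullchain.pem
        SSLCertificateKeyFile $live/privkey.pem
    </VirtualHost>
</IfModule>
EOF
}

# Usage on the web server: sh render-vhost.sh hsrs2019.freemyip.com
# then: a2enmod rewrite; a2ensite "$1" "$1-ssl"; systemctl reload apache2
if [ "$#" -eq 1 ]; then
    render_vhost "$1" /etc/apache2/sites-available
fi
```

Run it before obtaining the certificate: the port-80 vhost it writes is enough for the webroot challenge, and the port-443 vhost only becomes loadable once /etc/letsencrypt/live/$VHOST/ exists, so enable the -ssl site after certbot certonly has succeeded.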

See also