Introduction
This page describes how Alexis Huxley obtains and renews LetsEncrypt-based SSL certificates. It is all to be executed on the front-end web server (not any back-end servers).
Installation
- Run:
apt -y install certbot python3-certbot-apache
- If not already done then run:
a2enmod ssl
systemctl restart apache2
Per-vhost
This section assumes that /etc/apache2/sites-enabled/<websitename>-ssl.conf was set up according to Configuring web services (revision 2.1).
- Ensure that the website is accessible from the outside (for me this means making changes on my firewall/router).
- Ensure that the website is accessible via http and https (even if http redirects to https).
- Define variables:
WEBSITENAME=<name-of-website> # e.g. WEBSITENAME=home.pasta.freemyip.com
- Run:
certbot certonly --apache -d "$WEBSITENAME"
I did all sites in one go by running:
for F in /etc/apache2/sites-enabled/*-ssl.conf; do
    # Extract the website name from the file name; skip files that do not match.
    [[ $F =~ ^.*/([^/]*)-ssl\.conf$ ]] || continue
    certbot certonly --apache -d "${BASH_REMATCH[1]}"
done
- Expect to see:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   ...
- Edit /etc/apache2/sites-available/$WEBSITENAME-ssl.conf and comment out these lines:
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
and uncomment these lines:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/<websitename>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<websitename>/privkey.pem
- Run:
systemctl reload apache2
- Restart your browser (Chromium, for example, does not detect when a certificate becomes valid).
- Visit your site and verify the certificate is now valid.
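Before the reload step above, the edited vhost file can be checked for the mistakes this procedure makes easy: a snakeoil line left active, a path pointing at the wrong site, or a missing Include. This is an added example, not part of the original page; the function name check_vhost_conf and its optional third argument (an alternative root instead of /etc/letsencrypt/live, used for testing) are hypothetical.

```sh
#!/bin/sh
# Added example: pre-reload check of one <websitename>-ssl.conf file.
# Usage: check_vhost_conf CONF WEBSITENAME [LIVE_ROOT]
# Returns 0 if the file is ready for "systemctl reload apache2", 1 otherwise.
# Run as root, because privkey.pem is normally readable by root only.
# Directive names are matched case-sensitively, spelled as on this page.
check_vhost_conf() {
    conf=$1; site=$2; live=${3:-/etc/letsencrypt/live}; rc=0
    # Keep only active directives: drop blank lines and comments.
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$conf" || true)

    if printf '%s\n' "$active" | grep -q 'ssl-cert-snakeoil'; then
        echo "FAIL: snakeoil certificate is still active in $conf"; rc=1
    fi

    for pair in SSLCertificateFile:fullchain.pem SSLCertificateKeyFile:privkey.pem; do
        key=${pair%%:*}; want=$live/$site/${pair#*:}
        # Value of the last active occurrence of the directive.
        got=$(printf '%s\n' "$active" |
              awk -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected $want"; rc=1
        elif [ ! -r "$want" ]; then
            echo "FAIL: $want is missing or unreadable"; rc=1
        fi
    done

    if ! printf '%s\n' "$active" | awk '
            $1 == "Include" && $2 == "/etc/letsencrypt/options-ssl-apache.conf" { ok = 1 }
            END { exit !ok }'; then
        echo "FAIL: options-ssl-apache.conf is not included"; rc=1
    fi
    return $rc
}

# When called as a script: sh check.sh CONF WEBSITENAME
if [ "$#" -ge 2 ]; then check_vhost_conf "$@"; fi
```

A non-zero exit status means the file should be fixed before running systemctl reload apache2.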