Last year I was suggesting to use StartSSL/StartCom to get free SSL certificates and easily enable HTTPS for websites. Apparently now Chrome and Firefox have distrusted their certificates and considered my site as a "malicious" site after then. I went online and looked for alternatives and Let's Encrypt is a really great service (free & more freedom). Here I log the process how did I switch to certificates with Let's Encrypt.
In this log/tutorial, I assume websites have already enabled SSL (e.g., using conf.d in httpd as demonstrated in this earlier post) and are using Apache version less than 2.4.8. Also, I'm using Debian 7. Otherwise, try to follow instruction here.
Install Certbot
We need to first stop Apache by (a must do especially if you are using a small RAM VPS like I do.. to free up some RAM for future python package installation)
sudo apachectl stop
Now we first download the required Let's Encrypt bot for fetching the certificate and give it executable command. You can download it anywhere with some easy path to remember. For example,
cd /home/happyz.me/lib/ wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto
Then just simply run the bot to install necessary python packages.
/home/happyz.me/lib/certbot-auto
I got some errors about pip version, and had to update it by
sudo pip install --upgrade pip
And if you get error in installing any python packages, one possibility is due to a small RAM. Try to stop Apache and other services to free up some RAM for installation. After then you can re-enable these services.
If there were any problems, try to remove the folder /home/happyz.me/.local/share/letsencrypt and re-install the bot.
Request Certificates
For the first time running the bot, you need to enter your email address and make some agreement on the policy. Go ahead and do that. Then it will ask
Which names would you like to activate HTTPS for?
Press c to cancel. Since Certbot currently does not support multiple vhost in single config file in conf.d, we'd better do it on our own (plus, we had SSL enabled already and I personally didn't want to mess up things with that).
After you quit the certbot, we run it again with the following command
/home/happyz.me/lib/certbot-auto --apache certonly -d your_root_domain -d www.your_root_domain -d blog.your_root_domain
As far as I know, you can append any sub-domain as possible, but the first domain must be the root domain. After a few seconds, you will get confirmation that certification has been downloaded into folder /etc/letsencrypt/live/your_root_domain/.
Enable SSL Using These Certificates
<IfModule mod_ssl.c> <VirtualHost *:443> SSLEngine On SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 Header add Strict-Transport-Security "max-age=31536000" SSLHonorCipherOrder On SSLCompression Off SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLCertificateFile /etc/letsencrypt/live/your_root_domain/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/your_root_domain/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/your_root_domain/chain.pem ServerAdmin admin ServerName blog.happyz.me DocumentRoot path/to/directory_of_website <Directory "path/to/directory_of_website"> Options FollowSymLinks AllowOverride All Require all granted </Directory> ErrorLog path/to/error/log CustomLog path/to/access/log combined </VirtualHost> </IfModule>
As usual, SSLCipherSuite is referred from https://wiki.mozilla.org/Security/Server_Side_TLS with modern configuration..
Update Certificate Weekly/Daily
Since Let's Encrypt only gives certificate that is valid in a week, we need to update it. Luckily, this is very simple. Partially because we use the path /etc/letsencrypt/live/your_root_domain/, and it is automatically updated along with the latest certificate, we can easily update our certificate by adding a cron job. You have to be sudo in order to periodically update the certificate:
sudo -i crontab -e
Press i to insert and paste the following (renew certificate every Sunday at 1:15am)
15 1 * * 0 /home/happyz.me/lib/certbot-auto renew --no-self-upgrade >> /var/log/happyz.me-renew.log
Then press Esc and type in :wq to save and quit.
Then simply restart Apache and we are good.
sudo apachectl start
1 comment