Switch From StartSSL/StartCom To Let's Encrypt (Enable HTTPS For Websites)

Last year I suggested using StartSSL/StartCom to get free SSL certificates and easily enable HTTPS for websites. Chrome and Firefox have since distrusted their certificates, and my site was flagged as "malicious" as a result. I went looking for alternatives, and Let's Encrypt is a really great service (free, and with more freedom). Here I log how I switched to Let's Encrypt certificates.

In this log/tutorial, I assume the websites already have SSL enabled (e.g., using conf.d in httpd as demonstrated in this earlier post) and that Apache is older than 2.4.8: the vhost below uses SSLCertificateChainFile, which is obsolete from 2.4.8 on (from 2.4.8 you drop that line and point SSLCertificateFile at fullchain.pem instead). Also, I'm using Debian 7. Otherwise, follow the instructions here.

Install Certbot

First stop Apache (a must, especially on a small-RAM VPS like mine, to free memory for the Python package installation that follows):

sudo apachectl stop

Now download Certbot, the Let's Encrypt client that fetches the certificate, and make it executable. Put it anywhere with an easy-to-remember path, for example:

cd /home/happyz.me/lib/
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Then run the bot once so it installs the Python packages it needs:

/home/happyz.me/lib/certbot-auto

I got an error about the pip version and had to upgrade it:

sudo pip install --upgrade pip

If installing any Python package fails, one possible cause is lack of RAM. Stop Apache and other services to free memory, install, then start them again afterwards.

If there are still problems, remove the folder /home/happyz.me/.local/share/letsencrypt (the virtualenv certbot-auto built for itself) and run the bot again.

Request Certificates

The first time you run the bot, it asks for your email address and for agreement to the terms of service. Go ahead and do that. Then it asks

Which names would you like to activate HTTPS for?

Press c to cancel. Certbot currently does not support multiple vhosts in a single config file in conf.d, so we had better configure Apache ourselves (plus, we already had SSL enabled and I personally didn't want Certbot rewriting that).

After quitting Certbot, run it again with the following command (--apache makes the Apache plugin answer the domain-validation challenge; certonly means it only fetches the certificate and leaves the config alone):

/home/happyz.me/lib/certbot-auto --apache certonly -d your_root_domain -d www.your_root_domain -d blog.your_root_domain

You can append as many names as you need (Let's Encrypt allows up to 100 per certificate), but every one of them is validated, so each must resolve to this server. The first -d name becomes the certificate's Common Name and the name of the directory under /etc/letsencrypt/live/, so put the root domain first to get a tidy path. After a few seconds you get confirmation that the certificate has been saved in /etc/letsencrypt/live/your_root_domain/ (cert.pem, chain.pem, fullchain.pem and privkey.pem; these are symlinks to the newest files in /etc/letsencrypt/archive/).
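
Before wiring the files into Apache it is worth checking what was actually issued. The following script is an added example (my own, not part of the original post or of Certbot): it lists the DNS names in cert.pem, reports any name you asked for that is missing, confirms that privkey.pem belongs to cert.pem, and confirms that chain.pem links cert.pem to a root in the system trust store. It assumes the lineage directory used above; the domain names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check what certbot wrote
# before wiring it into Apache. LIVE_DIR is the lineage path from the text;
# the domain names passed on the command line are placeholders.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/your_root_domain}"

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Print every name (2nd argument onwards) that the certificate does NOT cover.
missing_names() {
    cert="$1"; shift
    sans=$(cert_sans "$cert")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Succeed only if the private key belongs to the certificate; the public keys
# are compared (rather than RSA moduli) so this also works for EC keys.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if cert.pem chains to a root in the system trust store via
# chain.pem; the intermediate is supplied as untrusted, as a browser sees it.
chain_ok() {
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# Stand-alone use: check_issued.sh your_root_domain www.your_root_domain ...
if [ $# -gt 0 ]; then
    missing=$(missing_names "$LIVE_DIR/cert.pem" "$@")
    [ -z "$missing" ] || { echo "not covered by cert.pem: $missing"; exit 1; }
    key_matches "$LIVE_DIR/cert.pem" "$LIVE_DIR/privkey.pem" || { echo "privkey.pem does not match cert.pem"; exit 1; }
    chain_ok "$LIVE_DIR/cert.pem" "$LIVE_DIR/chain.pem" || { echo "chain.pem does not verify cert.pem"; exit 1; }
    echo "OK: $(cert_sans "$LIVE_DIR/cert.pem" | tr '\n' ' ')"
fi
```

Run it as root (the live/ directory is not world-readable) with the same list of names you gave to -d; a non-zero exit means something is wrong with the lineage, not with Apache.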

Enable SSL Using These Certificates

Point the HTTPS vhost at the files Certbot wrote (in my case in a file under conf.d, one vhost per site):

<IfModule mod_ssl.c>
<VirtualHost *:443>
SSLEngine On
# TLS 1.2 only: SSLv3, TLS 1.0 and TLS 1.1 are all subtracted from "all"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# needs mod_headers (a2enmod headers); "always" also sends it on error responses
Header always set Strict-Transport-Security "max-age=31536000"
SSLHonorCipherOrder On
SSLCompression Off
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLCertificateFile /etc/letsencrypt/live/your_root_domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your_root_domain/privkey.pem
# Apache < 2.4.8 only; from 2.4.8 on drop this line and point
# SSLCertificateFile at fullchain.pem instead
SSLCertificateChainFile /etc/letsencrypt/live/your_root_domain/chain.pem
ServerAdmin admin
ServerName blog.happyz.me
DocumentRoot path/to/directory_of_website
<Directory "path/to/directory_of_website">
  Options FollowSymLinks
  AllowOverride All
  # Apache 2.4 syntax; on 2.2 use "Order allow,deny" and "Allow from all"
  Require all granted
</Directory>
ErrorLog path/to/error/log
CustomLog path/to/access/log combined
</VirtualHost>
</IfModule>

As usual, SSLCipherSuite comes from https://wiki.mozilla.org/Security/Server_Side_TLS ("modern" configuration as of the time of writing; the lists change, so re-check the page). Two caveats: the Header directive needs mod_headers, and Debian 7's OpenSSL 1.0.1 does not know the ChaCha20 suites, so it silently skips those names and negotiates one of the AES suites instead.
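
To check that the vhost above really does what it says, here is an added example (my own script, not from the post or from Mozilla): it lints a vhost file for the settings discussed above and, given a host name, probes the live server to confirm that SSLv3, TLS 1.0 and TLS 1.1 are refused, that TLS 1.2 is accepted and that HSTS is sent. The six-month HSTS floor and the "weak cipher" word list are assumptions of mine; file paths and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the HTTPS vhost above
# plus a live probe of the running server. File paths and host names are
# placeholders; the six-month HSTS floor and "TLS 1.2 only" are my assumptions.

# Print the value of the first occurrence of an Apache directive in a file.
directive() {
    awk -v d="$2" 'tolower($1)==tolower(d) {$1=""; sub(/^ +/, ""); print; exit}' "$1"
}

# Apache SSLProtocol semantics: "all", "+X" or a bare "X" enables X, and a
# "-X" removes it wherever it appears in the list.
proto_allowed() {
    on=0
    for tok in $2; do
        case "$tok" in
            all|+all|"$1"|"+$1") on=1 ;;
            "-$1") return 1 ;;
        esac
    done
    [ "$on" -eq 1 ]
}

# Print one finding per line; exit status is non-zero if anything was found.
lint_ssl_vhost() {
    conf="$1"; n=0
    proto=$(directive "$conf" SSLProtocol); [ -n "$proto" ] || proto=all   # Apache default
    for p in SSLv3 TLSv1 TLSv1.1; do
        proto_allowed "$p" "$proto" && { echo "SSLProtocol allows $p"; n=$((n+1)); }
    done
    ciphers=$(directive "$conf" SSLCipherSuite)
    [ -n "$ciphers" ] || { echo "no SSLCipherSuite (Apache default is permissive)"; n=$((n+1)); }
    # look only at positive tokens, so "!aNULL" does not trip the NULL check
    printf '%s\n' "$ciphers" | tr ':' '\n' | grep -v '^[!-]' | grep -Eq 'RC4|DES|NULL|MD5|EXP|PSK|SRP' \
        && { echo "SSLCipherSuite contains a weak or unexpected cipher family"; n=$((n+1)); }
    [ "$(directive "$conf" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" = on ] \
        || { echo "SSLHonorCipherOrder is not On"; n=$((n+1)); }
    [ "$(directive "$conf" SSLCompression | tr 'A-Z' 'a-z')" = off ] \
        || { echo "SSLCompression is not explicitly Off (CRIME)"; n=$((n+1)); }
    hsts=$(grep -i 'Strict-Transport-Security' "$conf" | grep -v '^[[:space:]]*#' | head -n 1)
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ]; then
        echo "no Strict-Transport-Security header"; n=$((n+1))
    else
        [ "$age" -ge 15768000 ] || { echo "HSTS max-age $age is under six months"; n=$((n+1)); }
        printf '%s\n' "$hsts" | grep -q 'always' \
            || { echo "use 'Header always set' so HSTS also goes out on error responses"; n=$((n+1)); }
    fi
    [ "$n" -eq 0 ]
}

# Live checks against the running server (need network; not run by default).
probe_tls() {   # $1 = host, $2 = openssl version flag such as -tls1_1
    openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null >/dev/null 2>&1
}
hsts_header() { # succeed if the HTTPS response carries Strict-Transport-Security
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" \
        | openssl s_client -connect "$1:443" -servername "$1" -quiet 2>/dev/null \
        | grep -iq '^Strict-Transport-Security:'
}

# Stand-alone use: lint_tls.sh /path/to/ssl-vhost.conf [blog.example.test]
if [ $# -gt 0 ]; then
    lint_ssl_vhost "$1" && echo "config: no findings"
    if [ $# -gt 1 ]; then
        for flag in -ssl3 -tls1 -tls1_1; do
            probe_tls "$2" "$flag" && echo "server still accepts $flag"
        done
        probe_tls "$2" -tls1_2 || echo "server does not accept TLS 1.2"
        hsts_header "$2" || echo "no HSTS header from https://$2/"
    fi
fi
```

The lint reads the file as written, so run it on the vhost file before apachectl configtest; the probe needs the server up, and an openssl build that no longer supports -ssl3 or -tls1 will simply report those versions as refused.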

Renew the Certificate Automatically

Let's Encrypt certificates are valid for 90 days, so they have to be renewed. Luckily this is simple: certbot-auto renew checks every certificate under /etc/letsencrypt and renews the ones that are within 30 days of expiry, and since the vhost points at /etc/letsencrypt/live/your_root_domain/, whose files are symlinks to the newest certificate, nothing in the Apache config has to change. Apache only reads the files at start-up, though, so a renewal must be followed by a reload; the --post-hook below does that, and only when something was actually renewed. A weekly cron job is plenty. You have to be root to edit the crontab that does this:

sudo -i
crontab -e

Press i to insert and paste the following (attempt renewal every Sunday at 1:15am; nothing happens unless a certificate is due):

15 1 * * 0 /home/happyz.me/lib/certbot-auto renew --no-self-upgrade --post-hook "apachectl graceful" >> /var/log/happyz.me-renew.log 2>&1

Then press Esc and type in :wq to save and quit.

Finally, run apachectl configtest to catch typos in the vhost, then start Apache again (we stopped it at the beginning):

sudo apachectl start
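
The one-line cron entry above works, but it gives no timestamps and no signal when renewal silently fails week after week. The following wrapper is an added example (my own, not from the post or from Certbot): it runs the same renew command, reloads Apache only when a certificate was actually renewed, and then checks how long the live certificate is still valid; with a 30-day renewal window, fewer than MIN_DAYS left means renewal has been failing for a while and a warning lands in the log. Paths are the ones used in this post; MIN_DAYS and the "run" argument are my assumptions. days_left and valid_for_days work on any PEM certificate, not just the Let's Encrypt one.

```shell
#!/bin/sh
# Added example (not from the original post): a cron wrapper around
# "certbot-auto renew". Paths are those used in the text; MIN_DAYS and the
# log file name are assumptions.
CERTBOT="${CERTBOT:-/home/happyz.me/lib/certbot-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/your_root_domain}"
LOG="${LOG:-/var/log/happyz.me-renew.log}"
MIN_DAYS="${MIN_DAYS:-20}"   # renew fires below 30 days, so under 20 means it is failing

log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*"; }

# Whole days until the certificate's notAfter (negative once expired).
# Needs GNU date for the "-d" parsing of OpenSSL's date format.
days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    echo $(( ( $(date -u -d "$end" +%s) - $(date -u +%s) ) / 86400 ))
}

# Succeed only if the certificate stays valid for at least $2 more days
# (openssl's own -checkend, so no date parsing is involved).
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Renew whatever is due; the post-hook reloads Apache and only runs when
# at least one certificate was actually renewed. Then confirm the live cert.
renew_and_verify() {
    log "certbot renew start"
    "$CERTBOT" renew --no-self-upgrade --quiet \
        --post-hook "apachectl graceful" || log "certbot renew FAILED (exit $?)"
    cert="$LIVE_DIR/cert.pem"
    if valid_for_days "$cert" "$MIN_DAYS"; then
        log "ok: $(days_left "$cert") days left on $cert"
    else
        log "WARNING: $cert expires in $(days_left "$cert") days; renewal is not working"
        return 1
    fi
}

# Cron use (as root): 15 1 * * 0 /home/happyz.me/lib/renew.sh run
if [ "${1:-}" = "run" ]; then
    renew_and_verify >>"$LOG" 2>&1
fi
```

Keep the cron schedule weekly as above; the wrapper exits non-zero on the warning, so cron's own mail (if configured) also tells you when the certificate is running down.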
