Friday, March 25, 2022

How To Install a Let’s Encrypt SSL Certbot for Apache

Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate is. Certbot and Let’s Encrypt can automate away the pain and let you turn on and manage HTTPS with simple commands. Using Certbot and Let’s Encrypt is free, so there’s no need to arrange payment.

Installation of CertBot:

sudo apt update && sudo apt install certbot python-certbot-apache

Now let's get our new Certbot certificate:

sudo certbot --apache

You will be asked some questions, such as your email address and whether you agree to the Terms of Service. Answer them as appropriate for your setup:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):

Enter an email address where you can be contacted in case of urgent renewal and security notices.

Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:

Press a and ENTER to agree to the Terms of Service.

Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:

Press n and ENTER to not share your email address with EFF.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
2: www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):

Now let's test our certificate.

The site ssllabs.com/ssltest/ is perfect for testing.

Auto Renewal

As Let’s Encrypt certs expire after 90 days, they need to be checked for renewal periodically. Certbot will automatically run twice a day and renew any certificate that is within thirty days of expiration.

To test that this renewal process is working correctly, you can run:

sudo certbot renew --dry-run

CONFIGURING AUTO RENEWING LETSENCRYPT SSL CERTS WITH APACHE AND CERTBOT

INSTALLING THE SOFTWARE

As with the Nginx setup, you'll first want to ensure you have a clean environment before installing and configuring the Certbot software. If you've previously set up Certbot or had issues configuring it, this step will wipe the slate clean to set you up for the instructions below:

sudo apt-get remove letsencrypt
sudo apt-get remove certbot

This software removal will leave your certificate configuration in place, so don't worry if you already had a version installed but couldn't get renewal to work. The new version of Certbot will pick up your old certificates without any problem.

Next, add the LetsEncrypt software repo and update your system to use it:

sudo apt-get install software-properties-common
sudo apt-get update

Now you can go ahead and install the latest version of certbot:

sudo apt-get install certbot

The following step is the one which differs between setting up on Apache and Nginx. Here you will add the Apache plugin for Certbot, which is used to automate the renewals:

sudo apt-get install python-certbot-apache

Now that the software is installed, you can begin configuring your sites to use SSL, allowing them to serve content over HTTPS. The newly installed certbot command will allow you to both generate and renew certificates at any time.

GENERATING SSL CERTIFICATES FOR APACHE

Certificates are generated based on the Apache vHosts you have set up on your server. As always, we suggest you back up your existing vHosts before starting, as Certbot may modify their contents based on the options provided. At their most basic you will want to have the following added to each vHost:

<VirtualHost *:443>
    ServerName examplesite.com
    DocumentRoot /var/www/examplesite.com
</VirtualHost>

You can now start the Certbot Apache wizard to generate the certificates.

sudo certbot --apache

You should now be presented with a list of sites detected by the Apache vhost entries:

[Screenshot: Certbot with Apache plugin, list of sites detected for certificate generation]

Enter the number of each site you'd like to be included in the certificate you are creating, comma separated.

You will now be given the option to make the site entirely HTTPS secure by forcing a redirect to the secure URL:

[Screenshot: Certbot with Apache plugin, option to force redirect to HTTPS]

Once you make your selection the vhost will be updated accordingly to use the new certificate and to redirect to the HTTPS URL if desired. You can now test this immediately by loading up your site on the https:// domain.

For more information about LetsEncrypt with Apache, check out the official documentation on the LetsEncrypt website: https://letsencrypt.readthedocs.io/en/latest/using.html#apache

RENEWING SSL CERTIFICATES FOR APACHE

To renew certificates at any time, you may run the following command:

sudo certbot renew --apache

This will take you through the manual steps of renewal. LetsEncrypt will only allow renewal when the certificate is within 30 days of expiry. Once renewed the new certificate will be valid for 90 days from the date of renewal.

Renewing the certificate in this manner does not require you to stop and start Apache: the Apache plugin reloads the configuration on a successful renewal, so visitors to the site are automatically served the new certificate.

AUTOMATING THE SSL CERTIFICATE RENEWAL FOR APACHE

Finally, the most important step of this process is to allow the certificate to auto renew, so that you, as the server admin, don't have to log in to the server to renew all your certs.

The renewal is run by cron. You should find a cronfile that was automatically added on installation to /etc/cron.d/certbot. If the file is not there you can create it.

Update the content of the cron file as follows:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root certbot -q renew --apache

This will run the renew process twice daily, exactly as above when you ran it manually. The -q flag suppresses all output except errors, so a healthy run logs nothing.
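Because a quiet cron job also stays quiet when renewal has been failing for weeks, the one thing a practitioner wants beside the dry-run test above and this cron entry is an independent check that every certificate under Certbot's live directory is still comfortably outside the 30-day renewal window. The script below is an added example, not part of the original post or of Certbot: it assumes Certbot's default layout under /etc/letsencrypt/live, GNU date for parsing the expiry, and an alert threshold of 25 days (chosen here because at that point several twice-daily renew runs have already missed).

```shell
#!/bin/sh
# Audit certificates managed by certbot and flag any that the twice-daily
# renew job should already have replaced. Exit 1 if anything needs attention.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # certbot's default layout
RENEW_WINDOW_DAYS=30   # certbot renews once a cert is within 30 days of expiry
ALERT_DAYS=25          # assumed threshold: several renew runs have already missed

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> whole days until expiry (negative if expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# classify DAYS -> ok | due | overdue | expired
classify() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt "$ALERT_DAYS" ]; then echo overdue
    elif [ "$1" -le "$RENEW_WINDOW_DAYS" ]; then echo due
    else echo ok
    fi
}

# cert_not_after FILE -> notAfter of the certificate as epoch seconds (GNU date)
cert_not_after() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//') || return 1
    date -u -d "$end" +%s
}

# audit -> one line per lineage; returns 1 if any cert is overdue or expired
audit() {
    rc=0
    now=$(date -u +%s)
    for dir in "$LIVE_DIR"/*/; do
        [ -f "$dir/cert.pem" ] || continue          # skip README and stray files
        name=$(basename "$dir")
        exp=$(cert_not_after "$dir/cert.pem") || { echo "$name: unreadable cert"; rc=1; continue; }
        d=$(days_left "$exp" "$now")
        state=$(classify "$d")
        printf '%-40s %5s days  %s\n' "$name" "$d" "$state"
        case $state in overdue|expired) rc=1 ;; esac
    done
    return $rc
}

# Run the audit only when invoked as a script (hypothetical file name check_le_certs.sh).
case "${0##*/}" in check_le_certs.sh) audit ;; esac
```

Run it from a second cron entry or a monitoring agent; a non-zero exit means the certbot cron job has not been doing its work and the renewal logs under /var/log/letsencrypt should be inspected.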

So there you have it, auto renewing LetsEncrypt certificates running on Apache.