Say Web Solutions

Setting up HTTPS (SSL/TLS) with Let's Encrypt and Apache on Ubuntu 14.04

Linux Apache SSL TLS HTTPS Ubuntu Lets Encrypt

Download the 'certbot-auto' Utility

Begin by downloading the certbot utility and optionally move it to a directory in your path for convenience.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

View the 'certbot-auto' Command Line Help Info

certbot-auto -h

certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver certonly Obtain cert, but do not install it (aka "auth") install Install a previously obtained cert in a server renew Renew previously obtained certs that are near expiry revoke Revoke a previously obtained certificate register Perform tasks related to registering with the CA rollback Rollback server configuration changes made during install config_changes Show changes made to server config during installation plugins Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

--apache Use the Apache plugin for authentication & installation --standalone Run a standalone webserver for authentication --nginx Use the Nginx plugin for authentication & installation --webroot Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

--authenticator standalone --installer apache

More detailed help:

-h, --help [topic] print this message, or detailed help on a topic; the available topics are:

all, automation, paths, security, testing, or any of the subcommands or plugins (certonly, renew, install, register, nginx, apache, standalone, webroot, etc.)

Run the 'certbot-auto' Command with the Apache Plugin Argument

Use the --apache parameter to automate obtaining and installing the certificate, and the -d argument to specify the domain you wish to certify. In my case I ran:

certbot-auto --apache -d blog.whabash.com

This will add an Apache VirtualHost for the specified domain which listens on port 443 (SSL/TLS). The certbot-auto command offers an option to force all requests to HTTPS, although I haven't tried it yet. I've instead been using the following RedirectMatch directive which catches all requests to the HTTP (non-secure) port 80 VirtualHost and redirects them to port 443 for processing by the secure VirtualHost that was created in the previous step.

RedirectMatch permanent ^/(.*) https://blog.whabash.com/$1

Add the 'certbot-auto renew' Command to a Cron Job

Since the certificate is only valid for 90 days, the documentation recommends setting up the cron to run twice a day:

15 1,4  * * * root  certbot-auto renew >> /user/ubuntu/le-renew.log

Helpful Links

Comments