LetsEncrypt

The information herein was stolen from the following website: http://www.tecmint.com/install-free-lets-encrypt-ssl-certificate-for-apache-on-debian-and-ubuntu/


I have changed some of the information as relevant to my situation.

Step 1: Install Apache and Enable SSL Module

1. If you don’t already have the Apache webserver installed on your machine, issue the following command to install the Apache daemon.

$ sudo apt-get install apache2

2. Activating the SSL module for the Apache webserver on Ubuntu or Debian is quite straightforward.

$ sudo a2enmod ssl
$ sudo service apache2 reload
or
$ sudo systemctl restart apache2.service

3. We also have to create a config file for ssl. Copy the existing config file for the site in question, rename it something like yourdomain-ssl.conf and edit the following lines:

#NameVirtualHost *:443

<VirtualHost *:443>


Now issue the command:

$ sudo a2ensite yourdomain-ssl.conf

$ sudo service apache2 reload


Step 2: Install Free Let’s Encrypt Client

1. In order to install the Let’s Encrypt software on your server you need to have the git package installed on your system. Issue the following command to install git:

$ sudo apt-get -y install git

2. Next, choose a directory in your system hierarchy where you want to clone the Let’s Encrypt git repository. In this tutorial we will use a directory under /opt/ (here /opt/LEncrypt) as the installation path for Let’s Encrypt.

$ sudo mkdir -p /opt/LEncrypt
$ cd /opt/LEncrypt
$ sudo git clone https://github.com/letsencrypt/letsencrypt


Step 3: Generate a SSL Certificate for Apache

1. The process of obtaining an SSL certificate for Apache is automated thanks to the client’s Apache plugin. Generate the certificate by issuing the following command against your domain name. Provide your domain name as a parameter to the -d flag.

$ cd /opt/LEncrypt/letsencrypt
$ sudo ./letsencrypt-auto --apache -d your_domain.tld

If you need the certificate to cover multiple domains or subdomains, add each one with its own -d flag after the base domain name. Every name must have a valid DNS record.

$ sudo ./letsencrypt-auto --apache -d your_domain.tld -d www.your_domain.tld

2. Agree to the license, enter an email address for recovery and choose whether clients can browse your domain over both HTTP and HTTPS (insecure and secure) or whether all non-secure requests are redirected to HTTPS.


3. After the installation process finishes successfully, a congratulation message is displayed on your console informing you about the expiration date and how you can test the configuration.

Now you should be able to find your certificate files in the /etc/letsencrypt/live directory with a simple directory listing.

$ sudo ls /etc/letsencrypt/live

4. Go back to the ssl config file and add the following lines:


</Directory>

SSLEngine on

SSLCertificateFile /etc/letsencrypt/live/www.yourdomain.com/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/www.yourdomain.com/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem


5. Again do:

$ sudo service apache2 reload


6. Finally, to verify the status of your SSL Certificate visit the following link. Replace the domain name accordingly.

https://www.ssllabs.com/ssltest/analyze.html?d=your_domain.tld&latest

Also, visitors can now access your domain name using HTTPS protocol without any error appearing in their web browsers.


Step 4: Auto Renew Let’s Encrypt Certificates

1. By default, certificates issued by the Let’s Encrypt authority are valid for 90 days. In order to renew the certificate before the expiration date you must manually run the client again using the same flags and parameters as earlier.

$ sudo ./letsencrypt-auto --apache -d your_domain.tld

Or in case of multiple subdomains:

$ sudo ./letsencrypt-auto --apache -d your_domain.tld -d www.your_domain.tld

2. The certificate renewal process can be automated to run less than 30 days before the expiration date by using the Linux cron scheduling daemon.

$ sudo crontab -e

Add the following command at the end of the crontab file, using one line only. The path must be the directory the client was cloned into in Step 2:

0 1 1 */2 * cd /opt/LEncrypt/letsencrypt && ./letsencrypt-auto certonly --apache --renew-by-default -d domain.tld >> /var/log/domain.tld-renew.log 2>&1

3. Details about the renewal configuration for your domain can be found in the /etc/letsencrypt/renewal/ directory.

$ cat /etc/letsencrypt/renewal/caeszar.tk.conf

You should also check the file /etc/letsencrypt/options-ssl-apache.conf to view the new SSL configuration file for the Apache webserver.

4. Also, the Let’s Encrypt Apache plugin modifies some files in your webserver configuration. To check which files have been modified, list the content of the /etc/apache2/sites-enabled directory.

$ ls /etc/apache2/sites-enabled/
$ sudo cat /etc/apache2/sites-enabled/000-default-le-ssl.conf
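
The cron entry in step 2 renews on a fixed schedule whether or not the certificate is near expiry. As an added example (not part of the original tutorial), the wrapper below checks the remaining lifetime with openssl and calls the client only when fewer than 30 days are left. The function names, RENEW_HOOK and RELOAD_CMD are hypothetical, and it assumes one certificate per domain name under /etc/letsencrypt/live.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Paths follow this page;
# function names, RENEW_HOOK and RELOAD_CMD are hypothetical.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
CLIENT_DIR="${CLIENT_DIR:-/opt/LEncrypt/letsencrypt}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"
RENEW_HOOK="${RENEW_HOOK:-run_client}"
RELOAD_CMD="${RELOAD_CMD:-service apache2 reload}"

# needs_renewal CERT [DAYS]: exit status 0 when renewal is due.
needs_renewal() {
    cert=$1
    days=${2:-$THRESHOLD_DAYS}
    # A missing or unreadable certificate counts as due, so the renewal
    # attempt (and its error) lands in the log instead of being skipped.
    [ -r "$cert" ] || return 0
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" \
        >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# run_client DOMAIN: same client options as the crontab entry on this page.
run_client() {
    (cd "$CLIENT_DIR" &&
        ./letsencrypt-auto certonly --apache --renew-by-default -d "$1")
}

# renew_if_due DOMAIN: renew and reload Apache only when needed.
renew_if_due() {
    domain=$1
    if ! needs_renewal "$LIVE_DIR/$domain/cert.pem"; then
        echo "$domain: more than $THRESHOLD_DAYS days left, skipping"
        return 0
    fi
    echo "$domain: renewal due"
    "$RENEW_HOOK" "$domain" || { echo "$domain: renewal FAILED" >&2; return 1; }
    # Apache keeps serving the old certificate until it is reloaded.
    $RELOAD_CMD
}

# Usage from root's crontab: renew-check.sh your_domain.tld
if [ "$#" -gt 0 ]; then
    for d in "$@"; do renew_if_due "$d"; done
fi
```

Because the check is cheap, this script can run daily from cron; a failed renewal then shows up in the log weeks before the certificate expires rather than on the next bimonthly run.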


Step 5: HTTP to HTTPS redirect

1. Add the following line to the non ssl config file:

ServerAlias yourdomain.com

Redirect permanent / https://www.yourdomain.com/