Setting up HTTPS (SSL/TLS) with Let's Encrypt and Apache on Ubuntu 14.04

Download the 'certbot-auto' Utility

Begin by downloading the certbot-auto utility, making it executable and, optionally, moving it to a directory in your PATH for convenience.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

View the 'certbot-auto' Command Line Help Info

certbot-auto -h

  certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  register             Perform tasks related to registering with the CA
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, renew, install, register, nginx, apache, standalone,
   webroot, etc.)

Run the 'certbot-auto' Command with the Apache Plugin Argument

Use the --apache option to have certbot-auto both obtain the certificate and configure Apache to use it, and the -d argument to specify the domain you wish to certify. In my case I ran:

certbot-auto --apache -d blog.whabash.com

This adds an Apache VirtualHost for the specified domain that listens on port 443 (SSL/TLS). The certbot-auto command offers an option to force all requests to HTTPS, although I haven't tried it yet. I've instead been using the following RedirectMatch directive in the port 80 (plain HTTP) VirtualHost, which catches every request arriving there and sends it, with a permanent (301) redirect, to port 443 for processing by the secure VirtualHost created in the previous step.

RedirectMatch permanent ^/(.*) https://blog.whabash.com/$1

Add the 'certbot-auto renew' Command to a Cron Job

Since the certificate is only valid for 90 days, the documentation recommends a cron job that runs certbot-auto renew twice a day. The renew subcommand only replaces certificates that are within 30 days of expiry, so the frequent runs cost nothing and leave room for a failed attempt to be retried. The entry below is in /etc/crontab format (note the root user field); in a per-user crontab, which has a much smaller PATH, reference certbot-auto by its absolute path:

15 1,4  * * * root  certbot-auto renew >> /user/ubuntu/le-renew.log
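A renewal wrapper for that cron job, added here as an example and not part of the original post: it logs how much lifetime the live certificate has left, runs certbot-auto renew with a post-hook that reloads Apache so the renewed certificate is actually served, and exits non-zero (which makes cron mail the output) if the certificate is still close to expiry afterwards, instead of failing silently into a log file. Assumed: certbot-auto at /usr/local/bin/certbot-auto, the script installed as /usr/local/sbin/le-renew.sh and called by absolute path from the cron entry, and certbot's default /etc/letsencrypt/live/ layout.

```shell
#!/usr/bin/env bash
# le-renew.sh: renewal wrapper for the cron job above (added example, not from the original post).
# Assumed paths: certbot-auto in /usr/local/bin, certbot's default live directory.
set -u

CERTBOT=/usr/local/bin/certbot-auto      # absolute path so it works from any crontab's PATH
DOMAIN=blog.whabash.com
LIVE_CERT=/etc/letsencrypt/live/$DOMAIN/cert.pem
WARN_DAYS=7                              # renew acts 30 days out, so under 7 days left means renewal keeps failing

# Whole days from a reference epoch ($2) to an expiry epoch ($1); negative once expired.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# Exit status 0 when the remaining lifetime is short enough to alert on.
should_warn() {
    [ "$1" -lt "$WARN_DAYS" ]
}

# Expiry of the live cert as a Unix timestamp (GNU date parses openssl's notAfter format).
cert_expiry_epoch() {
    local line
    line=$(openssl x509 -in "$LIVE_CERT" -noout -enddate) || return 1
    date -u -d "${line#notAfter=}" +%s
}

main() {
    local expiry days
    expiry=$(cert_expiry_epoch) || { echo "cannot read $LIVE_CERT" >&2; exit 1; }
    days=$(days_left "$expiry" "$(date +%s)")
    echo "$(date -u +%FT%TZ) $DOMAIN: $days day(s) left before renew"
    # renew only touches certs within 30 days of expiry; the post-hook runs only if something was renewed
    "$CERTBOT" renew --quiet --post-hook "service apache2 reload"
    expiry=$(cert_expiry_epoch) || exit 1
    days=$(days_left "$expiry" "$(date +%s)")
    if should_warn "$days"; then
        # stderr output makes cron mail the admin rather than burying the failure in a log file
        echo "WARNING: $DOMAIN expires in $days day(s); renewal is not succeeding" >&2
        exit 2
    fi
}

# Run only when invoked as the installed script, so the functions can be sourced for testing.
case "$0" in *le-renew.sh) main ;; esac
```

Point the cron entry at /usr/local/sbin/le-renew.sh in place of the bare certbot-auto renew; the log redirection can stay, since warnings go to stderr and still reach cron's mail.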
