Quick Start: Let's Encrypt

Let's Encrypt, it couldn't be simpler.

Installing certbot, it couldn't be simpler:

  •  Go to the certbot site to obtain your software.
    In this recipe we will be using Apache on Ubuntu.

$ sudo su
# apt-get update
# apt-get install software-properties-common
# add-apt-repository universe
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install certbot python-certbot-apache

Create a test site:

# cd /etc/apache2/sites-available
# cat > me.ensite.test.conf # your site name here
<VirtualHost *:80>
    ServerName test.ensite.me
    DocumentRoot /var/www/me.ensite.test

    <Directory "/var/www/me.ensite.test">
        allow from all
        Options None
        Require all granted
    </Directory>

</VirtualHost>
^D
# mkdir -p /var/www/me.ensite.test
# cd ../sites-enabled
# ln -s ../sites-available/me.ensite.test.conf
# systemctl restart apache2.service

Perform any DNS resolution updates required. Check that the site is up and working.

Run certbot against that test site:

# certbot --apache -d test.ensite.me

Certbot will go through a number of stages, prompting for a response at various points:

Plugins selected: Authenticator apache, Installer apache
[...]
Starting new HTTPS connection (1): supporters.eff.org
[...]
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test.ensite.me
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/me.ensite.test-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/me.ensite.test-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/me.ensite.test-le-ssl.conf

Enabling redirection will update the site configuration file and add a new site configuration file for the site listening on port 443.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/me.ensite.test.conf to ssl vhost in /etc/apache2/sites-available/me.ensite.test-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://test.ensite.me

As this is the first run of certbot...

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/test.ensite.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/test.ensite.me/privkey.pem
   Your cert will expire on 2019-04-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Check the Apache site configuration:

The certbot script should have created a new site configuration file in /etc/apache2/sites-available listening on port 443, and updated the existing configuration file listening on port 80, thus:

# ls me.ensite.test*
me.ensite.test.conf  me.ensite.test-le-ssl.conf

me.ensite.test.conf:

<VirtualHost *:80>
    ServerName test.ensite.me
    DocumentRoot /var/www/me.ensite.test

    <Directory "/var/www/me.ensite.test">
        allow from all
        Options None
        Require all granted
    </Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =test.ensite.me
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

me.ensite.test-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName test.ensite.me
    DocumentRoot /var/www/me.ensite.test

    <Directory "/var/www/me.ensite.test">
        allow from all
        Options None
        Require all granted
    </Directory>

SSLCertificateFile /etc/letsencrypt/live/test.ensite.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/test.ensite.me/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Restart Apache:

# systemctl restart apache2.service

voilà!

What it's done:

Let's Encrypt (via certbot) has

  • duplicated the existing Apache configuration for the site into a second VirtualHost listening on port 443;
  • wrapped that copy in the new SSL certificate; and
  • added rewrite rules to the bottom of the original configuration to redirect port 80 to port 443.

Consequently, any existing site configuration within the site.conf file will need to be reviewed.

For example:

Plone and apache reverse proxy rewrite rules:

A typical apache rewrite rule to support Plone may look like:

<VirtualHost *:80>
    ServerName test.ensite.me

    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    RewriteEngine on
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/test/VirtualHostRoot/$1 [P,L]

</VirtualHost>

Certbot will append its rewrite lines to the site.conf file and create a new site-le-ssl.conf listening on port 443, thus:

<VirtualHost *:80>
    ServerName test.ensite.me

    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    RewriteEngine on
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/test/VirtualHostRoot/$1 [P,L]

RewriteCond %{SERVER_NAME} =test.ensite.me
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

and thus:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName test.ensite.me

    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    RewriteEngine on
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/test/VirtualHostRoot/$1 [P,L]

SSLCertificateFile /etc/letsencrypt/live/test.ensite.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/test.ensite.me/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

This shemozzle will need to be tidied up to get your Plone configuration working again. First, in the site.conf file, remove the Plone rewrite rule:

<VirtualHost *:80>
    ServerName test.ensite.me

    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =test.ensite.me
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Second, in the site-le-ssl.conf file, update the Plone rewrite rule for HTTPS on port 443 (scheme https and port 443 in the VirtualHostBase path):

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName test.ensite.me

    ProxyPreserveHost on
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    RewriteEngine on
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{HTTP_HOST}:443/test/VirtualHostRoot/$1 [P,L]

SSLCertificateFile /etc/letsencrypt/live/test.ensite.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/test.ensite.me/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

  • Done!
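A small POSIX shell script, added here as an example rather than taken from the recipe or from certbot, that applies the two tidy-up steps above with sed and then checks the result. The file names are arguments; write_sample_confs builds constructed copies of the untidied vhosts so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original recipe: automate the Plone tidy-up
# certbot leaves behind. site.conf (port 80) keeps only certbot's redirect;
# site-le-ssl.conf (port 443) gets the Plone rule rewritten for https/443.
set -eu

# Port-80 vhost: drop the Plone proxy RewriteRule (the only VirtualHostBase
# line). Certbot's RewriteCond/RewriteRule redirect to HTTPS stays in place.
strip_plone_rule_http() {
    sed -i.bak '/VirtualHostBase/d' "$1"
}

# Port-443 vhost: tell Plone it is reached over https on 443, so the absolute
# URLs it generates use https:// instead of bouncing through the redirect.
fix_plone_rule_https() {
    sed -i.bak 's#/VirtualHostBase/http/%{HTTP_HOST}:80/#/VirtualHostBase/https/%{HTTP_HOST}:443/#' "$1"
}

# Returns 0 when $1 (port 80) and $2 (port 443) match the tidied confs above.
plone_confs_ok() {
    ! grep -qF 'VirtualHostBase' "$1" &&
    grep -qF 'RewriteRule ^ https://' "$1" &&
    grep -qF 'VirtualHostBase/https/%{HTTP_HOST}:443/' "$2" &&
    ! grep -qF 'VirtualHostBase/http/' "$2"
}

# Constructed sample confs (the untidied state shown above), written into $1.
write_sample_confs() {
    plone='    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/test/VirtualHostRoot/$1 [P,L]'
    printf '<VirtualHost *:80>\n    ServerName test.ensite.me\n    RewriteEngine on\n%s\nRewriteCond %%{SERVER_NAME} =test.ensite.me\nRewriteRule ^ https://%%{SERVER_NAME}%%{REQUEST_URI} [END,NE,R=permanent]\n</VirtualHost>\n' "$plone" > "$1/site.conf"
    printf '<VirtualHost *:443>\n    ServerName test.ensite.me\n    RewriteEngine on\n%s\nSSLCertificateFile /etc/letsencrypt/live/test.ensite.me/fullchain.pem\n</VirtualHost>\n' "$plone" > "$1/site-le-ssl.conf"
}
```

Run apachectl configtest before systemctl restart apache2.service so a sed slip cannot take the site down; the .bak copies sed leaves behind let you diff what changed.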


Adding a domain to an existing certificate:

  • Create the new vhost:

$ sudo su
# cd /etc/apache2/sites-available
# cp me.ensite.test.conf me.ensite.test1.conf
# cp me.ensite.test-le-ssl.conf me.ensite.test1-le-ssl.conf

  • update the two .conf files with the correct ServerName field, i.e.

<VirtualHost *:80>
    ServerName test1.ensite.me

  • Create the links in sites-enabled, and restart apache
  • Check that the basic site configuration is correct
    You should receive a certificate error as the site and certificate don't match
  • Update the certificate, making sure you include all relevant domains thus

# certbot --apache --expand -d test.ensite.me,test1.ensite.me

  • Done!


Ingredients:

  • Ubuntu 16.04 Server
  • Apache
  • Certbot

Optionally:

  • Plone

To Do:

  • Wordpress
  • Drupal

References:

Let's Encrypt
https://letsencrypt.org/
Certbot
https://certbot.eff.org/