Let’s Encrypt is a certificate authority created by the Internet Security Research Group (ISRG). It offers free SSL certificates through a fully automated process designed to eliminate manual certificate creation, validation, installation and renewal. Certificates issued by Let’s Encrypt are valid for 90 days from the date of issue and are trusted by all major browsers today.
Prerequisites
Ensure the following prerequisites are met before proceeding:
- You are logged in as root or a user with sudo privileges.
- The domain you want to obtain an SSL certificate for must point to your public server IP. We will use example.com.
- Apache is installed.
Install Certbot
We will use Certbot to obtain the certificate. It is a command line tool that handles the tasks related to obtaining and renewing Let’s Encrypt SSL certificates. The certbot package is included in the default Ubuntu repositories. Update the package list and install certbot using the following commands:
sudo apt update
sudo apt install certbot
Generate a strong Diffie-Hellman (DH) group
Diffie-Hellman (DH) key exchange is a method for securely exchanging cryptographic keys over an insecure communication channel. To enhance security, create a new set of 2048-bit DH parameters:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
You can increase the size up to 4096 bits, but depending on the entropy available on the system, generation may take more than 30 minutes.
Obtaining a Let’s Encrypt SSL certificate
To obtain an SSL certificate for the domain, we will use the Webroot plugin, which creates a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory.
The Let’s Encrypt server makes an HTTP request to that temporary file, which proves that the requested domain resolves to the server where Certbot is running.
Run the following commands to create the directory and make it writable for the Apache server:
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid duplicating configuration and to keep the settings easier to maintain, create the following two configuration snippets: the first goes in /etc/apache2/conf-available/letsencrypt.conf and the second in /etc/apache2/conf-available/ssl-params.conf (the names that a2enconf enables further below).
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Header always set Strict-Transport-Security "max-age=63072000"
The above snippet restricts TLS to versions 1.2 and 1.3, enables OCSP stapling, sets the HTTP Strict Transport Security (HSTS) header, and uses the Mozilla-recommended cipher suites.
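As an added example (not part of the original tutorial), a small Python checker that audits an ssl-params.conf fragment against the hardening applied above: it expands mod_ssl's SSLProtocol syntax to find legacy versions still enabled, flags cipher suites without forward secrecy, and checks the HSTS max-age. The two sample fragments are constructed (the weak one is only there for comparison), and a missing SSLProtocol directive is assumed to mean the most permissive value, "all".

```python
import re
# Constructed samples: the first mirrors the page's ssl-params.conf, the second is a weak fragment.
HARDENED_CONF = """SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Header always set Strict-Transport-Security "max-age=63072000"
"""
WEAK_CONF = """SSLProtocol all
SSLCipherSuite AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256
Header always set Strict-Transport-Security "max-age=300"
"""
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 31536000  # one year, the usual preload-list minimum

def parse_directives(text):
    """Map directive name -> argument string (a later occurrence overrides an earlier one)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
    return directives

def enabled_protocols(value):
    """Apply mod_ssl's SSLProtocol syntax: 'all' enables every version, '+x' adds, '-x' removes."""
    enabled = set()
    for token in value.split():
        if token == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled

def audit(text):
    """Return findings for a fragment; an empty list means it matches the page's baseline."""
    d, findings = parse_directives(text), []
    legacy = enabled_protocols(d.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("SSLProtocol enables legacy versions: " + ", ".join(sorted(legacy)))
    # Only ECDHE/DHE suites give forward secrecy; '!' entries are exclusions, not ciphers
    non_fs = [c for c in d.get("SSLCipherSuite", "").split(":") if c and not c.startswith(("!", "ECDHE-", "DHE-"))]
    if non_fs:
        findings.append("SSLCipherSuite allows non-forward-secret ciphers: " + ", ".join(non_fs))
    m = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', text)
    age = int(m.group(1)) if m else 0
    if age < MIN_HSTS_AGE:
        findings.append("HSTS max-age %d is below %d" % (age, MIN_HSTS_AGE) if m else "HSTS header missing")
    return findings
```

Run audit() on the contents of your own ssl-params.conf; anything it reports is a deviation from the baseline the snippet above establishes.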
Before enabling the configuration files, ensure that both mod_ssl and mod_headers are enabled by issuing:
sudo a2enmod ssl
sudo a2enmod headers
Next, enable the SSL configuration files by running the following commands:
sudo a2enconf letsencrypt
sudo a2enconf ssl-params
Enable the HTTP/2 module, which makes your sites faster and more powerful:
sudo a2enmod http2
Reload the Apache configuration to apply the changes:
sudo systemctl reload apache2
Now we can run the Certbot tool with the webroot plugin and get the SSL certificate files:
sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
If the SSL certificate is successfully obtained, certbot prints the following message:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Now that you have the certificate files, edit your domain virtual host configuration as follows:
<VirtualHost *:80>
    ServerName mail.digital.mk
    Redirect permanent / https://mail.digital.mk/
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.digital.mk
    Protocols h2 http/1.1

    <If "%{HTTP_HOST} == 'www.mail.digital.mk'">
        Redirect permanent / https://mail.digital.mk/
    </If>

    DocumentRoot /var/www/mail.digital.mk/public_html

    ErrorLog ${APACHE_LOG_DIR}/mail.digital.mk-error.log
    CustomLog ${APACHE_LOG_DIR}/mail.digital.mk-access.log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/mail.digital.mk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.digital.mk/privkey.pem

    # Other Apache Configuration
</VirtualHost>
With the above configuration, we force HTTPS and redirect from the www to the non-www version of the site. Feel free to adjust the settings to suit your needs.
To apply the changes, reload the Apache service:
sudo systemctl reload apache2
You can now open your website using https:// and you will notice a green lock icon.
If you test your domain using SSL Labs Server Test, you will get an A+ grade as shown below:
Let’s Encrypt certificates are valid for 90 days. To renew them automatically before they expire, the certbot package installs a cron job that runs twice a day and renews every certificate that is within 30 days of its expiry date.
After a certificate is renewed, the Apache service has to be reloaded. Add the --renew-hook "systemctl reload apache2" option to the certbot command in the /etc/cron.d/certbot file so that it looks like this:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
To test the renewal process, you can use the certbot --dry-run switch:
sudo certbot renew --dry-run
If there is no error, it means that the renewal process was successful.