Let’s Encrypt and Apache

The Let's encrypt Logo

Before the days of mooey5775, there were the dark days before Let’s Encrypt. To get an SSL certificate, you would have to go through long and convoluted processes, and pay various amounts of money, depending on the service you use.

However, Let’s Encrypt comes in to save the day. Let’s Encrypt is focused on a 100% HTTPS web. They were created by the Internet Security Research Group, and also backed by major players like the EFF and Mozilla. Let’s Encrypt provides free SSL certificates without requiring you to give up all personally identifying information. This makes Let’s Encrypt one of the best, if not the best, way to secure your website.

The Let's encrypt Logo
Let’s Encrypt this logo too!

Early Days

A rudimentary client was released in the first few days of Let’s Encrypt. I used this client to get an SSL certificate for mooey5775, but the renewal process was mostly tedious. In addition, it lacked one of the more valuable services, at least for me: automated installation on an Apache server. Back in the days of mooey5775, I would manually write the server virtual host file to configure SSL.

However, the client for Let’s Encrypt was heavily refined over the past month or two, and now sports an entirely different name: certbot. This pretty much removed most of the disadvantages of the previous client, including:

  • Automatic Apache installation and verification
  • Better renewal
  • Better documentation
  • A new name!

The new certbot is much better than the previous client, from my experience using it with ed.ward.

Installation

This tutorial is intended for Apache on Ubuntu.

As Ubuntu does not have a prepackaged certbot client, you’ll need to fetch it from the certbot-auto script. Basically, this script will autodetect the OS that you’re using and install all dependencies in a virtual environment. Nice. To download it, all you need to do is type this at your terminal:

wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto

Basically, we’re getting certbot-auto off of EFF’s servers, and then reassigning permissions to allow the execution of such a script.

After you’ve downloaded the script, it’s time to install it. Simply run:

./certbot-auto

and it should install all dependencies. Be warned, it might take a while.

Usage

This part is really easy, which is why certbot is really great.

All you need to do is run this command, assuming you’re still in the same directory as certbot is:

./certbot-auto --apache

Now, just follow the prompts, select your website, and give certbot the little information and time it needs. You also might need to type in your password for sudo permissions.

Auto-renew

Let’s Encrypt certificates are only valid for three months, so you need a solid renewal system for this task.

The first thing we need to do is test renewal. We can do this with a dry run of the renew command:

./certbot-auto renew --dry-run

If there are no errors for the domains that you want to renew, you are good to go! If you see a few errors, then it’s probably related to permissions or site verification. Just read the error message, and if you need more help, contact me here.

Now, we’ll want to automate this script. Let’s Encrypt suggests running the renew command twice daily to ensure the timely renewal of your certs. Even though you might think that certs will randomly renew, certbot is intelligent. It actually doesn’t renew a cert unless you’re a certain distance away from the expiry date. Therefore, we can set up a cron job that will run this command. But first, a log file to make sure that the command actually succeeds.

In the directory that you want to log file to be in, type these commands:

touch renew.log
sudo chmod 666 renew.log

Crontabbing!

Basically, this creates a new empty log file that has read-write permissions for everyone. Now, we can create the cron job:

sudo crontab -e will open the editor for the root crontab. You want root privileges because Let’s Encrypt needs some root permissions to make sure your certificates are safe and secure.

Once you’re in the file, add this line:

{MINUTE} {HOUR1},{HOUR2} * * * /path/to/certbot-auto renew --no-self-upgrade --non-interactive >> /path/to/renew.log 2>&1

Replace {MINUTE} with a random minute number as well as {HOUR1} and {HOUR2}. Try to make these times when traffic is low on your site, so there’s less chance of something not working right when the new cert is installed. Basically, the renew script will execute at these times and spit both output and errors to your log file.

Now, type Ctrl-X, y, [Enter] in that order to exit and save the crontab. Your crontab should now execute your renew command, and you’ll keep your certs nice and up to date. If you want extra confirmation that it’s working, just check your log file a day or so later, and you should see some output there.

Hopefully, this was helpful for you. Let me know if anything goes wrong, and… Happy Encrypting!

Leave a Reply

Your email address will not be published. Required fields are marked *