Debian, Apache and Let's Encrypt

NOTE: Probably a bit outdated by now, but kept for reference.

A free and fully worthy alternative to buying DV CA SSL certificates. Keywords being DV and CA. Check out more about Let's Encrypt by visiting their website. These are my notes about setting it up for one of my domains for the first time.

Installing Let's Encrypt
# nano /etc/apt/sources.list
  ^ deb http://ftp.debian.org/debian jessie-backports main
# apt-get update
# apt-get install python-certbot-apache -t jessie-backports

Setting up SSL for my domain
I don't want certbot messing with my configuration blindly. I just want the certificates that I can put into the domain configuration files myself in my own way. So I use certonly and webroot.
# certbot certonly --webroot -w /home/user/public_www/my-site-files/ -d my-site.example.com

Certificate files generated
# ls /etc/letsencrypt/live/my-site.example.com/
cert.pem  chain.pem  fullchain.pem  privkey.pem

Configuration of the vhost
SSLCertificateFile /etc/letsencrypt/live/my-site.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my-site.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my-site.example.com/chain.pem

# service apache2 reload

Tested OK. My .NET applications also continued to push data without any complaints to HTTPS. When using webroot like above, on a brand new site without SSL yet, set up a non-SSL vhost first so it can perform the ACME challenge. Afterwards you can forward http to https or just keep the latter.

Test automatic renewal for all domains
# certbot renew --dry-run

Towards the end it should show:
Congratulations, all renewals succeeded. The following certs have been renewed: ...

Simple cron.daily renewal script for all domains
certbot renew --no-self-upgrade --quiet
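
Apache reads certificate files at start or reload, and certonly leaves Apache alone, so a renewed certificate is not served until a reload happens. The script below is an added example, not part of the original notes: it wraps the same renew command and reloads Apache only when a live certificate actually changed. The file name certbot-renew and the LIVE override variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. Intended to be installed as
# /etc/cron.daily/certbot-renew (file name is an assumption).
LIVE="${LIVE:-/etc/letsencrypt/live}"

# Hash every live fullchain.pem; any renewal changes the digest.
live_digest() {
    cat "$1"/*/fullchain.pem 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Renew, then reload Apache only if a certificate changed and the
# configuration still parses. Returns non-zero if anything failed.
renew_and_reload() {
    before=$(live_digest "$LIVE")
    certbot renew --no-self-upgrade --quiet || return 1
    after=$(live_digest "$LIVE")
    if [ "$before" = "$after" ]; then
        return 0    # nothing was renewed, leave Apache alone
    fi
    # Never reload onto a broken configuration; cron mails the message.
    if ! apache2ctl configtest >/dev/null 2>&1; then
        echo "certificate renewed but Apache config is invalid, not reloading" >&2
        return 1
    fi
    service apache2 reload
}

# Run only when installed under the cron name, so the functions can be
# sourced or tested without calling certbot.
case "$0" in
    */certbot-renew) renew_and_reload ;;
esac
```

Comparing digests avoids depending on certbot's hook options, which differ between versions.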

Deleting a certificate
# certbot delete
	^ Then choose domain to delete for.

DEBUG log location:

Original Post: Jan 28th, '22 15:37 CET.
Updated: Jan 28th, '22 15:41 CET.

Tags: GNU/Linux