Debian, Apache and Let's Encrypt
By Dag, on December 30th, 2016
A cheap alternative to buying already cheap DV CA SSL certificates, the keywords being DV and CA. Check out more about Let's Encrypt by visiting their website. These are my notes from setting it up for one of my domains for the first time.
Installing Let's Encrypt
```
# nano /etc/apt/sources.list
```
Add the backports line to the file:
```
deb http://ftp.debian.org/debian jessie-backports main
```
Then install certbot from backports:
```
# apt-get update
# apt-get install python-certbot-apache -t jessie-backports
```
Setting up SSL for my domain
I don't want certbot messing with my configuration blindly. I just want the certificates, which I can then put into the domain configuration files myself, in my own way. So I use:
```
# certbot certonly --webroot -w /home/user/public_www/my-site-files/ -d my-site.example.com
```
Certificate files generated
```
# ls /etc/letsencrypt/live/my-site.example.com/
cert.pem  chain.pem  fullchain.pem  privkey.pem
```
Configuration of the vhost
```apache
SSLCertificateFile /etc/letsencrypt/live/my-site.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my-site.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my-site.example.com/chain.pem
```
```
# service apache2 reload
```
Tested OK. My .NET applications also continued to push data over HTTPS without any complaints. When using webroot like above on a brand new site without SSL yet, set up a non-SSL vhost first so that certbot can perform the ACME challenge over plain HTTP. Afterwards you can redirect http to https, or just keep the latter.
Test automatic renewal for all domains
```
# certbot renew --dry-run
```
Towards the end it should print:
```
Congratulations, all renewals succeeded. The following certs have been renewed:
...
```
Simple cron.daily renewal script for all domains
```bash
#!/bin/bash
certbot renew --no-self-upgrade --quiet
```
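One thing that one-liner does not do: `certbot certonly` only writes new files, and Apache keeps serving whatever certificate it loaded at its last reload, so without a reload the renewed certificate sits unused on disk until the old one expires. Below is an added example (mine, not part of the original notes) of a renewal script that reloads Apache only when a `cert.pem` actually changed; it assumes the `/etc/letsencrypt/live/<domain>/` layout shown above, and the stamp file path is a hypothetical choice.

```python
#!/usr/bin/env python3
# Added example, not from the original post: renew, then reload Apache only when
# certbot wrote a new cert.pem. Assumes the live/<domain>/ layout shown above.
import os
import subprocess
import tempfile

LIVE_DIR = "/etc/letsencrypt/live"
STAMP = "/var/lib/letsencrypt/last-apache-reload"  # hypothetical stamp file


def renewed_since(live_dir, stamp):
    """Domains whose cert.pem is newer than the stamp (all of them if no stamp yet)."""
    stamp_mtime = os.stat(stamp).st_mtime if os.path.exists(stamp) else -1.0
    renewed = []
    for domain in sorted(os.listdir(live_dir)):
        cert = os.path.join(live_dir, domain, "cert.pem")
        if os.path.isfile(cert) and os.stat(cert).st_mtime > stamp_mtime:
            renewed.append(domain)
    return renewed


def mark_reloaded(stamp):
    # Touch the stamp so the next run compares cert mtimes against this reload.
    os.makedirs(os.path.dirname(stamp), exist_ok=True)
    open(stamp, "a").close()
    os.utime(stamp, None)


def main():
    # Same renew call as the cron.daily one-liner, followed by a reload if needed.
    subprocess.run(["certbot", "renew", "--no-self-upgrade", "--quiet"], check=True)
    renewed = renewed_since(LIVE_DIR, STAMP)
    if renewed:
        subprocess.run(["service", "apache2", "reload"], check=True)
        mark_reloaded(STAMP)
    return renewed


def self_check():
    # Exercise renewed_since() on a constructed live/ tree; returns three results.
    with tempfile.TemporaryDirectory() as tmp:
        live, stamp = os.path.join(tmp, "live"), os.path.join(tmp, "stamp")
        for domain in ("a.example.com", "b.example.com"):
            os.makedirs(os.path.join(live, domain))
            open(os.path.join(live, domain, "cert.pem"), "w").close()
        first = renewed_since(live, stamp)  # no stamp yet: both count as renewed
        mark_reloaded(stamp)
        os.utime(stamp, (9e9, 9e9))  # pin the stamp well past the certs' mtimes
        second = renewed_since(live, stamp)  # nothing newer than the stamp
        os.utime(os.path.join(live, "b.example.com", "cert.pem"), (9.5e9, 9.5e9))
        third = renewed_since(live, stamp)  # only b.example.com was "renewed"
        return first, second, third


if __name__ == "__main__":
    print("renewed and reloaded for:", main())
```

Drop it into /etc/cron.daily in place of the one-liner; the stamp file is only written after a successful reload, so a failed reload is retried on the next run.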
DEBUG log location: