Let’s Encrypt Web Server Agnostic Install

Versions and Server Environment

This tutorial was tested on Apache 2.4.7 running on Ubuntu 14.04, Apache 2.4.9 on Ubuntu 16.04 (Xenial), and NGINX 1.14 running on Ubuntu 18.04 (Bionic). Instructions for deploying on Apache >= 2.4.8 are included below.

Let’s Encrypt is a command line python application (a client) capable of generating, validating, renewing, and revoking TLS certificates. Full documentation is available on ReadTheDocs.

Update and Cross-References

This tutorial is a much simpler alternative to our post on Creating SSL Certs for Multi-Domain V-Hosts

If this is your first time using Let’s Encrypt on your server, install the PPA (Personal Package Archive) like so:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot -y

If you have a heavily customized virtual host file and/or your virtual host file is not located in the default /var/www/ you are better off generating the certificate via the webroot plugin, instead of the Apache plugin.

Here’s how to use the webroot plugin:

$ sudo certbot certonly --webroot -w /path_to/web_directory/example.com/public/ -d example.com -d www.example.com --agree-tos --email email@your_email_provider.com
The Let’s Encrypt README describes the plugin as: webroot (adds files to webroot directories in order to prove control of domains and obtain certs)

The webroot plugin works by creating a directory called .well-known/acme-challenge in your site’s webroot and placing a challenge file there. The letsencrypt client then communicates with https://acme-v01.api.letsencrypt.org/, which fetches that file over plain HTTP to validate that you control the domain before the certificate is issued.
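A pre-flight check for that mechanism, added here as example code that is not part of the original post or of certbot: it writes a throwaway token into the challenge directory and fetches it back over HTTP the way the ACME server would, so a wrong -w path or a rewrite rule that blocks /.well-known/ shows up before certbot is run. The webroot path and base URL are arguments you supply; the loopback server helper is a stand-in for Apache/NGINX used only for the demonstration.

```python
import functools
import http.server
import os
import secrets
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"


def check_webroot_challenge(webroot, base_url, timeout=5.0):
    """Write a random token under <webroot>/.well-known/acme-challenge/
    and fetch it back via base_url, as the ACME server would.
    Returns True only when the served body equals the token."""
    challenge_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)
    token_file = os.path.join(challenge_dir, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace").strip() == token
    except (urllib.error.URLError, OSError):
        # 404, connection refused or timeout: the path is not reachable
        return False
    finally:
        os.remove(token_file)  # never leave probe files in the webroot


def serve_directory(directory):
    """Demo helper only (assumption, not part of certbot): serve
    `directory` on a loopback port in a thread, return (server, base_url)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as webroot:
        server, url = serve_directory(webroot)
        print("webroot reachable:", check_webroot_challenge(webroot, url))
        server.shutdown()
```

Against a real server, call check_webroot_challenge with the same directory you pass to -w and the site's public http:// URL.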

After running the webroot command, the following output should appear once the cert has been issued:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-05-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

SSL Directives for Apache Versions <= 2.4.8

If you’re using Apache 2.4.8 or older, use the following settings in your virtual host file:

  # SSL Directives for Apache Versions <= 2.4.8
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

SSL Directives for Apache Versions >= 2.4.8

If you’re using Apache 2.4.8 or newer you will need to use the below configuration settings in your virtual host file:

  # SSL Directives for Apache Versions >= 2.4.8
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

Note that SSLCertificateChainFile has been removed and SSLCertificateFile now points to fullchain.pem, which contains both the certificate and the chain.

Go to SSL Labs to make sure your cert is properly configured. You should aim for nothing less than an A+. See our tutorial on Securing SSL Against Common Exploits on how to accomplish this.

Since Let’s Encrypt certs expire every 90 days, the certbot package from the PPA installs a cron job that handles automatic renewals.

Test certificate renewal with a dry-run:

sudo certbot renew --dry-run

View the renewal config file (it lives in the /etc/letsencrypt configuration directory noted in the output above):

sudo nano /etc/letsencrypt/renewal/example.com.conf

Renew manually:

sudo certbot renew

To delete a certificate (removes its files from the live, archive and renewal directories), either pick it from the list:

sudo certbot delete

or name it directly:

sudo certbot delete --cert-name example.com

Once your cert is installed you can configure other parameters in your Apache config file. It’s located at /etc/apache2/conf-enabled/httpd.conf.

You may want to use Mozilla’s SSL Configuration Generator to make sure you have the most secure settings. Important: select the Apache version you are actually running in the generator before using its output, since the directives it emits differ between versions.

Afterwards, head over to Qualys’ SSL tester. Make sure your configuration gives you nothing less than an A+.


References

  1. Let’s Encrypt on Ubuntu 16.04 LTS
  2. How To Secure Apache with Let’s Encrypt on Ubuntu 16.04
  3. Delete Cert (Let’s Encrypt Forum Comment)