Install a free Let’s Encrypt SSL certificate on Debian

To protect communication between clients and your website (server) you need to secure the HTTP connection by encrypting the data transmitted over the network. The standard way is the cryptographic protocol TLS (the successor of SSL), i.e. serving the site over HTTPS.

A Let’s Encrypt certificate is free, unlike those sold by commercial CAs such as Comodo, IdenTrust or Symantec, and Let’s Encrypt is the most popular and most widely trusted of the free certificate authorities.

This article is a continuation of the previous one about configuring a Linux server; please read it first if you haven’t yet.

We’ll now configure HTTPS on our host s1.dock.co.nz. The easiest way to install a certificate automatically is to use a client that supports the ACME protocol. ACME (Automatic Certificate Management Environment) lets the client prove to the CA (Certificate Authority, in our case Let’s Encrypt) that we control the domain, request a new certificate, and configure the web server for HTTPS right away.

In our example we use Certbot by the EFF.
On the official Certbot website you’ll find setup instructions for each web server and operating system. We’ll deploy for the Apache web server on Debian 9 (stretch).

Following those instructions, install Certbot together with its Apache plugin:

sudo apt install python-certbot-apache

Certbot can obtain and install the certificate automatically with the command

sudo certbot --apache

But let’s only obtain it and install it manually, by running the command

sudo certbot --apache certonly

You’ll be asked for an email address. It belongs to your ACME account, not to the certificate: Let’s Encrypt uses it for expiry warnings and security notices, so give a mailbox that someone actually reads.
Type the address and press Enter:

user@s1:~$ sudo certbot --apache certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):info@dock.co.nz

Next, read and accept the Let’s Encrypt Terms of Service by typing the letter “A”.

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Now Certbot reads the Apache configuration files for the available hosts and asks which names to issue certificates for:

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: s1.dock.co.nz
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

We have only one domain, so I press Enter to issue for all. If you have several domains, type the numbers of the ones you need.

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for s1.dock.co.nz
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/s1.dock.co.nz/fullchain.pem. Your cert will
   expire on 2018-02-16. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to info@dock.co.nz.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

That’s all, the certificate is issued for our domain s1.dock.co.nz. Do read the Important Notes in the output: the ACME account key, the certificates and the private keys all live under /etc/letsencrypt, so back that directory up and keep it readable by root only.
Note also that the tls-sni-01 challenge and the acme-v01 endpoint seen in this output have since been retired by Let’s Encrypt. A current Certbot validates with the http-01 challenge (which needs port 80 reachable from the internet) against the ACME v2 endpoint, so the output you see will differ slightly.
All files for the domain are located at /etc/letsencrypt/live/s1.dock.co.nz. The files there are symlinks to the current versions in /etc/letsencrypt/archive, so always reference the live/ paths in Apache; Certbot repoints them at every renewal.

root@s1:# cd /etc/letsencrypt/live/s1.dock.co.nz/
root@s1:/etc/letsencrypt/live/s1.dock.co.nz# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Issued certificates are valid for 90 days, so renewal must be automated. The Debian certbot package installs a cron job and a systemd timer that run the renewal check twice a day (check with systemctl list-timers); if you installed Certbot some other way, add a cron or systemd job yourself that runs:

certbot renew

Certbot only renews certificates that expire within 30 days; certbot renew --dry-run tests the whole procedure against the Let’s Encrypt staging environment without touching your real certificates, and is worth running once after setup. Apache must be reloaded after a renewal before the new certificate is served (recent Certbot versions provide --deploy-hook for that).
You can find the full Certbot documentation on the official website.
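As an added example (not code from the original article, and not Certbot’s own code), here is the renewal decision described above reproduced offline: it takes the notAfter line that openssl x509 -enddate -noout prints for a certificate and a date, and reports whether fewer than 30 days remain, which is exactly the window certbot renew acts on. The expiry date and the “current” date in the sample run are constructed from the article’s own output (“Your cert will expire on 2018-02-16”); the date arithmetic is plain POSIX sh so the script does not depend on GNU date.

```shell
#!/bin/sh
# Added example (not from the original article or from Certbot):
# reproduce certbot's renewal decision offline. "certbot renew" only acts
# when a certificate expires within 30 days; this script computes the days
# left from the notAfter line that "openssl x509 -enddate -noout" prints,
# in plain POSIX sh arithmetic so it does not depend on GNU date.

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (Gregorian),
# using the era / day-of-era formulation.
days_from_civil() {
    _y=$1 _m=$2 _d=$3
    if [ "$_m" -le 2 ]; then _y=$((_y - 1)); fi
    _era=$((_y / 400))
    _yoe=$((_y - _era * 400))
    if [ "$_m" -gt 2 ]; then _mp=$((_m - 3)); else _mp=$((_m + 9)); fi
    _doy=$(( (153 * _mp + 2) / 5 + _d - 1 ))
    _doe=$(( _yoe * 365 + _yoe / 4 - _yoe / 100 + _doy ))
    echo $(( _era * 146097 + _doe - 719468 ))
}

# month_number Mon -> 1..12 (openssl prints abbreviated English month names)
month_number() {
    case "$1" in
        Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
        May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
        Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# days_until NOTAFTER_LINE TODAY
#   NOTAFTER_LINE: "notAfter=Feb 16 10:00:00 2018 GMT" (openssl's format)
#   TODAY:         "YYYY-MM-DD"
days_until() {
    _today=$2
    set -- ${1#notAfter=}                 # -> Mon DD HH:MM:SS YYYY GMT
    _mon=$(month_number "$1") || return 1
    _end=$(days_from_civil "$4" "$_mon" "$2")
    _ty=${_today%%-*}
    _rest=${_today#*-}
    _tm=${_rest%%-*}; _tm=${_tm#0}        # strip a leading zero: "08" is
    _td=${_rest#*-};  _td=${_td#0}        # not a valid shell integer literal
    _start=$(days_from_civil "$_ty" "$_tm" "$_td")
    echo $(( _end - _start ))
}

# needs_renewal NOTAFTER_LINE TODAY -> exit status 0 when fewer than 30 days remain
needs_renewal() {
    _left=$(days_until "$1" "$2") || return 2
    [ "$_left" -lt 30 ]
}

# With a certificate path as the first argument, read the real expiry date;
# without one, run on a constructed sample matching the article's
# "Your cert will expire on 2018-02-16" as seen from 2018-01-20.
if [ $# -ge 1 ]; then
    line=$(openssl x509 -enddate -noout -in "$1")
    today=$(date +%Y-%m-%d)
else
    line="notAfter=Feb 16 10:00:00 2018 GMT"   # constructed sample
    today="2018-01-20"                         # constructed "current" date
fi
left=$(days_until "$line" "$today")
if needs_renewal "$line" "$today"; then
    echo "$left days left (< 30): certbot renew would renew this certificate"
else
    echo "$left days left: certbot renew would leave it alone"
fi
```

Run it as sh check-expiry.sh /etc/letsencrypt/live/s1.dock.co.nz/cert.pem on the server, or feed it the certificate the public actually sees: openssl s_client -connect s1.dock.co.nz:443 -servername s1.dock.co.nz </dev/null 2>/dev/null | openssl x509 -noout -enddate prints the same notAfter line, and a difference between the two is the classic sign that Certbot renewed the file but Apache was never reloaded. When a certificate file is at hand, openssl x509 -checkend 2592000 -noout -in cert.pem performs the same 30-day test in one call.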

Now create a VirtualHost for HTTPS.

In the previous article about configuring the web server we created the configuration file for s1.dock.co.nz in the sites-available directory:

root@s1:# cat /etc/apache2/sites-available/s1-dock.conf 
<VirtualHost *:80>
    ServerName s1.dock.co.nz
    DocumentRoot "/home/user/dock"

    <Directory /home/user/dock/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/s1-dock-error.log
    CustomLog ${APACHE_LOG_DIR}/s1-dock-access.log combined
</VirtualHost>

We change this configuration to the following:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName s1.dock.co.nz
    ServerAdmin info@dock.co.nz
    DocumentRoot /home/user/dock

    LogLevel debug
    ErrorLog /home/user/dock/s1_dock_error.log
    CustomLog /home/user/dock/s1_dock_access.log combined

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/letsencrypt/live/s1.dock.co.nz/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/s1.dock.co.nz/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/s1.dock.co.nz/chain.pem

    <Directory /home/user/dock>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>

The IfModule directive ensures that the section is processed only if the named module (mod_ssl in our case) is loaded.
The VirtualHost now listens on port 443 instead of 80.
SSLEngine is switched on, with the paths to the Let’s Encrypt files created by Certbot.

A few points in this configuration deserve attention before it goes into production. SSLProtocol all -SSLv2 only disables a protocol that Apache 2.4 no longer supports anyway, so SSLv3 and TLS 1.0/1.1 stay enabled; disable those as well and allow only TLS 1.2 and newer. SSLCertificateChainFile is deprecated since Apache 2.4.8 (Debian 9 ships 2.4.25), so point SSLCertificateFile at fullchain.pem, which is cert.pem and chain.pem concatenated. ErrorLog and CustomLog are written inside DocumentRoot here, which means the log files are served to anyone who requests https://s1.dock.co.nz/s1_dock_error.log, and with Options Indexes they even appear in the directory listing; keep logs under ${APACHE_LOG_DIR} as in the original port 80 configuration, and LogLevel debug is far too verbose for a production host. Finally, since the port 80 VirtualHost has been replaced, plain http:// requests to the host no longer get an answer; keep a minimal *:80 VirtualHost that redirects to HTTPS.
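As an added example (not the article’s own configuration), here is the same s1.dock.co.nz VirtualHost with those points corrected: a port 80 redirect, TLS 1.2 and newer only, fullchain.pem instead of the deprecated chain directive, logs outside the web root, and an HSTS header. Hostname, paths and admin address are taken from the article; the Header line assumes mod_headers is enabled (a2enmod headers), and Options Indexes is dropped on the assumption that directory listings are not wanted, which was the previous article’s choice rather than a requirement of HTTPS.

```apache
# Added example, not the article's own configuration: the s1.dock.co.nz
# vhost with the weak settings corrected. Apache does not allow comments
# after a directive on the same line, so every comment is on its own line.

# Plain-HTTP vhost kept only to send clients to HTTPS.
<VirtualHost *:80>
    ServerName s1.dock.co.nz
    Redirect permanent / https://s1.dock.co.nz/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName s1.dock.co.nz
    ServerAdmin info@dock.co.nz
    DocumentRoot /home/user/dock

    # Logs live in the system log directory, not under DocumentRoot where
    # they would be served to anyone requesting /s1_dock_error.log.
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/s1-dock-error.log
    CustomLog ${APACHE_LOG_DIR}/s1-dock-access.log combined

    SSLEngine on
    # "all -SSLv2" still allows SSLv3 and TLS 1.0/1.1; keep only TLS 1.2+.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # fullchain.pem = cert.pem + chain.pem. SSLCertificateChainFile is
    # deprecated since Apache 2.4.8, so the whole chain goes in
    # SSLCertificateFile. The live/ paths are symlinks that Certbot
    # repoints on renewal; reload Apache afterwards.
    SSLCertificateFile /etc/letsencrypt/live/s1.dock.co.nz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/s1.dock.co.nz/privkey.pem

    # HSTS: browsers that have seen this header refuse plain HTTP for the
    # host for max-age seconds. Requires mod_headers (a2enmod headers).
    # Start with a short max-age while testing; a year is hard to undo.
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /home/user/dock>
        # No directory listings, no .htaccess overrides unless needed.
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>
```

Run apachectl configtest after saving the file; it reports a missing mod_headers or mod_ssl before a restart would take the site down.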

Certbot already enabled mod_ssl while performing the challenge (see “Enabled Apache ssl module” in the output above). If it is not enabled on your system, run:

sudo a2enmod ssl

Then restart the web server to activate the new configuration (run apachectl configtest first if you want to catch syntax errors without downtime):

sudo systemctl restart apache2

You can check which modules are loaded with the command apachectl -M:

root@s1:/etc/apache2/mods-available# apachectl -M
Loaded Modules:
...
 core_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)
 ssl_module (shared)
 status_module (shared)
...

Open the address in a browser with https:// and check that it works:

https://s1.dock.co.nz/

Screenshot: working free SSL certificate

That’s it.
Thanks for reading, if you have any questions or need help, don’t hesitate to ask.
