SSL

Installing a free SSL certificate from Letsencrypt.org in the Apache 2 web server on Ubuntu 14.04

Submitted by Peter Majmesku on Mon, 08/29/2016 - 20:57

SSL certificates are free nowadays. Letsencrypt.org provides a service which issues free SSL certificates that work in the common web browsers. The following commands must be executed on the same machine on which your web server is running, because letsencrypt.org must be able to reach it. Download certbot and make it executable:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Now temporarily stop your Apache server so that certbot can download the certificates.

sudo service apache2 stop

Now run the certbot program to download the certificates:

./certbot-auto certonly

This program leads you through a short form in your terminal, asking you for the domain you want to secure.

Mind the SSL certificate renewal

The SSL certificate is valid for 3 months. You will be notified about this in the terminal output from certbot. It looks like this if you executed the "./certbot-auto certonly" command on 23.07.2016:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/my-domain.com/fullchain.pem. Your cert will
   expire on 2016-10-21. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

There's an automatic way to handle the renewal. You can add this line to your crontab to renew the certificates automatically. Apache is started again after a ";" rather than "&&", so a failed renewal does not leave the web server stopped:

30 4 1 * * sudo service apache2 stop && ./certbot-auto renew --standalone; sudo service apache2 start
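
The renewal step from the crontab line above, written as a wrapper script that always restarts Apache and then checks how long the certificate is still valid. This is an added example, not part of the original post; the script name, the certbot-auto location, the CERTBOT/SERVICE/OPENSSL/CERT/MIN_DAYS variables, the 14-day threshold and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example: renewal wrapper for cron. All paths below are assumptions.
CERTBOT="${CERTBOT:-/root/certbot-auto}"   # assumed install location
SERVICE="${SERVICE:-service}"
OPENSSL="${OPENSSL:-openssl}"
CERT="${CERT:-/etc/letsencrypt/live/example.com/cert.pem}"
MIN_DAYS="${MIN_DAYS:-14}"                 # assumed warning threshold

# Stop Apache, renew, and always start Apache again.
# Returns 0 on success, 1 if Apache could not be stopped,
# 2 if the renewal failed, 3 if Apache did not start again.
renew_certs() {
    "$SERVICE" apache2 stop || return 1
    renew_rc=0
    "$CERTBOT" renew --standalone || renew_rc=2
    # Reached whatever the renewal result was, so a failed renewal
    # never leaves the site offline.
    "$SERVICE" apache2 start || return 3
    return "$renew_rc"
}

# Returns 0 if the certificate is still valid MIN_DAYS from now.
cert_is_fresh() {
    "$OPENSSL" x509 -checkend "$((MIN_DAYS * 86400))" -noout -in "$CERT" >/dev/null
}

# Full job: non-zero when the renewal failed (1-3) or the certificate
# is still close to expiry afterwards (4).
renew_job() {
    renew_certs
    job_rc=$?
    if ! cert_is_fresh; then
        echo "certificate $CERT expires within $MIN_DAYS days" >&2
        [ "$job_rc" -ne 0 ] || job_rc=4
    fi
    return "$job_rc"
}

# Run only when invoked as "renew.sh run", e.g. from root's crontab.
if [ "${1:-}" = "run" ]; then
    renew_job
    exit $?
fi
```

Saved as, for example, /root/renew.sh (an assumed path), it would replace the command part of the crontab line with "/root/renew.sh run" in root's crontab.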

Enable the SSL certificate on your web server

Enable SSL in your Apache setup:

sudo a2enmod ssl

Now that you have the certificates, you can integrate them in your Apache 2 VHost configuration at /etc/apache2/sites-available/. Change "example.com" to your domain name.

SSLEngine on
SSLCertificateFile    /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# chain.pem holds only the intermediate certificates; fullchain.pem would repeat cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Switch the virtual host port from 80 to 443. To do this, change the following in your VHost configuration file:

<VirtualHost *:80>

to

<VirtualHost *:443>

Small tweak for SEO

Search engines expect that a web page can be reached under only one address on your website. To redirect all requests from http to https and ensure that only your-domain.com is requested, and not both your-domain.com and www.your-domain.com, you can set up the redirect within your VHost file. Add this to the top of the configuration file for your virtual host:

# Redirect all requests to SSL and ensure www. subdomain is re-directed, too.
<VirtualHost *:80>
ServerName your-domain.com
Redirect / https://your-domain.com/
</VirtualHost>

<VirtualHost *:80>
ServerName www.your-domain.com
Redirect / https://your-domain.com/
</VirtualHost>

<VirtualHost *:443>
...

Now restart Apache and enjoy your SSL setup:

sudo service apache2 restart

A complete Apache2 Vhost config file example:

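# The trailing slash on the target matters: without it, /foo is redirected to https://example.comfoo
<VirtualHost *:80>
ServerName example.com
Redirect / https://example.com/
</VirtualHost>

<VirtualHost *:80>
ServerName www.example.com
Redirect / https://example.com/
</VirtualHost>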


<VirtualHost *:443>
ServerName example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/example.com/web

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# chain.pem holds only the intermediate certificates; fullchain.pem would repeat cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

<Directory /var/www/example.com/web>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>