let's encrypt with apache

Setup Let’s Encrypt certificate with Apache

Today you will learn how to put your website on the https protocol, using the Let’s Encrypt solution.

Concerning Let’s Encrypt

From their website:

“Let’s Encrypt is a free, automated and open Certificate Authority (CA) operated for the benefit of the public. It is a service provided by ISRG.
We give people the digital certificates they need to enable HTTPS (SSL/TLS) for websites, free of charge, in the most intuitive way possible. We do this because we want to create a more secure and privacy-friendly web.”

The influence of Let’s Encrypt continues to grow, here is the proof with this graph:

Situation

So you will see how to deploy Let’s Encrypt on your Apache server, but with an additional tool.
You are going to use the Certbot software; it offers various plugins and wizards, including one for Apache, which can install certificates, modify the Apache configuration and so on, all automatically.

Well, we’re not going to let it do everything: to prevent it from restarting the web server without our permission, we’ll just use it to generate the certificate.
By doing the rest manually, at least we’ll know where to look in case of a problem.

For this tutorial I have a classic Apache 2.4 configuration on Debian 8
(I’ll soon try the same configuration on a Deb10 and I’ll tell you if it works!)

Prerequisites

Start by checking whether the SSL and rewrite modules are active; run this:

apachectl -M

rewrite_module and ssl_module must be present in the output.
If not, enable them and restart Apache as follows:

root@mymachine:~# a2enmod ssl 
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
  
root@mymachine:~# a2enmod rewrite 
Enabling module rewrite.
To activate the new configuration, you need to run:
  service apache2 restart
  
root@mymachine:~# service apache2 restart 
[ ok ] Restarting web server: apache2 ... waiting .

What are we gonna do?

There will be 6 big steps:

  • Installing Certbot
  • Create Let’s Encrypt certificate
  • Change the Apache configuration and fill in the certificates in it
  • Check the configuration as well as the quality of the SSL settings.
  • Know how to renew your certificate

Installing Certbot

To start, download Certbot and make it executable (don’t do this just anywhere in your filesystem; choose carefully where you’re going to store it, because the renewal cron job will need its full path):

wget https://dl.eff.org/certbot-auto

chmod a+x certbot-auto

Run it once with no arguments so that it downloads its dependencies and installs itself.

./certbot-auto

When it has finished installing everything it needs, it will ask whether you want to cancel the installation; press “c” to cancel it. You’ll resume later.

The main files are installed. Everything is in /etc/letsencrypt.

Creating Let’s Encrypt certificate

Run the following command, taking care to replace the values with the correct information:

./certbot-auto certonly --webroot --webroot-path /srv/www/domain.tld/ --domain domain.tld --domain www.domain.tld --email mon@email.com

The information to replace:

--webroot-path: the path of your Apache “DocumentRoot”. You can look in your VirtualHost configuration file (by default /etc/apache2/sites-available/000-default.conf), it will be indicated there. Certbot writes the HTTP-01 challenge files below this directory, so Apache must be able to serve it over plain HTTP.
--domain: the domain name to certify; if you have two domains (for example with and without www), pass the option twice.
--email: e-mail address that will be used to notify the administrator when the certificate needs renewing
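Since the DocumentRoot and the domains are already declared in the VirtualHost, the certonly command can be derived from that file rather than retyped. The following POSIX sh helper is an added example and not part of the original post or of Certbot: it reads DocumentRoot, ServerName and ServerAlias from a vhost file, builds the same certbot-auto certonly --webroot command used above, and checks that the webroot can hold the .well-known/acme-challenge/ directory Certbot writes its tokens into. The CERTBOT and ADMIN_EMAIL variables, the function names and the sample vhost are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the
# "certbot-auto certonly --webroot" command from an Apache vhost file and
# verify that the webroot can serve HTTP-01 challenge files.
# Assumptions (hypothetical): the vhost file holds one DocumentRoot and
# one or more ServerName/ServerAlias lines; CERTBOT points at the
# certbot-auto binary; ADMIN_EMAIL is the notification address.

CERTBOT="${CERTBOT:-./certbot-auto}"
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@domain.tld}"

# Print the first DocumentRoot value of the vhost file (quotes stripped,
# trailing slash kept exactly as written).
vhost_webroot() {
    awk 'tolower($1) == "documentroot" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Print every ServerName / ServerAlias value, one per line, in file order.
# ServerAlias may carry several names on one line; each one is printed.
vhost_domains() {
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) { gsub(/"/, "", $i); print $i } }' "$1"
}

# Print the certonly command as one line. Prints nothing and returns 1
# when the vhost lacks a DocumentRoot or has no domain at all.
certbot_cmd_from_vhost() {
    vhost="$1"
    webroot=$(vhost_webroot "$vhost")
    [ -n "$webroot" ] || return 1
    domains=$(vhost_domains "$vhost")
    [ -n "$domains" ] || return 1
    cmd="$CERTBOT certonly --webroot --webroot-path $webroot"
    for d in $domains; do
        cmd="$cmd --domain $d"
    done
    printf '%s --email %s\n' "$cmd" "$ADMIN_EMAIL"
}

# Certbot places a token under <webroot>/.well-known/acme-challenge/ and
# Let's Encrypt fetches it over plain HTTP. Make sure that directory can be
# created and written before running the real command.
check_challenge_dir() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" 2>/dev/null || return 1
    probe="$dir/.write-test.$$"
    : > "$probe" 2>/dev/null || return 1
    rm -f "$probe"
}

# Stand-alone demonstration on a constructed vhost (not a real site).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www"
    cat > "$tmp/domain.tld.conf" <<EOF
<VirtualHost *:80>
    ServerName domain.tld
    ServerAlias www.domain.tld
    DocumentRoot $tmp/www
</VirtualHost>
EOF
    certbot_cmd_from_vhost "$tmp/domain.tld.conf"
    check_challenge_dir "$tmp/www" && echo "challenge directory is writable"
    rm -rf "$tmp"
}

demo
```

The printed command is meant to be reviewed and then pasted, not executed blindly: the point is that the webroot and the domain list come from the same file Apache uses, so the certificate covers exactly the names the vhost answers for.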

You now have your certificates

If you are looking for your certificates, they can be found in the folder /etc/letsencrypt/live/yourdomain/
Normally you should have four files:

  • privkey.pem: the private key of your certificate. Must remain CONFIDENTIAL!
  • cert.pem: the certificate itself
  • chain.pem: the intermediate certificate(s) that link your certificate to the Let’s Encrypt root
  • And the README to give you some info 🙂

Integrate Let’s Encrypt certificate to Apache

Now that you have the certificate, all you have to do is integrate it into the Apache Virtualhost and serve https content.
First of all you have to edit the vhost in order to declare all the necessary settings.

Modifying VirtualHosts

The VirtualHost before the edit:

<VirtualHost *:80>

    ServerName domain.tld
    ServerAlias www.domain.tld
    DocumentRoot /path/to/files

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/domain.tld-error.log
    CustomLog ${APACHE_LOG_DIR}/domain.tld-access.log combined

</VirtualHost>

Now you add another VirtualHost on port 443 (which is https) and add some security settings. Then you redirect from port 80 to port 443 (in case someone has an http link). That’s what it looks like:

<VirtualHost *:80>

    ServerName domain.tld
    ServerAlias www.domain.tld

    # Send every plain-http request to the https site.
    # R=301 makes the redirect permanent (browsers cache it), L stops
    # further rewriting of the request.
    RewriteEngine on
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

</VirtualHost>

<VirtualHost *:443>

    ServerName domain.tld
    ServerAlias www.domain.tld

    DocumentRoot /path/to/files/

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCompression off
    SSLOptions +StrictRequire
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/www.domain.tld-error.log
    CustomLog ${APACHE_LOG_DIR}/www.domain.tld-access.log combined

</VirtualHost>

Don’t forget to change the paths on the following lines so that they point to the certificate files you just created:

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCertificateChainFile

As well as all the other lines that contain “domain.tld”.

Verifying VirtualHost configuration:

Well, now we’re going to test your config and see if you didn’t do anything stupid 😉
Run this command:

apachectl configtest

If all goes well, you should get “Syntax OK” in return; if not, check what you’ve done previously.
If everything is OK here, you can restart the service (make sure all the lights are green at this point, because if the config is bad, your server could be down after the restart).

service apache2 restart

Verifying security

Well, if you’ve got here, your site is working again and in https; bravo, you managed well!
Come on, let’s see if your site holds up with your new certificate. For that you’ll use the SSLLABS.com site, which checks your certificate and your TLS settings: https://www.ssllabs.com/ssltest/

With this tutorial, you should get an A grade (you could get “A+” but that would require some extra security which is not necessarily useful):


After that, it’s up to you, if you really want your A+, you might have to make more compromises behind it, it’s up to you!

Renew certificate

Well, if you’ve got this far, you must be very happy! Finally I have my https!
You should know that Let’s Encrypt certificates are valid for 3 months. So it is necessary to renew them; for that you can re-use Certbot, which has a command for renewal:

./certbot-auto renew

You can then automate it by putting the full path of Certbot and the renew command in the machine’s cron. Note that a renewed certificate is only picked up by Apache after a reload, so the cron job should also reload the service, ideally after the same configtest you ran by hand above.
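The author’s rule for the whole tutorial is to never let Certbot restart Apache on its own; the configtest-then-restart sequence from the verification step and the cron renewal above can be combined into a deploy hook that keeps that rule. The script below is an added example, not part of the original post or of Certbot. What is real: certbot’s renew command accepts --deploy-hook and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory) and RENEWED_DOMAINS to the hook. What is assumed: the APACHECTL, RELOAD_CMD and LOG overrides, the function names, and the install path in the cron comment, all of which are hypothetical and exist so the logic can be exercised on a machine without Apache.

```shell
#!/bin/sh
# Added example (not from the original post): deploy hook for
# "certbot-auto renew". It refuses to touch Apache unless the renewed
# lineage has all three files the 443 vhost references and
# "apachectl configtest" passes; then it reloads gracefully rather than
# restarting. Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it
# runs a --deploy-hook after a successful renewal.
#
# Suggested cron entry (paths are hypothetical; use the full path where
# you stored certbot-auto):
#   17 3,15 * * * /opt/certbot/certbot-auto renew --quiet \
#       --deploy-hook /usr/local/sbin/letsencrypt-deploy-hook.sh
#
# Hypothetical overrides so the script can be tested without Apache:
APACHECTL="${APACHECTL:-apachectl}"
RELOAD_CMD="${RELOAD_CMD:-service apache2 reload}"
LOG="${LOG:-/var/log/letsencrypt-deploy.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# The vhost points at cert.pem, privkey.pem and chain.pem; all three must
# exist and be non-empty in the renewed lineage directory.
lineage_complete() {
    for f in cert.pem privkey.pem chain.pem; do
        [ -s "$1/$f" ] || return 1
    done
    return 0
}

# Returns 0 only when Apache was reloaded with a valid configuration.
# Non-zero codes are deliberate: Certbot records a failed hook in its log,
# and Apache is left running with the previous (still valid) certificate.
deploy_hook() {
    lineage="${1:-$RENEWED_LINEAGE}"
    names="${RENEWED_DOMAINS:-$lineage}"
    if ! lineage_complete "$lineage"; then
        log "lineage $lineage is incomplete; Apache not reloaded"
        return 1
    fi
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        log "apachectl configtest failed after renewing $names; Apache left untouched"
        return 2
    fi
    if $RELOAD_CMD >/dev/null 2>&1; then
        log "reloaded Apache with renewed certificate for $names"
        return 0
    fi
    log "reload command failed for $names"
    return 3
}

# Entry point when Certbot invokes the script; nothing runs when the
# variable is absent, so the file can be sourced for testing.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_hook "$RENEWED_LINEAGE"
fi
```

A graceful reload (service apache2 reload) is enough to load the new key and certificate and does not drop in-flight connections, which is why the hook prefers it over the restart used during the first setup. Everything the hook decides is written to a log so that a renewal that did not reach Apache is visible the next morning rather than on the day the old certificate expires.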

END

Well, I hope everything went well for you, if you have any questions or problems, don’t hesitate to talk about it in the comments (Yes, I read them from time to time) I’ll try to help you as much as I can.
Kiss 🙂
