
LetsEncrypt SSL Ubuntu 18.04 LTS

I pieced the following together from various sites to get Let's Encrypt to work on Ubuntu 18.04 LTS.

 

1) Generate Diffie-Hellman parameters for the DHE key exchange (the ssl-params.conf snippet in step 3 points Apache at this file)

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Be warned: this takes a long time, several minutes on a small VM, because it has to find a safe prime. Run it once; nothing later on this page needs it regenerated.

 

2) Prepare the directory for the webroot plugin. The plugin proves control of the domain by writing a temporary file under ${webroot-path}/.well-known/acme-challenge/; the Let's Encrypt server then fetches that file over plain HTTP on port 80, so the name must resolve to this server and the :80 vhost must be reachable from the internet. Step 6 runs certbot itself (more on certbot there); this step only sets up the directory.

To keep it simple we map all requests for /.well-known/acme-challenge/ from every vhost to a single directory, /var/lib/letsencrypt:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

The setgid bit makes the files certbot writes there inherit the www-data group, so Apache can read them.

 

3) Create two Apache configuration snippets for Let's Encrypt and enable them. Note that a2enconf only symlinks an existing file from conf-available into conf-enabled; it does not create the file, so write the two files shown below first.

  • make sure mod_ssl and mod_headers are enabled (ssl-params.conf uses directives from both)

sudo a2enmod ssl
sudo a2enmod headers

  • create /etc/apache2/conf-available/letsencrypt.conf and /etc/apache2/conf-available/ssl-params.conf with the contents shown below, then enable them

sudo a2enconf letsencrypt
sudo a2enconf ssl-params

The two files look like this (Indexes in the Options line is not needed: the challenge files are fetched by exact name, so directory listing can be dropped):

 
 
/etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
 
/etc/apache2/conf-available/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

 
 
4) Enable the HTTP/2 module. It is a performance feature (multiplexing, header compression), not a security one, and it only works with the event MPM: on Ubuntu 18.04's Apache 2.4.29 the default prefork MPM, which libapache2-mod-php pulls in, makes Apache log "AH10034: The mpm module (prefork.c) is not supported by mod_http2" at startup and keep serving HTTP/1.1 only. Switch to mpm_event with php-fpm if you actually want h2.

sudo a2enmod http2
 
 
5) Reload Apache so the new modules and snippets are picked up (a2enmod suggests a full restart after enabling modules; either works). Running apachectl configtest first catches a typo before it takes every site down.
sudo systemctl reload apache2
 
 
 
 
6) Certbot is the ACME client that obtains and renews Let's Encrypt certificates and can optionally configure the web server for you. On Ubuntu 18.04 it is in the universe repository (sudo apt install certbot); it is not installed by default. With the webroot plugin and the directory from step 2:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

Type the option prefixes as two ASCII hyphens; a pasted en dash (–) is rejected as an unrecognized argument. If the certificate is issued you will see this:
 
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-10-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

 
 
7) Now that the certificate files exist, a site configuration has to use them. Either create a conf file for your domain or edit the default one; I chose the default conf file. Site files live in /etc/apache2/sites-available; again, I used default-ssl.conf, but you can make a new one for your specific domain. Put the following inside the <VirtualHost *:443> block, replacing every example.com with your real domain. Two things worth knowing: the certificate was issued for both example.com and www.example.com, so add a ServerAlias www.example.com line if the www name should land on the same vhost; and keep a plain :80 vhost, because the ACME challenge is fetched over HTTP and every renewal needs it (redirect everything else on :80 to HTTPS, which the HSTS preload header below assumes). SSLCertificateChainFile is deprecated since Apache 2.4.8; pointing SSLCertificateFile at fullchain.pem and dropping the chain line is equivalent.
 
<VirtualHost *:443>
    ServerName example.com

    Protocols h2 http/1.1

    DocumentRoot /var/www/example.com/
    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>

 
 
  • If you use default-ssl.conf, comment out the two "snakeoil" lines it ships with, otherwise Apache still references the self-signed certificate:
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 
 
8) Once the conf file is ready it has to be enabled. Run the following with the name of the conf file you created; in my case default-ssl.conf:
sudo a2ensite default-ssl.conf
This creates a symlink in /etc/apache2/sites-enabled/, which is what makes the site live.
 
9) Reload Apache to bring it all together (again, apachectl configtest first is cheap insurance)
sudo systemctl reload apache2
 
 
At this point you should be able to open your browser and go to your site over https://. You should see the lock icon with no warnings.
You can also test the deployment with the SSL Labs scanner at https://www.ssllabs.com/ssltest/ . With the protocol, cipher and HSTS settings above it should get an A+ rating. Check that the report shows the certificate chain as complete: a missing intermediate (serving cert.pem without chain.pem or fullchain.pem) is the most common reason for a lower grade, and browsers that already have the intermediate cached will hide it from you.
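Steps 1 through 9 wrapped into one re-runnable script, as an added example that is not code from the original post. The render_* functions only print configuration, so they can be inspected or diffed against a host without root; everything that touches the system is in main and runs only when the script is invoked with "run". Assumptions that are not in the original: the DOMAIN and EMAIL variables, a docroot at /var/www/$DOMAIN, a site file named after the domain instead of default-ssl.conf, Options None and a ServerAlias for the www name, and fullchain.pem in SSLCertificateFile instead of the cert.pem + chain.pem pair. The pre-flight check serves a random token the way the ACME server will fetch it, which pinpoints a wrong Alias or DNS record before certbot's less specific failure message does.

```shell
#!/bin/bash
# Added example (not from the original post): steps 1-9 as re-runnable
# functions. render_* only print config; main is the only part that needs root.
# Assumed (not in the original): DOMAIN/EMAIL, /var/www/$DOMAIN, a per-domain
# site file, Options None, ServerAlias www, fullchain.pem in SSLCertificateFile.
set -eu

DOMAIN="${DOMAIN:-example.com}"       # assumed; override with DOMAIN=site.tld
EMAIL="${EMAIL:-admin@example.com}"   # assumed ACME account contact
WEBROOT=/var/lib/letsencrypt          # challenge directory from step 2
DHPARAM=/etc/ssl/certs/dhparam.pem    # DH parameters from step 1

# Step 3a: map the ACME challenge path of every vhost to WEBROOT.
# Options None instead of the post's Indexes: tokens are fetched by exact name.
render_letsencrypt_conf() {
  cat <<EOF
Alias /.well-known/acme-challenge/ "$WEBROOT/.well-known/acme-challenge/"
<Directory "$WEBROOT/">
    AllowOverride None
    Options None
    Require method GET POST OPTIONS
</Directory>
EOF
}

# Step 3b: the TLS hardening snippet, same directives as the post.
render_ssl_params() {
  cat <<EOF
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder On
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "$DHPARAM"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
EOF
}

# Step 7: the HTTPS vhost. fullchain.pem = leaf + intermediate, so the
# deprecated SSLCertificateChainFile directive is not needed.
render_vhost() {
  domain="$1"
  cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    ServerAlias www.$domain
    Protocols h2 http/1.1
    DocumentRoot /var/www/$domain/
    ErrorLog \${APACHE_LOG_DIR}/$domain-error.log
    CustomLog \${APACHE_LOG_DIR}/$domain-access.log combined
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
</VirtualHost>
EOF
}

# Pre-flight for step 6: serve a random token over plain HTTP exactly as the
# ACME server will request it. Fails if the Alias snippet or DNS is wrong.
challenge_preflight() {
  domain="$1"
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  install -d -m 2755 -g www-data "$WEBROOT/.well-known/acme-challenge"
  printf '%s' "$token" > "$WEBROOT/.well-known/acme-challenge/$token"
  got=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token") || got=""
  rm -f "$WEBROOT/.well-known/acme-challenge/$token"
  [ "$got" = "$token" ]
}

# Post-check for step 9: what the server really presents for this SNI name.
verify_tls() {
  domain="$1"
  echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

main() {
  [ -f "$DHPARAM" ] || openssl dhparam -out "$DHPARAM" 2048             # step 1 (slow)
  a2enmod -q ssl headers http2                                           # steps 3, 4
  render_letsencrypt_conf > /etc/apache2/conf-available/letsencrypt.conf
  render_ssl_params > /etc/apache2/conf-available/ssl-params.conf
  a2enconf -q letsencrypt ssl-params
  apachectl configtest && systemctl reload apache2                       # step 5
  challenge_preflight "$DOMAIN"
  certbot certonly --agree-tos --email "$EMAIL" --webroot -w "$WEBROOT" \
    -d "$DOMAIN" -d "www.$DOMAIN"                                        # step 6
  render_vhost "$DOMAIN" > "/etc/apache2/sites-available/$DOMAIN.conf"  # step 7
  a2ensite -q "$DOMAIN.conf"                                             # step 8
  apachectl configtest && systemctl reload apache2                       # step 9
  verify_tls "$DOMAIN"
}

# Only touch the system when asked: sudo DOMAIN=example.com ./le-setup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Running it without the "run" argument is a no-op, so `bash -c 'source ./le-setup.sh; render_vhost example.com'` is a safe way to preview the vhost. If challenge_preflight fails, fix the :80 vhost before touching certbot: repeated failed authorizations count against Let's Encrypt's rate limits, a successful dry run does not.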
 
 

Auto-renewing your Let's Encrypt SSL Cert

Let's Encrypt certificates are valid for 90 days. The certbot package installs a renewal job that runs twice a day and renews any certificate with less than 30 days left. Two things about how that job really runs on Ubuntu 18.04:

  • The package ships both a cron file and a systemd timer. The cron line below guards itself with test ... \! -d /run/systemd/system, so on a systemd host (18.04 is one) it never runs; the renewals actually come from certbot.timer, which starts certbot.service (certbot -q renew). Editing /etc/cron.d/certbot therefore changes nothing here; confirm the timer with systemctl list-timers certbot.timer.
  • After a renewal Apache still has the old certificate in memory and must be reloaded. Rather than appending --renew-hook "systemctl reload apache2" to the cron line (--renew-hook is the old name of --deploy-hook), put an executable script in /etc/letsencrypt/renewal-hooks/deploy/. certbot runs everything in that directory only when a certificate was actually renewed, however renew was started.

For reference, the cron line with the hook appended looks like this; it is harmless but inert on this system:

/etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"

To exercise the renewal path (challenge, issuance against the staging CA, no rate-limit cost) use the --dry-run switch. Note that a dry run deliberately does not execute deploy hooks, so run the hook script by hand once to check it.
sudo certbot renew --dry-run
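The deploy hook described above, plus an expiry check for monitoring, as an added example that is not from the original post. Assumed and not in the original: the script is installed as /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh and is called by certbot with no arguments; here it takes "hook" or "check" so the same file can be run by hand, which matters because --dry-run skips deploy hooks. certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE to deploy hooks; they are used only for logging. The check uses openssl's -checkend, so it works for any PEM certificate, not only a Let's Encrypt one.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook + expiry
# check. Assumed path: /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh
# (certbot runs executables there only after a real renewal).
set -eu

# Deploy hook: never reload into a broken config. A failed reload at renewal
# time takes the site down just as the old certificate is about to expire.
reload_apache_if_valid() {
  if apachectl configtest >/dev/null 2>&1; then
    systemctl reload apache2
    logger -t certbot-deploy "reloaded apache2 for ${RENEWED_DOMAINS:-unknown}"
  else
    logger -t certbot-deploy "configtest failed, not reloading for ${RENEWED_DOMAINS:-unknown}"
    return 1
  fi
}

# Exit 0 if the PEM certificate in $1 is still valid $2 days from now.
# -checkend takes seconds and exits 1 once the cert would be expired by then.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Whole days until the certificate in $1 expires (negative once expired).
# certbot renews at 30 days left, so anything under ~25 means renewal is
# failing and the timer, the :80 vhost or this hook needs a look.
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_epoch=$(date -d "$end" +%s)    # GNU date, as on Ubuntu
  echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

case "${1:-}" in
  hook)  reload_apache_if_valid ;;                                          # certbot path
  check) cert_days_left "${2:-/etc/letsencrypt/live/example.com/fullchain.pem}" ;;
esac
```

Wire it in with `sudo install -m 755 reload-apache.sh /etc/letsencrypt/renewal-hooks/deploy/` and test it manually once with `sudo /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh hook`; a `check` run from cron or a monitoring agent gives you the days-left number to alert on independently of whether certbot reports success.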
 
