Let’s Encrypt is a certificate authority created by the Internet Security Research Group (ISRG). It provides free SSL certificates via a fully automated process designed to eliminate manual certificate creation, validation, installation, and renewal.
Certificates issued by Let’s Encrypt are valid for 90 days from the issue date and trusted by all major browsers today.
This tutorial shows how to install a free Let’s Encrypt SSL certificate on Debian 10, Buster running Apache as a web server. We’ll also show how to configure Apache to use the SSL certificate and enable HTTP/2.
Prerequisites #
Ensure the following prerequisites are met before proceeding with the guide:
- Logged in as root or as a user with sudo privileges.
- The domain for which you want to obtain the certificate must point to your public server IP address. We’ll use example.com.
- Apache installed.
Installing Certbot #
We’ll use the certbot tool to obtain and renew the certificates.
Certbot is a fully-featured and easy to use tool that automates the tasks for obtaining and renewing Let’s Encrypt SSL certificates and configuring web servers to use the certificates.
The certbot package is included in the default Debian repositories. Run the following commands to install certbot:
sudo apt update
sudo apt install certbot
Generating a Strong DH (Diffie-Hellman) Group #
Diffie–Hellman key exchange (DH) is a method of agreeing on a shared secret over an untrusted channel. Apache needs a DH parameter file for the DHE-* cipher suites enabled later in this guide (the ECDHE suites, which are preferred, do not use it).
Run the following command to generate a new 2048-bit DH group:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
If you like, you can increase the size to 4096 bits, but the generation is a CPU-bound prime search and can take well over 30 minutes.
Obtaining a Let’s Encrypt SSL certificate #
To obtain a certificate for the domain we’re going to use the Webroot plugin. It works by creating a temporary file for each requested name under ${webroot-path}/.well-known/acme-challenge/; the Let’s Encrypt validation servers then fetch that file over plain HTTP, which proves that whoever runs certbot controls the web server the domain points to. This is the HTTP-01 challenge, so port 80 must be reachable from the internet.
To keep things simple we’re going to map all HTTP requests for /.well-known/acme-challenge/ to a single directory, /var/lib/letsencrypt, for every virtual host.
Run the following commands to create the directory and give it the www-data group with the setgid bit, so that the challenge files certbot (running as root) writes there inherit that group and Apache can read them:
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid duplicating configuration across virtual hosts, create the following two snippets:
/etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
/etc/apache2/conf-available/ssl-params.conf
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
The snippet above uses the cipher suites recommended by Mozilla (the "intermediate" profile), disables SSLv3, TLS 1.0 and TLS 1.1, turns off session tickets (Apache does not rotate its ticket key without a restart, so tickets would weaken forward secrecy), enables OCSP stapling and HTTP Strict Transport Security (HSTS), and sets a few security-focused HTTP headers.
Note that the HSTS header carries includeSubDomains and preload: once browsers have seen it (or the domain has been submitted to the preload list), every subdomain must be served over HTTPS with a valid certificate, and backing out takes a long time. Drop those two tokens if you are not sure every subdomain is ready.
Ensure that both mod_ssl and mod_headers are loaded (the snippet uses Header directives, which fail at startup if mod_headers is missing):
sudo a2enmod ssl
sudo a2enmod headers
Enable the HTTP/2 module, which will make your sites faster and more robust:
sudo a2enmod http2
Note that mod_http2 only works with a threaded MPM (event or worker). If your Apache runs the prefork MPM, typically because the classic mod_php module is loaded, Apache 2.4.27 and later fall back to HTTP/1.1 and log a warning at startup; apache2ctl -M shows which MPM is active.
Enable the two configuration snippets:
sudo a2enconf letsencrypt
sudo a2enconf ssl-params
Reload the Apache configuration for changes to take effect:
sudo systemctl reload apache2
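Before asking Let’s Encrypt for a certificate it is worth confirming that the alias really serves files from /var/lib/letsencrypt, because each failed validation counts against the Let’s Encrypt rate limits. The script below is an added example, not part of the original tutorial: it drops a token file where certbot’s webroot plugin would put its own, fetches it over plain HTTP the way the HTTP-01 validator does, and removes it again. It assumes the webroot path used above and that curl is installed.

```sh
#!/bin/sh
# acme-preflight.sh: confirm that the /.well-known/acme-challenge/ alias serves
# files from the webroot before asking Let's Encrypt for a certificate.
# Added example, not part of the original tutorial. Assumes the alias set up
# above (webroot /var/lib/letsencrypt) and that curl is installed.
set -eu

WEBROOT="${WEBROOT:-/var/lib/letsencrypt}"

# Drop a uniquely named token file where certbot's webroot plugin would put
# its own challenge files, and print the token name.
make_token() {
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="preflight-$(date +%s)-$$"
    printf 'acme-preflight-ok\n' > "$dir/$token"
    printf '%s' "$token"
}

# Fetch a URL over plain HTTP and print the body. Follows redirects because
# the Let's Encrypt validator does too (e.g. an existing HTTP -> HTTPS redirect).
fetch_url() {
    curl -fsS -L --max-time 10 "$1"
}

# Returns 0 if the token is served at the path the ACME server will request.
# HTTP-01 validation starts on port 80, so the URL is http://, not https://.
check_domain() {
    domain="$1"; token="$2"
    body=$(fetch_url "http://$domain/.well-known/acme-challenge/$token") || return 1
    [ "$body" = "acme-preflight-ok" ]
}

cleanup_token() {
    rm -f "$WEBROOT/.well-known/acme-challenge/$1"
}

# Checks every domain given on the command line and returns non-zero if any
# of them would fail validation.
main() {
    token=$(make_token)
    status=0
    for domain in "$@"; do
        if check_domain "$domain" "$token"; then
            echo "OK   $domain"
        else
            echo "FAIL $domain (challenge path not reachable; fix before running certbot)"
            status=1
        fi
    done
    cleanup_token "$token"
    return "$status"
}

# Usage: sudo ./acme-preflight.sh example.com www.example.com
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root so the token lands in the same directory certbot will write to; if a name fails, the usual causes are DNS not yet pointing at this server, port 80 blocked by a firewall, or a virtual host that overrides the alias.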
Use the certbot tool with the webroot plugin to obtain the certificate files (the e-mail address below is a placeholder; replace it with your own, Let’s Encrypt uses it for expiry warnings):
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
If the SSL certificate is successfully obtained, certbot will print the following message:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-04-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Now that you have the certificate files, edit your domain virtual host configuration as follows:
/etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.example.com'">
Redirect permanent / https://example.com/
</If>
DocumentRoot /var/www/example.com/public_html
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# Other Apache Configuration
</VirtualHost>
With the configuration above, we are forcing HTTPS and redirecting from the www to the non-www version. Because the Alias for /.well-known/acme-challenge/ lives in the server-wide snippet, it is also active in the HTTPS virtual host, and Let’s Encrypt follows the redirect from port 80, so later renewals keep working. Feel free to adjust the configuration to your needs.
Reload the Apache service for changes to take effect:
sudo systemctl reload apache2
Open your website using https://, and you’ll see the padlock icon in the address bar.
If you test your domain with the SSL Labs Server Test, the configuration above should get an A+ grade.
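SSL Labs is the thorough check, but it helps to have a quick local one for the three properties ssl-params.conf is meant to guarantee: old protocol versions rejected, an OCSP response stapled, and a usable HSTS header. The script below is an added example, not part of the original tutorial or of certbot; it assumes openssl and curl are installed and takes the host name (example.com here) as its only argument. The protocol probes and the stapling probe go out over the network; the two parsers are pure functions so they can be exercised on captured output.

```sh
#!/bin/sh
# tls-check.sh: verify a live host against the settings in ssl-params.conf.
# Added example, not part of the original tutorial. Assumes openssl and curl
# are installed and that HOST is the name on the certificate (example.com).
set -eu

# Returns 0 if the server completes a verified handshake with the given
# openssl protocol flag (-tls1, -tls1_1, -tls1_2, -tls1_3). Used both to
# confirm TLS 1.2 works and to confirm the disabled versions are rejected.
handshake_ok() {
    host="$1"; proto="$2"
    openssl s_client -connect "$host:443" -servername "$host" "$proto" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Reads `openssl s_client -status` output on stdin; 0 if a good OCSP
# response was stapled to the handshake (SSLUseStapling On).
stapling_ok() {
    grep -q 'OCSP Response Status: successful'
}

# Reads the Strict-Transport-Security header value on stdin; 0 if max-age is
# at least $1 seconds (default one year) and includeSubDomains is present.
hsts_ok() {
    min_age="${1:-31536000}"
    line=$(tr 'A-Z' 'a-z')
    age=$(printf '%s' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || return 1
    [ "$age" -ge "$min_age" ] || return 1
    case "$line" in
        *includesubdomains*) return 0 ;;
    esac
    return 1
}

# Runs every check against one host and exits non-zero on the first failure.
# Caveat: Debian 10's own openssl.cnf sets MinProtocol = TLSv1.2, so the
# -tls1 / -tls1_1 probes always fail when run from a Debian 10 client even if
# the server would accept them; run those two from another host or rely on
# SSL Labs for the downgrade checks.
main() {
    host="$1"
    for proto in -tls1 -tls1_1; do
        if handshake_ok "$host" "$proto"; then
            echo "FAIL: $host still accepts $proto"; exit 1
        fi
    done
    handshake_ok "$host" -tls1_2 || { echo "FAIL: TLS 1.2 handshake with $host"; exit 1; }
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null | stapling_ok \
        || { echo "FAIL: no OCSP response stapled by $host"; exit 1; }
    curl -sSI --max-time 10 "https://$host/" \
        | grep -i '^strict-transport-security:' | head -n 1 | sed 's/^[^:]*: *//' \
        | hsts_ok || { echo "FAIL: missing or weak HSTS header on $host"; exit 1; }
    echo "OK: $host passes protocol, stapling and HSTS checks"
}

# Usage: ./tls-check.sh example.com
if [ $# -eq 1 ]; then
    main "$1"
fi
```

A missing staple right after a restart is normal: Apache fetches the OCSP response lazily on the first TLS connection, so run the check twice.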
Auto-renewing Let’s Encrypt SSL certificate #
Let’s Encrypt’s certificates are valid for 90 days. The Debian certbot package ships two schedulers that run certbot -q renew, which renews any certificate with fewer than 30 days of validity left: a cron entry in /etc/cron.d/certbot and a systemd timer, certbot.timer. The cron entry deliberately does nothing when systemd is the init system (that is what its ! -d /run/systemd/system test checks), so on a standard Debian 10 installation it is the timer that runs; systemctl list-timers certbot.timer shows the next run.
Once a certificate is renewed we also have to reload Apache so it picks up the new files. On a system where cron really runs certbot, append --deploy-hook "systemctl reload apache2" (--renew-hook is the older, deprecated spelling of the same option) to the /etc/cron.d/certbot file so it looks like the following:
/etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl reload apache2"
On a systemd installation that command line is never reached, so register the hook where both schedulers see it instead: either pass --deploy-hook "systemctl reload apache2" to the certbot certonly command above (certbot records it in the certificate’s renewal configuration under /etc/letsencrypt/renewal/), or drop an executable script into /etc/letsencrypt/renewal-hooks/deploy/, which certbot runs after every successful renewal.
To test the renewal process, use the --dry-run switch, which talks to the Let’s Encrypt staging environment and writes nothing to disk:
sudo certbot renew --dry-run
If there are no errors, the renewal process works. Deploy hooks are not executed during a dry run, so test the Apache reload step separately.
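A reload hook that blindly restarts Apache can take the site down if the configuration has meanwhile been broken, so the hook should run a configtest first and log what it did. The script below is an added example, not part of the original tutorial or of certbot; it is written for /etc/letsencrypt/renewal-hooks/deploy/ and relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to deploy hooks. The name reload-apache.sh is an arbitrary choice.

```sh
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh
# Deploy hook: certbot runs every executable in this directory once after a
# successful renewal, with RENEWED_LINEAGE (the /etc/letsencrypt/live/<name>
# directory) and RENEWED_DOMAINS (space-separated) in the environment.
# Added example, not part of the original tutorial.
set -eu

# Log to syslog when logger is available, otherwise to stderr, so the outcome
# is visible in journalctl -u certbot or in the cron mail.
log() {
    logger -t certbot-deploy "$*" 2>/dev/null || echo "certbot-deploy: $*" >&2
}

# Only reload if the current configuration parses: reloading with a broken
# config leaves Apache serving the old certificate, or not serving at all.
config_ok() {
    apache2ctl configtest >/dev/null 2>&1
}

reload_apache() {
    systemctl reload apache2
}

# Returns 0 if Apache was reloaded, 1 if the reload was skipped because the
# configtest failed (the renewed files stay on disk either way).
deploy_hook() {
    lineage="${RENEWED_LINEAGE:-unknown}"
    domains="${RENEWED_DOMAINS:-unknown}"
    if config_ok; then
        reload_apache
        log "reloaded apache2 after renewing $lineage ($domains)"
        return 0
    fi
    log "NOT reloading apache2: configtest failed after renewing $lineage ($domains)"
    return 1
}

# certbot sets RENEWED_LINEAGE; when run by hand without it, do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Install it with chmod 0755 and test it by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/example.com RENEWED_DOMAINS="example.com www.example.com" sudo ./reload-apache.sh, since certbot renew --dry-run does not run deploy hooks.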
Conclusion #
In this tutorial, we talked about how to use the Let’s Encrypt client certbot on Debian to obtain SSL certificates for your domains. We have also shown you how to configure Apache to use the certificates and how to make sure Apache is reloaded after automatic renewal.
To learn more about the Certbot script, visit the Certbot documentation.
If you have any questions or feedback, feel free to leave a comment.