Let’s Encrypt is a Certificate Authority (CA) that issues free SSL certificates. I have used these certificates on web servers, cloud functions, load balancers, and many more.
In this article I will show how to obtain an SSL certificate from Let’s Encrypt for Apache running on Debian 9 on a Google Compute Engine VM instance.
This article assumes that you have already set up HTTPS on your Apache web server and that you have enabled both the HTTP and HTTPS firewall rules.
Step 1 – Update the Debian Software Repository
Edit the APT sources list (this file is root-owned, so use sudo):
    sudo vi /etc/apt/sources.list
Append this line to the bottom of the file:
    deb http://ftp.debian.org/debian stretch-backports main
Update your packages list:
    sudo apt update
Step 2 – Install Let’s Encrypt Certbot Agent
Install Certbot and its Apache plugin from the backports repository:
    sudo apt install python-certbot-apache -t stretch-backports
Step 3 – Verify Apache SSL Configuration
Verify that your SSL configuration file has the correct ServerName and ServerAlias for your web site’s domain:
    ServerName example.com
    ServerAlias www.example.com
Verify your Apache server configuration files:
    sudo apache2ctl configtest
Reload the Apache configuration:
    sudo systemctl reload apache2
Example ssl.conf file:
    LoadModule ssl_module modules/mod_ssl.so
    Listen 443
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        SSLEngine on
        SSLCertificateFile "/certs/server.crt"
        SSLCertificateKeyFile "/certs/server.key"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off
    </VirtualHost>
Note: The above example uses a self-signed certificate for testing SSL before requesting a real certificate.
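A small check for the points Step 3 depends on, written as an added example rather than code from the original article. It is a POSIX sh linter that reads an Apache TLS vhost and reports a missing or mismatched ServerName (the usual reason certbot --apache cannot select a vhost), legacy SSLProtocol versions that are still enabled (it goes beyond the article's SSLv2/SSLv3 exclusions and also flags TLS 1.0 and 1.1), SSLHonorCipherOrder not being On, and a certificate path that still points at the self-signed test certificate instead of the Let's Encrypt live directory. The function names and both sample configs are constructed for this example; the first sample is the article's ssl.conf, the second is the shape a vhost has after certbot has installed a certificate.

```shell
#!/bin/sh
# Added example (not from the original article): lint an Apache TLS vhost
# before running certbot. Function names and sample configs are constructed.

# Read a vhost config on stdin and print one finding per line.
# $1 is the domain the certificate will be requested for.
lint_vhost() {
    domain="$1"
    # Drop leading whitespace and comment lines so directives match by field.
    conf=$(awk '{ sub(/^[ \t]+/, ""); if ($0 !~ /^#/) print }')

    # certbot --apache selects the vhost by ServerName/ServerAlias.
    server_name=$(printf '%s\n' "$conf" | awk '$1 == "ServerName" { print $2; exit }')
    if [ -z "$server_name" ]; then
        echo "ServerName missing: certbot --apache cannot select this vhost"
    elif [ "$server_name" != "$domain" ]; then
        echo "ServerName is '$server_name', expected '$domain'"
    fi

    # SSLProtocol is either a deny list (All -SSLv3 ...) or an allow list
    # (-all +TLSv1.2 ...); compare tokens case-insensitively in both forms.
    proto=$(printf '%s\n' "$conf" | awk '$1 == "SSLProtocol" { $1 = ""; print; exit }' \
            | tr '[:upper:]' '[:lower:]')
    case " $proto " in
        *" -all "*) allow_list=1 ;;
        *)          allow_list=0 ;;
    esac
    for legacy in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        token=$(printf '%s' "$legacy" | tr '[:upper:]' '[:lower:]')
        if [ "$allow_list" -eq 1 ]; then
            case " $proto " in
                *" +$token "*) echo "SSLProtocol re-enables $legacy" ;;
            esac
        else
            case " $proto " in
                *" -$token "*) ;;
                *) echo "SSLProtocol does not disable $legacy" ;;
            esac
        fi
    done

    order=$(printf '%s\n' "$conf" | awk '$1 == "SSLHonorCipherOrder" { print tolower($2); exit }')
    [ "$order" = "on" ] || echo "SSLHonorCipherOrder is not On"

    # Anything outside /etc/letsencrypt/live is still the self-signed test cert.
    cert=$(printf '%s\n' "$conf" | awk '$1 == "SSLCertificateFile" { gsub(/"/, "", $2); print $2; exit }')
    case "$cert" in
        /etc/letsencrypt/live/*) ;;
        *) echo "SSLCertificateFile '$cert' is not a Let's Encrypt live path" ;;
    esac
}

# The article's example ssl.conf (self-signed test certificate in /certs).
ARTICLE_CONF=$(cat <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile "/certs/server.crt"
    SSLCertificateKeyFile "/certs/server.key"
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLSessionTickets Off
</VirtualHost>
EOF
)

# Constructed vhost in the form certbot --apache leaves behind: live paths,
# and only TLS 1.2/1.3 enabled.
HARDENED_CONF=$(cat <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder On
</VirtualHost>
EOF
)

# Stand-alone use on a server:
#   sh lint_vhost.sh example.com < /etc/apache2/sites-enabled/default-ssl.conf
# With no argument, lint the article's sample config instead.
if [ "$#" -ge 1 ]; then
    lint_vhost "$1"
else
    printf '%s\n' "$ARTICLE_CONF" | lint_vhost example.com
fi
```

Run against the article's ssl.conf with the domain example.com, the linter accepts the ServerName and the SSLv2/SSLv3 exclusions but reports TLS 1.0 and 1.1 as still enabled and the /certs/server.crt path as not yet a Let's Encrypt certificate; the hardened sample produces no findings.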
Step 4 – Obtain an SSL Certificate
Run the following command, substituting your real domain names. Usually you will want both the naked domain (example.com) and the subdomain (www.example.com) in your SSL certificate.
    sudo certbot --apache -d example.com -d www.example.com
Provided that your DNS records are set up correctly, pointing to this server for both example.com and www.example.com, Certbot will issue, download, and install an SSL certificate.
Step 5 – Set Up Auto Renewal of Certificate
Let’s Encrypt SSL certificates are valid for 90 days. The Certbot package supports automatically renewing certificates for us, and the above Certbot command automatically set up cron for us.
Run this command to verify auto renewal:
    sudo certbot renew --dry-run
This is the cron script that is automatically set up for SSL certificate renewal. Renewal only happens once the certificate is within 30 days of expiry. Note the "\! -d /run/systemd/system" guard: on a host running systemd the cron job does nothing, and the package’s certbot.timer unit runs the renewal instead.
    # /etc/cron.d/certbot: crontab entries for the certbot package
    #
    # Upstream recommends attempting renewal twice a day
    #
    # Eventually, this will be an opportunity to validate certificates
    # haven't been revoked, etc.  Renewal will only occur if expiration
    # is within 30 days.
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
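The renewal window above gives a simple health signal: Certbot renews once a certificate is within 30 days of expiry, so a certificate with noticeably fewer days left means the scheduled renewal has been failing silently. The following POSIX sh script is an added example, not code from the original article or from the Certbot project. It parses the output of "certbot certificates" (a constructed sample in that output's layout is embedded), prints one status line per certificate, exits non-zero when any certificate is expired or below a threshold, and reports which scheduler (cron or certbot.timer) is responsible on the host. The function names, the 20-day threshold, and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): monitor Let's Encrypt
# renewals on a Certbot host. Function names and sample output are constructed.

# Read "certbot certificates" output on stdin, print one status line per
# certificate, and exit 1 if any certificate is expired or has $1 days or
# fewer left (default 20, i.e. well inside Certbot's 30-day renewal window).
check_renewals() {
    awk -v thr="${1:-20}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # The expiry line ends in "(VALID: N days)" or "(INVALID: EXPIRED)".
            if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days > thr) {
                    msg = "ok, " days " days left"
                } else {
                    msg = "RENEWAL OVERDUE, " days " days left"; failed = 1
                }
            } else if ($0 ~ /INVALID/) {
                msg = "EXPIRED"; failed = 1
            } else {
                msg = "unparsed expiry line"; failed = 1
            }
            printf "%s: %s\n", name, msg
        }
        END { exit (failed ? 1 : 0) }'
}

# Report which mechanism runs "certbot renew" on this host. The cron entry in
# /etc/cron.d/certbot does nothing when /run/systemd/system exists, so on a
# systemd host certbot.timer is the unit that must be active.
renewal_scheduler() {
    if [ -d /run/systemd/system ]; then
        if systemctl is-active --quiet certbot.timer 2>/dev/null; then
            echo "systemd: certbot.timer is active"
        else
            echo "systemd: certbot.timer is NOT active"
            return 1
        fi
    elif [ -f /etc/cron.d/certbot ]; then
        echo "cron: /etc/cron.d/certbot present"
    else
        echo "no renewal scheduler found"
        return 1
    fi
}

# Constructed sample in the layout of "certbot certificates" output.
SAMPLE_CERTBOT_OUTPUT=$(cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2019-04-30 12:00:00+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: stale.example.com
    Domains: stale.example.com
    Expiry Date: 2019-03-10 12:00:00+00:00 (VALID: 9 days)
    Certificate Path: /etc/letsencrypt/live/stale.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/stale.example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2018-12-01 12:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
EOF
)

# Stand-alone use on the server (the exit status suits a monitoring job):
#   sudo certbot certificates | sh check_renewals.sh --live 20
# Without --live, the constructed sample is checked instead.
if [ "${1:-}" = "--live" ]; then
    renewal_scheduler
    check_renewals "${2:-20}"
else
    printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | check_renewals 20 \
        || echo "at least one certificate needs attention"
fi
```

On the constructed sample, example.com is reported as ok with 61 days left, stale.example.com as overdue for renewal with 9 days left, and old.example.com as expired, and the script exits 1. The threshold is deliberately below 30 so that a certificate the timer has simply not reached yet is not reported as a failure.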
Conclusion
Let’s Encrypt and their easy-to-use tool Certbot make issuing and installing SSL certificates very easy, and Certbot sets the system up to renew the certificate automatically. The best feature of all is that these certificates are free and supported by all major browsers and third-party software.
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) and virtualization, and 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.