For me, being SSL secured has always been the benchmark of a bona fide website. That little green padlock next to your website's URL doesn't really mean much for a blog, but I always wanted one. At the start of last year I started thinking about trying to get one.
Ever the skinflint, I wanted to pay nothing for it, but logic overcame this thinking, as all the free ones either had massive catches (you had to manually renew them every thirty days) or were so free that browsers just didn't ratify them as being legit.
I'd decided at this point to drop the princely sum of $15 on a three year Comodo certificate from these guys. There was a possible stitch-up of exorbitant fees come renewal time, but my limited research showed that, like car insurance, you just go somewhere else to pick up a bargain price again.
Roll on one year and I still hadn't got round to doing it, but in my quest to re-find where I'd intended to buy, I came across LetsEncrypt.org: free, auto-renewing and recognised by all the major browsers - cool!
So I'll crack on with how to get it on your machine in no time at all....
So before we start, check the version of the operating system you are running, as the install instructions do vary:
cat /etc/os-release
My Raspberry Pi Model B is running wheezy, so the install instructions from the Certbot website give this (check the rest of the page in the link for instructions for your OS if different):
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
There are two ways for you to prove ownership of the website: the standalone method, where Certbot briefly runs its own web server on your domain, or the webroot method, where it serves files from a folder your existing web server already serves.
I did try the former by running the command
./certbot-auto
But for some reason I got an error back that there was already a server running on port 443 - fairly obvious really, and I would have thought that it could automatically stop the Apache server for a moment to enable it to complete, seeing as it'd have to in the future to renew your certificates. Having read back the instructions while writing this post, perhaps I should have added an --apache switch, but too late now...
As I said, the other method requires use of an available folder to serve up some files. As my website runs some pretty comprehensive Rewrites, the chances of it working were slim, so after a quick google I found this set-up for Apache's generic.conf - it should be handy for me to quickly get certificates for my other hosted sites later if all goes well. Here is the code you'll need to add for a multisite webroot. To add it, fire up the config with:
sudo nano /etc/apache2/conf.d/generic.conf
and add this code:
# Serve ACME HTTP-01 challenge files for every vhost from one shared directory
Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
<Directory "/var/www/html/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    ForceType text/plain
    # Only well-formed 43-character challenge tokens are served; anything else
    # requested from this directory (listings, stray files) gets a 404
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>
To save and exit: ctrl+o, enter, then ctrl+x. Make sure to change the path in the above to wherever your website is served from. You'll then have to reload the Apache config at this point, so go ahead and run:
sudo service apache2 reload
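As an added illustration (not code from the original post), here is a small Python model of what that Alias plus RedirectMatch pair does with a request path, using the paths from the snippet above. The 43 in the regex is the length of an unpadded base64url encoding of 32 random bytes, which is the shape of a Let's Encrypt challenge token; make_token() constructs one of that shape for testing.

```python
import base64
import os
import posixpath
import re

# Paths taken from the generic.conf snippet in this post.
ALIAS_URL = "/.well-known/acme-challenge/"
ALIAS_DIR = "/var/www/html/.well-known/acme-challenge/"

# The RedirectMatch fires when its negative lookahead FAILS, i.e. for every
# request inside the aliased directory whose path is not exactly a
# 43-character token. Modelled here as the positive pattern (ASCII, like PCRE).
TOKEN_PATH = re.compile(r"^/\.well-known/acme-challenge/[\w-]{43}$", re.ASCII)


def make_token():
    """Constructed ACME-style token: 32 random bytes, base64url, padding stripped."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")


def route(request_path):
    """Decide what the snippet does with a request path.

    Returns ('pass', None) when the request lies outside the alias and falls
    through to the normal vhost/Rewrite rules, ('404', None) when the
    RedirectMatch inside <Directory> fires, or ('serve', fs_path) for a
    well-formed token mapped into ALIAS_DIR.
    """
    # Apache collapses '.' and '..' segments before Alias/Directory matching,
    # so a traversal attempt never lands inside the challenge directory.
    path = posixpath.normpath(request_path)
    if request_path.endswith("/") and not path.endswith("/"):
        path += "/"
    if not path.startswith(ALIAS_URL):
        return ("pass", None)
    if not TOKEN_PATH.match(path):
        return ("404", None)
    return ("serve", ALIAS_DIR + path[len(ALIAS_URL):])
```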
Then we can get on with running Certbot and following the instructions:
./certbot-auto certonly
All was reported back as having successfully completed after a short time, so good to go.
This is the bit of the process that took the longest for me - I'll admit most of it was user error! I have been running a server on port 443 with a snakeoil certificate for my admin login portal for a while, and it has to be said that the default Apache host script for it is rather lengthy, so it took a bit of head scratching before I realised that the reason I was still getting 'get me out of here' messages from my browser was that I hadn't removed all of the code from my previous config.
To add it to Apache's default SSL config:
sudo nano /etc/apache2/sites-available/default-ssl
update it with the locations of your certificates:
SSLEngine on
SSLCertificateFile      /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/yourdomain.com/privkey.pem
# Apache 2.2 (wheezy) takes the intermediate certificate(s) here; fullchain.pem
# already includes cert.pem, so chain.pem avoids sending the leaf twice
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
Reload Apache's config:
sudo service apache2 reload
and head over to your site to see if it is working. If it is not working at this point, check your site at this handy website for diagnostics on your certificate's status:
https://www.digicert.com/help/
Add a cron job to auto-renew
crontab -e
then add this:
# Renew letsencrypt certificate
31 3 * * * /home/pi/bin/certbot/certbot-auto renew --quiet --no-self-upgrade --post-hook "sudo service apache2 reload"
Then we are all done. I've still got a couple of months to wait to see if it actually works, but stay posted and I'll let you know.
I was actually so pleased with the results that I went straight ahead and added my other domain philfish.co.uk to the certificate as well. I can report that the multiple webroot worked a charm and the whole process was finished in a couple of minutes just with the --expand switch.