

Free LetsEncrypt secure SSL server certificate install tutorial for Raspberry Pi

For me, being SSL secured has always been the benchmark of having a bona fide website. That little green padlock next to your website's URL doesn't really mean much for a blog, but I always wanted one. At the start of last year I started thinking about trying to get one.

Ever the skinflint, I wanted to pay nothing for it, but logic overcame this thinking, as all the free ones either had massive catches (you had to manually renew them every thirty days) or were so free that browsers just didn't recognise them as legitimate.

I'd decided at this point to drop the princely sum of $15 on a three-year Comodo certificate from these guys. There was a possible stitch-up of exorbitant fees come renewal time, but my limited research suggested that, like car insurance, you just go somewhere else to pick up a bargain price again.

Roll on one year and I still hadn't got round to doing it, but in my quest to re-find where I'd intended to buy from I came across LetsEncrypt.org: free, auto-renewing and recognised by all the major browsers. Cool!

So I'll crack on with how to get it on your machine in no time at all...

Instructions

Before we start, check the version of the operating system you are running, as the install instructions do vary:

cat /etc/os-release

Certbot

My Raspberry Pi Model B is running wheezy, so the install instructions from the Certbot website give this (check the rest of the page in the link for instructions for your OS if different):

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Two things worth knowing before you run it: the script will execute as root, so it is worth fetching the detached signature EFF publishes alongside it (certbot-auto.asc) and checking it with gpg first; and EFF has since deprecated certbot-auto altogether, so on a current Raspberry Pi OS install the distribution's certbot package instead. Every certbot-auto command below then works the same with certbot in its place.

Authentication

There are two ways for you to prove control of the website to Let's Encrypt:

  • let Certbot authenticate it by temporarily launching its own standalone web server, which needs port 80 or 443 free (stopping and restarting your real server around it is what the --pre-hook and --post-hook options are for), or
  • point Certbot at a directory under your existing web server (the webroot method) where it can place a challenge file temporarily.

I did try the former by running the command

./certbot-auto

But I got an error back that there was already a server running on port 443. Fairly obvious really, and I would have thought it could automatically stop the Apache server for a moment to let it complete, seeing as it'd have to in future to renew your certificates. Having read back the instructions while writing this post, perhaps I should have added the --apache switch, but too late now...

Webroot

As I said, the other method needs a folder that Apache will serve files from. My website runs some pretty comprehensive Rewrites, so the chances of a challenge file being served from the site's own document root were slim; a quick google turned up this set-up for Apache's generic.conf, which maps the challenge path of every virtual host on the box to one directory. That should be handy for quickly getting certificates for my other hosted sites later, if all goes well. Here is the code you'll need to add for a multisite webroot. To add it, fire up the config with (on Apache 2.4, jessie onwards, the file lives in /etc/apache2/conf-available/ and you enable it with a2enconf instead):

sudo nano /etc/apache2/conf.d/generic.conf

and add this code:

Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
<Directory "/var/www/html/.well-known/acme-challenge/">
     Options None
     AllowOverride None
     ForceType text/plain
     RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

To save and exit: ctrl+o, enter, then ctrl+x. Change /var/www/html above to wherever you want the challenge files to live; the directory must exist and be readable by Apache, but it does not have to be inside any site's document root, because the Alias applies to every virtual host. The RedirectMatch line is belt and braces: anything requested under that path that isn't exactly a 43-character challenge token (the shape of Certbot's tokens) gets a 404, so the directory can't be browsed. Then reload the Apache config:

sudo service apache2 reload

Then we can get on with running Certbot and following the prompts (when it asks how to authenticate, choose webroot and give it the directory from the Alias above):

./certbot-auto certonly

All was reported back as having completed successfully after a short time, so good to go.
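Before handing over to Certbot it is worth proving that a file dropped in the challenge directory is actually reachable from outside, because Let's Encrypt's validation server fetches http://yourdomain/.well-known/acme-challenge/<token> over port 80, and a stray RewriteRule, a missing directory or a closed port shows up as a failed challenge rather than a clear error. The script below is an added example and is not part of the original post or of Certbot. It assumes the webroot path from the Alias above (/var/www/html, overridable through a hypothetical ACME_WEBROOT variable), takes the domain to test from a hypothetical ACME_DOMAIN variable, and needs curl and openssl on the box; run it as root so it can write into the webroot.

```shell
#!/bin/sh
# Webroot pre-flight check for the Let's Encrypt HTTP-01 challenge.
# Added example, not from the original post or from Certbot. ACME_DOMAIN and
# ACME_WEBROOT are hypothetical variable names chosen for this script.

# Make a token shaped like a real ACME challenge token: 32 random bytes,
# base64url-encoded without padding, which is always 43 chars of [A-Za-z0-9_-].
# That is exactly what the RedirectMatch in generic.conf lets through.
make_token() {
    openssl rand -base64 32 | tr '+/' '-_' | tr -d '=\n'
}

# Where on disk the challenge file for a token has to live ($1 = webroot).
challenge_file() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# The URL the validation server will request for that token ($1 = domain).
# Plain HTTP on port 80: the validator does not need your site to have TLS yet.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a throwaway token file, fetch it back through Apache, compare, clean up.
# Exit 0 means Certbot's webroot authenticator should succeed for this domain.
preflight() {
    domain=$1
    webroot=$2
    token=$(make_token)
    file=$(challenge_file "$webroot" "$token")
    url=$(challenge_url "$domain" "$token")
    mkdir -p "$(dirname "$file")"
    # Real challenge files contain "token.thumbprint"; the token alone is enough
    # to prove the Alias, the directory permissions and the 404 rule are right.
    printf '%s\n' "$token" > "$file"
    got=$(curl -fsS --max-time 10 "$url")
    rc=$?
    rm -f "$file"
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: $url not reachable (curl exit $rc): DNS, port 80 or firewall" >&2
        return 1
    fi
    if [ "$got" != "$token" ]; then
        echo "FAIL: $url served something other than the token: Alias or RewriteRule" >&2
        return 1
    fi
    echo "OK: $webroot is served for $domain; safe to run certbot-auto certonly"
}

if [ -n "${ACME_DOMAIN:-}" ]; then
    preflight "$ACME_DOMAIN" "${ACME_WEBROOT:-/var/www/html}"
fi
```

Run it as root, for example `sudo env ACME_DOMAIN=yourdomain.com sh acme-preflight.sh`, once per domain you intend to put on the certificate. A curl failure points at DNS, port 80 or a firewall; a content mismatch points at the Alias or a competing Rewrite in that site's virtual host.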

Certificate install

This is the bit of the process that took the longest for me; I'll admit most of it was user error! I have been running a server on port 443 with a snakeoil certificate for my admin login portal for a while, and it has to be said that the default Apache host config for it is rather lengthy, so it took a bit of head-scratching before I realised that the reason I was still getting 'get me out of here' messages from my browser was that I hadn't removed all of the code from my previous config.

To add it to Apache's default SSL virtual host, open:

sudo nano /etc/apache2/sites-available/default-ssl

and update the certificate directives with the locations Certbot reported, removing the old snakeoil SSLCertificateFile and SSLCertificateKeyFile lines entirely (everything under /etc/letsencrypt/live/yourdomain.com/ is a symlink to the latest issued certificate, so these paths stay valid across renewals):

SSLEngine on
SSLCertificateFile    /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem

cert.pem is your certificate, privkey.pem its private key and chain.pem the Let's Encrypt intermediate that browsers need to link your certificate to a trusted root. Don't point SSLCertificateChainFile at fullchain.pem: that file also contains cert.pem, so Apache would send your certificate twice. On Apache 2.4.8 or newer you can instead set SSLCertificateFile to fullchain.pem and drop the SSLCertificateChainFile line, which is what Certbot's own Apache plugin does.

Reload Apache's config:

sudo service apache2 reload

And head over to your site to see if it is working. If it is not working at this point, check your site with this handy website, which reports what your server is actually sending (certificate, chain and expiry) rather than what you think you configured:

https://www.digicert.com/help/

Renewal

Add a cron job to auto-renew. Let's Encrypt certificates only last ninety days, and Certbot's renew command only replaces ones that are within thirty days of expiry, so it is safe to run it every day. Certbot-auto needs root, so either put the job in root's crontab (sudo crontab -e) or make sure the pi user can sudo without a password; the path must also match wherever you put certbot-auto.

crontab -e

then add this

# Renew letsencrypt certificate
31 3 * * * /home/pi/bin/certbot/certbot-auto renew --quiet --no-self-upgrade --post-hook "sudo service apache2 reload"

Then we are all done. I've still got a couple of months to wait to see if it actually works, but stay posted and I'll let you know.
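Two checks, as an added example that is not part of the original post or of Certbot, to go with the diagnostics site above and the cron job: confirm that the certificate Apache is actually serving on port 443 is the one Certbot wrote (the leftover-config mistake described above), and catch a renewal that has silently stopped working before the browser does. Certbot renews anything with fewer than thirty days left, so a live certificate with fewer than twenty days left means the cron job has been failing for over a week. It assumes Certbot's standard /etc/letsencrypt/live/<domain>/ layout, openssl on the box, and certbot-auto at the path used in the crontab above (a hypothetical CERTBOT variable, defaulting to that path, overrides it).

```shell
#!/bin/sh
# Post-install and renewal checks for a Let's Encrypt certificate on Apache.
# Added example, not from the original post or from Certbot. CERTBOT is a
# hypothetical variable that should point at wherever certbot-auto was put.
LIVE=/etc/letsencrypt/live
CERTBOT=${CERTBOT:-/home/pi/bin/certbot/certbot-auto}

# Exit 0 when the certificate file $2 expires within $1 days.
# openssl's -checkend exits 0 only if the cert is still valid that many seconds
# from now, so negating it gives "will have expired by then" without any date
# parsing, which keeps this portable between GNU and BSD date.
expires_within() {
    ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# SHA-256 fingerprint of the leaf certificate Certbot stored on disk for $1.
disk_fingerprint() {
    openssl x509 -in "$LIVE/$1/cert.pem" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of whatever the server at $1:443 hands out for that name.
# -servername sends SNI so a multi-site Apache picks the right virtual host;
# stdin is /dev/null so s_client exits straight after the handshake.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# The "still getting browser warnings" check: is Apache serving the certificate
# Certbot issued, or a leftover from the old SSL vhost config?
served_matches_disk() {
    disk=$(disk_fingerprint "$1")
    served=$(served_fingerprint "$1")
    [ -n "$served" ] && [ "$served" = "$disk" ]
}

# The "did the cron job actually work" check. Certbot only renews certificates
# with fewer than 30 days left, so one with under 20 days left means renewal
# has been failing for more than a week. Exit 0 = renewal has stalled.
renewal_stalled() {
    expires_within 20 "$LIVE/$1/cert.pem"
}

# Rehearse the whole renewal against Let's Encrypt's staging environment
# without replacing the real certificate, so a broken Alias or a typo in the
# cron line shows up now rather than in sixty days.
renewal_dry_run() {
    "$CERTBOT" renew --dry-run --no-self-upgrade --post-hook "service apache2 reload"
}

# Usage: sh le-check.sh yourdomain.com
if [ -n "${1:-}" ] && [ -d "$LIVE/$1" ]; then
    if served_matches_disk "$1"; then
        echo "OK: $1 is serving the certificate in $LIVE/$1"
    else
        echo "FAIL: $1 is serving a different certificate; check default-ssl" >&2
    fi
    if renewal_stalled "$1"; then
        echo "FAIL: under 20 days left on $LIVE/$1/cert.pem; run renewal_dry_run" >&2
    else
        echo "OK: renewal is keeping up"
    fi
fi
```

The stalled check is the one worth its own cron entry (or a line in whatever monitoring you already have), because a failing renew --quiet is otherwise silent until the certificate expires; renewal_dry_run is for a one-off run as root straight after setting up the crontab.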

Additional domains

I was actually so pleased with the results that I went straight ahead and added my other domain, philfish.co.uk, to the certificate as well. I can report that the multiple webroot worked a charm and the whole process was finished in a couple of minutes, just with the --expand switch (which tells Certbot to replace the existing certificate with one covering the old names plus the new one) and this bit of code.
