Implementing SSL Using Let’s Encrypt

I recently decided to implement SSL certificates for all of my published websites. Rather than pay the high costs that commercial cert providers charge, I opted for using Let’s Encrypt. This turned out to be a lot easier than I expected, though I did run into a few gotchas.

First, go the EFF’s Certbot website and use the interactive selector to find the appropriate instructions for the OS/server combo for your system. In my case, I’m running Apache on Ubuntu 16.04. Here’s how I installed the app on my server:

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Second step is to run the app. The simplest way to do this (for my configuration) is with the following code:

$ sudo certbot --apache

Although this will work fine, I host a number of different projects on the same server. Best practice in this scenario is to certify each hosted domain individually. It’s also best practice to include any aliases and sub-domains as well. Here’s an example for one of my projects:

$ sudo certbot --apache -d skiddlebop.com -d www.skiddlebop.com -d blog.skiddlebop.com

Note that it’s important to start the list of domains with simple version of the name first as show above.

This is where my first ‘gotcha’ happened. Silly me, I never thought to set my router to direct https requests to Port 443. Once I fixed this, certbot ran just perfectly, although it now threw a different error.

My second ‘gotcha’ was that I had never enabled the mod_ssl module in Apache. In short, Apache was not listening for anything on Port 443. This turned out to be a super-easy fix as well:

sudo a2enmod ssl

Followed by:

sudo service apache2 restart

Then followed by:

apache2ctl -M

… to confirm the module was enabled.

When the instruction runs successfully, the app will ask for some details. Among these, you’ll be asked to choose between allowing both http and https requests or forcing all requests to https. I went with the second, more secure option.

Third, I confirmed that all was working properly using Qualys.com’s SSL testing tool at https://www.ssllabs.com/ssltest/index.html.

Fourth, and finally, I set up a cron job to update the certs when they expire. (Let’s Encrypt certs only last for 90 days, so this is important.)

At the command line, I entered the following instruction to first confirm that cert updating actually works properly for my install. Here’s the code:

$ sudo certbot renew --dry-run

With confirmation in hand, the next thing is to set up a cron job to run this on a daily basis. This involved adding something like the following instruction to /etc/crontab:

15 3 * * * /usr/bin/certbot renew --quiet

Choose whatever run schedule you want. I went for 3:15 every afternoon. Note this will only renew certs that are about to expire. This helps to avoid into any over-quota situations.

Wrap-up

This tutorial at Digital Ocean was quite useful in understanding the above process. I also found the Certbot documentation, the community forum at Let’s Encrypt, and the documentation at Let’s Encrypt to be very useful.

 

Leave a Reply

Your email address will not be published. Required fields are marked *