Easy Peasy SSL

Do you have a blog or small site running on Apache on Linux? Then you really should consider securing it with Let’s Encrypt. It is a free, easy-to-use, “set it and forget it” way to give your site that oh-so-lovely and secure HTTPS prefix. Once set up, your site is secured with HTTPS and its certificate renews automatically!

Please note – although Let’s Encrypt can be used in lots of commercial applications, you still might want to consider a more commercially oriented SSL certificate provider. I personally use Digicert for our main certs on our production servers.

1. Install Certbot to your home directory: Skip this step if already installed

Hint: ~ is the equivalent of your home directory i.e. /home/ec2-user/

cd ~ 
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2. What domain are you securing? – include www or another subdomain

3. What’s its document root directory on your server? E.g. /var/www/html/mywebsite.com/ – Don’t forget the trailing /

4. Now let’s get some certificates (-w is the document root from step 3, -d is the domain from step 2):

sudo ~/certbot-auto certonly --debug --webroot -w ??? -d ???

…this should have created the 3 files used below in /etc/letsencrypt/live/???/: cert.pem, privkey.pem & chain.pem (take a look)

5. Now add this to your vhosts.conf file (sudo vim /etc/httpd/conf.d/vhosts.conf):

<VirtualHost *:443> 
    SSLEngine on 
    SSLCertificateFile /etc/letsencrypt/live/???/cert.pem 
    SSLCertificateKeyFile /etc/letsencrypt/live/???/privkey.pem 
    SSLCertificateChainFile /etc/letsencrypt/live/???/chain.pem 
    ServerName ???
    DocumentRoot ???
    ErrorLog /var/www/private/error_logs/https.???.log
    #ServerAdmin info@???
    <Directory "???"> 
        AllowOverride All 
    </Directory> 
</VirtualHost>

6. Reload Apache: sudo service httpd reload

7. Test your SSL setup using this URL: https://www.ssllabs.com/ssltest/analyze.html?d=???

8. Test the auto renewal process: ~/certbot-auto renew --dry-run

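9. If all is good, let’s run a cron job to do the auto check twice a day. This edits root’s crontab, where ~ expands to /root rather than your own home directory, so use the full path to certbot-auto (assuming here that your home directory is /home/ec2-user/, as in the hint in step 1):

sudo crontab -e
45 4,16 * * * /home/ec2-user/certbot-auto renew --quiet # Twice a day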
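
Because the cron job runs with --quiet, a renewal that keeps failing produces no output, so it helps to check the files Apache actually loads. The following is an added example, not part of the original post or of Certbot: the function name check_le_cert and the 21-day default threshold are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# check_le_cert LIVE_DIR [MIN_DAYS]
# LIVE_DIR is the directory from step 4, e.g. /etc/letsencrypt/live/<your domain>
# Return codes: 0 = OK, 1 = expires within MIN_DAYS,
#               2 = file missing or unreadable, 3 = cert and key do not match
check_le_cert() {
    live_dir=$1
    min_days=${2:-21}            # assumed default threshold, tune to taste
    cert="$live_dir/cert.pem"
    key="$live_dir/privkey.pem"

    case $min_days in
        ''|*[!0-9]*) echo "BAD_ARG min_days=$min_days"; return 2 ;;
    esac

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "MISSING $f"; return 2; }
    done

    # Extract the public key from both files. If they differ, Apache is
    # pointed at a certificate that was not issued for this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "UNREADABLE $cert"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "UNREADABLE $key"; return 2; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH $cert does not belong to $key"
        return 3
    fi

    # -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING $cert ($(openssl x509 -in "$cert" -noout -enddate))"
        return 1
    fi

    echo "OK $cert ($(openssl x509 -in "$cert" -noout -enddate))"
    return 0
}

# Run directly when called with arguments: sudo sh check_le_cert.sh LIVE_DIR [MIN_DAYS]
if [ "$#" -ge 1 ]; then
    check_le_cert "$@"
fi
```

Run it as root, since the live directory is only readable by root, and treat any non-zero exit code as a reason to re-run step 8 by hand.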