SSL with Certbot Let's Encrypt

Posted under » Ubuntu » Apache on 28 Jul 2021

To obtain an SSL certificate with Let’s Encrypt, we first need to install the Certbot software on the server.

We need two packages: certbot, and python3-certbot-apache. The latter is a plugin that integrates Certbot with Apache, making it possible to automate obtaining a certificate and configuring HTTPS within your web server with a single command.

$ sudo apt install certbot python3-certbot-apache

The Apache plugin will take care of reconfiguring Apache and reloading the configuration whenever necessary. To use this plugin, type the following:

$ sudo certbot --apache

Certbot asks a few straightforward questions. The last one is this:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Choose 2 (Redirect). Once done, you will see this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/anoneh.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/anoneh.com/privkey.pem
  Your cert will expire on 2021-10-27. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:  https://eff.org/donate-le

I don't even have to restart Apache and I can now access via HTTPS.

Let’s Encrypt’s certificates are only valid for ninety days, but that's OK because it is free.

The certbot package we installed takes care of renewals by including a renew script in /etc/cron.d, which is managed by a systemd timer called certbot.timer. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

To check the status of this service and make sure it’s active and running, you can use:

To test the renewal process, you can do a dry run with certbot:

$ sudo certbot renew --dry-run

When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
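
The script below is an added example, not part of the original post or of Certbot. It checks that certbot.timer is active and compares the certificate's expiry date against the thirty-day renewal window described above, so that a renewal that fails silently is noticed before the certificate expires. It assumes GNU date and openssl as found on Ubuntu; WARN_DAYS and the file name check-cert.sh are illustrative choices.

```sh
#!/bin/sh
# Added example (not from the original post): renewal health check for a
# Certbot-managed certificate. Assumes GNU date and openssl, as on Ubuntu.
RENEW_DAYS=30   # Certbot renews inside this window (from the text above)
WARN_DAYS=20    # assumed alert threshold: renewal has been failing for a while

# days_left NOT_AFTER [NOW] -> whole days from NOW (default: now) to NOT_AFTER,
# rounded down, so a certificate that expired an hour ago yields -1.
days_left() {
    dl_end=$(date -u -d "$1" +%s) || return 2
    dl_now=$(date -u -d "${2:-now}" +%s) || return 2
    dl_diff=$(( $dl_end - $dl_now ))
    if [ "$dl_diff" -lt 0 ]; then dl_diff=$(( $dl_diff - 86399 )); fi
    echo $(( $dl_diff / 86400 ))
}

# renewal_state DAYS -> ok | due | overdue | expired
renewal_state() {
    if   [ "$1" -lt 0 ];             then echo expired
    elif [ "$1" -lt "$WARN_DAYS" ];  then echo overdue   # automation is broken
    elif [ "$1" -lt "$RENEW_DAYS" ]; then echo due       # next timer run should renew
    else                                  echo ok
    fi
}

# check_cert DOMAIN -> prints a status line; non-zero exit means "investigate".
# Uses the path layout shown in Certbot's output above; run as root.
check_cert() {
    cc_pem="/etc/letsencrypt/live/$1/fullchain.pem"
    cc_rc=0
    if ! systemctl is-active --quiet certbot.timer; then
        echo "WARN: certbot.timer is not active"; cc_rc=1
    fi
    # openssl prints e.g. "notAfter=Oct 27 12:00:00 2021 GMT"
    cc_end=$(openssl x509 -enddate -noout -in "$cc_pem") || return 2
    cc_days=$(days_left "${cc_end#notAfter=}") || return 2
    cc_state=$(renewal_state "$cc_days")
    echo "$1: $cc_days days left, state=$cc_state"
    case "$cc_state" in ok|due) return "$cc_rc" ;; *) return 1 ;; esac
}

# Runs only when a domain is passed, e.g.: sudo sh check-cert.sh example.com
if [ $# -gt 0 ]; then check_cert "$1"; fi
```

A non-zero exit status makes the script easy to wire into whatever monitoring or cron mail you already use.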
