Installing and Configuring Let’s Encrypt SSL

On the test I will install Let’s Encrypt which allows you to install free SSL certificates for 90 days and automatically re-issue them.

Let’s say that Apache2 is installed on Ubuntu Server and there is one site for which we configured one configuration file /etc/apache2/sites-available/test.conf and turned it on:

sudo a2ensite test
sudo service apache2 restart

See the configuration example in my article – Installing and Configuring the Apache2 Web Server
The site works by HTTP on 80, now we start installation of Let’s Encrypt:

sudo apt-get update
sudo apt-get install git
sudo git clone /opt/letsencrypt

Let’s move to the directory with Let’s Encrypt and ask for a certificate for the site:

cd /opt/letsencrypt
sudo ./letsencrypt-auto --apache -d

You can also request for a www subdomain:

sudo ./letsencrypt-auto --apache -d -d

To obtain a certificate, the site must be accessible by a domain name from the Internet through port 80.
For resources within the network, with gray IP, you can not get a certificate.

After receiving the certificate, another configuration file /etc/apache2/sites-available/test-le-ssl.conf was created and activated with the following contents:

<IfModule mod_ssl.c>
<VirtualHost *:443>
     DocumentRoot /var/www/ixnfo/
     <Directory /var/www/ixnfo>
     Options -Indexes
     AllowOverride All
     Order allow,deny
     allow from all
     ErrorLog /var/log/ixnfo.error.log
     CustomLog /var/log/ixnfo.access.log combined
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf

Since during the receipt of the certificate I agreed to forward HTTP requests to HTTPS, at the end of my configuration file /etc/apache2/sites-available/test.conf the following was added:

RewriteEngine on
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

After the certificate expires, you can update it with the command:

sudo /opt/letsencrypt/letsencrypt-auto renew

You can also add a command to Cron for automatic updates, see my article – Using and configuring CRON

Example of adding to Cron (every Monday at 3:15):

sudo crontab -e
15 3 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renew.log

If the certificate expires and the update command is executed, nothing happens:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/ expires on 2018-08-01 (skipped)
No renewals were attempted.

See also:
Installing Certbot in Ubuntu

Leave a comment

Leave a Reply