Lets encrypt

From wiki.techunit.org

Introduction

This tutorial will show you how to set up a TLS/SSL certificate from Let’s Encrypt. We will also cover how to automate the certificate renewal process using a cron job.
SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.

Prerequisites

  • A running Web server
  • FQDN must be public
  • Git must be installed

Configuration

Download sources

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Certificate Setup/Apache

/opt/letsencrypt/letsencrypt-auto --apache -d example.com # one domain
/opt/letsencrypt/letsencrypt-auto --apache -d example1.com -d example2.com # multiple domains

  • The domain name must be the same as the one in the virtualhost
  • An email address will be requested
  • You will be able to choose between enabling both http and https access, or forcing all requests to redirect to https

Once completed, letsencrypt will create the virtualhost and reload apache2.

Certificate Setup/Certonly

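If the site sits behind a reverse proxy, use certonly with the webroot plugin instead. This only obtains the certificate and leaves the web server configuration untouched:

/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/example.com/ -d example.com # one webroot, one domain
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net # each -w applies to the -d options that follow it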

Certificate renewal

Manually

/opt/letsencrypt/letsencrypt-auto certonly --apache --renew-by-default -d example.com -d www.example.com

Automatic - le-renew

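Download the le-renew script. The command below fetches it over plain HTTP through a shortened URL, and cron will run it as root, so read the script before relying on it.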

wget -P /usr/local/sbin/ http://do.co/le-renew
chmod 700 /usr/local/sbin/le-renew

Create a cron job by editing /etc/cron.d/le-renew (the entry below runs every Monday at 02:00 as root):

# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
  0  2  *  *  1 root /usr/local/sbin/le-renew example.com >> /var/log/le-renew.log

Create the log file (the name must match the one used in the cron entry)

touch /var/log/le-renew.log
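
To confirm that the weekly cron job is really keeping the certificate fresh, the days remaining can be read from the installed certificate. The script below is an added example, not part of the original page or of le-renew; it assumes GNU date, openssl on the PATH and the usual /etc/letsencrypt/live/<domain>/cert.pem location, and the 30-day threshold and function names are illustrative.

```shell
#!/bin/sh
# Added example: report how long a Let's Encrypt certificate has left.
# Assumes GNU date (-d), openssl on PATH, and the usual
# /etc/letsencrypt/live/<domain>/cert.pem location.

THRESHOLD_DAYS=30   # illustrative: flag certificates with fewer days left

# days_left "notAfter=Jan 31 00:00:00 2030 GMT" [now_epoch]
# Input is the line printed by `openssl x509 -enddate -noout`.
days_left() {
    end=${1#notAfter=}
    end_epoch=$(date -u -d "$end" +%s) || return 2
    now_epoch=${2:-$(date -u +%s)}
    # Integer division truncates toward zero, so 0 means "under one day
    # left or expired less than a day ago".
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# status_for DAYS prints OK, RENEW or CRITICAL.
status_for() {
    if [ "$1" -le 0 ]; then
        echo CRITICAL
    elif [ "$1" -lt "$THRESHOLD_DAYS" ]; then
        echo RENEW
    else
        echo OK
    fi
}

# check_cert DOMAIN prints one log line; returns non-zero unless OK.
check_cert() {
    pem="/etc/letsencrypt/live/$1/cert.pem"
    enddate=$(openssl x509 -enddate -noout -in "$pem") || {
        echo "$1 ERROR cannot read $pem"
        return 2
    }
    days=$(days_left "$enddate") || return 2
    state=$(status_for "$days")
    echo "$(date -u +%FT%TZ) $1 $state ${days}d left"
    [ "$state" = OK ]
}

# Run only when a domain is given, e.g.: sh cert-days.sh example.com
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

A RENEW or CRITICAL line the day after the scheduled run means the renewal did not happen and /var/log/le-renew.log should be checked.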

Sources

Elliot
techUnit's cofounder