I’ve had my blog running on port 80 for years and have finally decided it is time to deprecate HTTP and move everything to a secure SSL connection. This decision was a lot easier to make now that Let’s Encrypt is providing free SSL certificates and has been out of beta since April. I also appreciate that the entire installation can be done via command line and that the certificate can be automatically renewed a month before it expires. Wahoo, no more pesky calendar reminders to tell me to hurry up and buy a new certificate before it expires and manually install it.
With that said, my blog is currently running on CentOS 6 with Apache with vhost files placed in a non-standard directory by DirectAdmin. This means I will have to manually add the certificate information to the vhost file for each host instead of letting Let’s Encrypt do all the work for me. That’s ok though, as I will only have to do this once.
Also, CentOS 6 will throw a little curve ball as it doesn’t have Python 2.7 set up by default and depends on Python 2.6 for yum. So, care will be taken to get them both set up on the machine.
Here are the steps needed to set up Let’s Encrypt. First, we need to set up the IUS repository with the following commands:
wget https://centos6.iuscommunity.org/ius-release.rpm
sudo rpm -Uvh ius-release*.rpm
rm ius-release.rpm
Then, we need to get Python set up:
sudo yum update
sudo yum install centos-release-scl python27 python27-devel python27-pip python27-setuptools python27-virtualenv
Next, we will install pip as that gives us an easy way to install Let’s Encrypt and update it in the future.
sudo easy_install-2.7 pip
Now we will install Let’s Encrypt (which also goes by the name certbot):
sudo pip2.7 install letsencrypt letsencrypt-apache
If you happen to have a very vanilla Apache setup and are running Debian then the following command to generate and install the certificate may magically set up everything for you. This was not the case for me so I didn’t use this step.
sudo certbot --apache -d brett.batie.com
Or, you could try to be more specific about where your config files are located for Apache as I did in the following command. However, at the time of this writing this does not work if your vhost file has more than one vhost in it. So, I didn’t use this step either.
sudo certbot --apache --apache-server-root /etc/httpd/ --apache-vhost-root /usr/local/directadmin/data/users/admin/httpd.conf -d www.brett.batie.com
The route that I actually took was to use the following command which only generates the certificate. This is the webroot approach which differs from the above Apache approach.
sudo certbot certonly --webroot --webroot-path /home/admin/domains/brett.batie.com/public_html/ -d brett.batie.com
This provided output like the following:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/brett.batie.com/fullchain.pem. Your cert will
expire on 2016-09-01. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Sweet, I have a certificate! Now, I just have to tell Apache to use it. My vhost file is located at /usr/local/directadmin/data/users/admin/httpd.conf and I need to add the following 4 lines to the appropriate vhost in that file.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/ryogasp.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ryogasp.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ryogasp.com/fullchain.pem
Now do a graceful restart of Apache and we should have the new SSL certificate up and running.
sudo service httpd graceful
You can load the site in your browser to see if it is using the new SSL certificate as well as test it at SSL Labs to see if you received a passing grade.
Since I decided to completely remove http (port 80) from my site I also added the following redirect which could be placed in the appropriate (port 80) vhost (preferable) or in a .htaccess file (less preferred).
Redirect / https://brett.batie.com/
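As an added check that is not part of the original post: a small Python script that audits a multi-vhost httpd.conf of the kind certbot's Apache plugin could not handle, confirming that the :443 vhost for a domain carries the four Let's Encrypt lines pointing into that domain's own /etc/letsencrypt/live/ directory (so a copy-paste from another host's vhost is caught) and that the :80 vhost redirects to https. The sample config is constructed; to audit a real file, read it into a string and pass it to audit().

```python
import re
# Constructed sample resembling a two-vhost DirectAdmin httpd.conf after the edit.
SAMPLE_CONF = """
<VirtualHost 203.0.113.10:80>
    ServerName brett.batie.com
    Redirect / https://brett.batie.com/
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName brett.batie.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/brett.batie.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/brett.batie.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/brett.batie.com/fullchain.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
CERT_KEYS = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
OPTIONS = "/etc/letsencrypt/options-ssl-apache.conf"

def parse_vhosts(conf):
    """Yield (port, {directive: [values]}) for each <VirtualHost> block."""
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, val = line.partition(" ")
                directives.setdefault(key, []).append(val.strip())
        yield addr.strip().rsplit(":", 1)[-1], directives

def audit(conf, domain):
    """Return a list of problems; an empty list means the host is TLS-ready."""
    problems = []
    hosts = {p: d for p, d in parse_vhosts(conf) if domain in d.get("ServerName", [])}
    tls = hosts.get("443")
    if tls is None:
        problems.append("no :443 vhost for %s" % domain)
    else:
        if OPTIONS not in tls.get("Include", []):
            problems.append("443: missing Include %s" % OPTIONS)
        live = "/etc/letsencrypt/live/%s/" % domain
        for key in CERT_KEYS:
            paths = tls.get(key, [])
            # Apache uses the last occurrence of a directive, so check that one.
            if not paths or not paths[-1].startswith(live):
                problems.append("443: %s missing or outside %s" % (key, live))
    redirects = hosts.get("80", {}).get("Redirect", [])
    if not any(r.endswith("https://%s/" % domain) for r in redirects):
        problems.append("80: no Redirect to https://%s/" % domain)
    return problems
```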
Now, we just need to automate the certificate renewal by adding the following to a cronjob:
@monthly /usr/bin/certbot renew
As you can see there were a few steps involved in this process but overall I found this easier than generating certificate requests, verifying domain ownership, receiving an email with the certificate, needing to find the entire certificate chain and then manually putting all the files where they needed to go. The fact that Let’s Encrypt is free and it simplifies the process makes it a no-brainer and should help our Internet become a little more secure.