SSL Certificate Renewal Using Let's Encrypt and Certbot

Running certbot certonly for a name that already has a certificate on this host makes certbot renew it rather than issue a new one. With the webroot authenticator it asks for the document root it should drop the http-01 challenge file into, so that directory must be the one Apache serves for the domain on port 80:

root@gemini:/home/kevin# certbot certonly -d kevwells.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3

Plugins selected: Authenticator webroot, Installer None

Cert is due for renewal, auto-renewing...

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kevwells.com

Input the webroot for kevwells.com: (Enter 'c' to cancel): /var/www/kevwells.com

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/kevwells.com/fullchain.pem

Your key file has been saved at:
/etc/letsencrypt/live/kevwells.com/privkey.pem

Your cert will expire on 2021-02-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@gemini:/home/kevin#

root@gemini:/var/www# certbot certonly -d nextcloud.kevwells.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3

Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:

http-01 challenge for nextcloud.kevwells.com
Input the webroot for nextcloud.kevwells.com: (Enter 'c' to cancel): /var/www/nextcloud

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nextcloud.kevwells.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nextcloud.kevwells.com/privkey.pem

Your cert will expire on 2021-02-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@gemini:/var/www#
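As an added example that is not part of the original post: the non-interactive form of the commands in the transcript above, plus a small check that turns the expiry date certbot prints into a "renew now or not" answer without sitting through certbot's prompts. The 30-day threshold matches certbot's default renew_before_expiry; the deploy hook, the domain and webroot arguments, and the presence of openssl are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Two things the interactive
# transcript leaves to the operator: running the renewal without prompts, and
# knowing when a renewal is due. The date arithmetic is plain POSIX sh so the
# check runs anywhere; the 30-day threshold is certbot's default
# renew_before_expiry, and the paths/hook below are assumptions.
set -eu

# Julian Day Number of an ISO date YYYY-MM-DD (proleptic Gregorian), so that
# subtracting two of them gives a day count without needing GNU date -d.
jdn() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                  # "02" -> "2": avoids octal parsing
    a=$(( (14 - m) / 12 ))
    yy=$(( y + 4800 - a ))
    mm=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

# Days from TODAY (default: current date) until EXPIRY; negative once expired.
days_until() {
    echo $(( $(jdn "$1") - $(jdn "${2:-$(date +%Y-%m-%d)}") ))
}

# True when EXPIRY is within THRESHOLD days of TODAY (default 30), which is
# the same rule certbot renew applies before it does anything.
needs_renewal() {
    left=$(days_until "$1" "${2:-$(date +%Y-%m-%d)}")
    [ "$left" -le "${3:-30}" ]
}

# The same question asked of the certificate file itself rather than of the
# date certbot printed: exit 0 if FILE will still be valid in DAYS days.
cert_ok_for_days() {            # cert_ok_for_days FILE DAYS  (needs openssl)
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Non-interactive versions of the transcript's commands. -w supplies the
# webroot certbot otherwise prompts for; certbot renew reuses what it stored
# under /etc/letsencrypt/renewal/ and runs the deploy hook only for certs
# that were actually renewed. Pass --dry-run to renew_all to rehearse against
# the staging CA without changing anything.
issue_webroot() {               # issue_webroot DOMAIN WEBROOT
    certbot certonly --non-interactive --webroot -w "$2" -d "$1"
}
renew_all() {                   # renew_all [--dry-run]
    certbot renew --non-interactive --deploy-hook 'systemctl reload apache2' "$@"
}

case "${1:-}" in
    check)  # check EXPIRY-DATE   e.g. the date certbot printed: 2021-02-16
        left=$(days_until "${2:?expiry date}")
        if needs_renewal "$2"; then echo "$left days left: renew now"
        else echo "$left days left: ok"; fi ;;
    issue)  issue_webroot "${2:?domain}" "${3:?webroot}" ;;
    renew)  shift; renew_all "$@" ;;
esac
```

Usage: sh renew.sh check 2021-02-16, sh renew.sh issue nextcloud.kevwells.com /var/www/nextcloud, sh renew.sh renew --dry-run. The hook reloads Apache rather than restarting it, so the new certificate is picked up without dropping connections; certbot's own renewal timer (cron or systemd, depending on the package) still does the scheduled work, this script only makes the manual runs repeatable.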

How To Obtain An SSL Certificate From Let's Encrypt

The prerequisite for obtaining a certificate from Let's Encrypt is that the domain name to be certified is a publicly accessible FQDN that resolves in DNS. The CA proves control of the name over the public internet, so a name that only resolves internally cannot be certified this way.

So you first need an appropriate DNS record for the server in question. I defined the server initially as gemininew.kevwells.com, with an A record pointing at its IP address.

NOTE: I cannot at this stage use my kevwells.com domain, as it already points at the IP address of the current gemini server. Later this will be changed: gemininew.kevwells.com will be removed from DNS, the gemininew server will be renamed gemini, and the DNS record for kevwells.com will be pointed at the gemininew IP address.

The DNS entry is defined in the DNS records at my hosting provider, using the account admin dashboard.

Once this is done, and after waiting a few minutes for DNS propagation, the certificate installation procedure can begin.

Initially, my sites-enabled file looks like this:

 

root@gemini:/etc/apache2/sites-enabled# cat kevwells.com.conf

<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This entry is necessary in order to validate the domain with Let's Encrypt: the http-01 challenge is answered over plain HTTP, so the site must be reachable on port 80 from the internet before certbot runs. We can use this port 80 virtual host configuration to obtain the certificate.

 

First, install certbot together with its Apache plugin:

apt-get install certbot python3-certbot-apache

then run certbot:

certbot --apache -d kevwells.com

NOTE: --apache tells certbot both to validate the domain through Apache and to modify the Apache configuration itself, adding an HTTPS virtual host for this domain.

On this host a further step is needed. certbot's Apache installer adds a Listen 443 entry to /etc/apache2/ports.conf and an SSL virtual host on port 443, but here sslh listens on 443 and is configured to forward HTTPS to port 444. So after certbot finishes, both the ports.conf entry and the new virtual host have to be changed by hand from port 443 to port 444, otherwise Apache and sslh will compete for 443.

Remember to check the configuration with apache2ctl configtest and then restart apache2 after making these modifications.

 

The sites-enabled file now looks like this (after manually correcting certbot's added entry from port 443 to port 444 where appropriate):

root@gemini:/etc/apache2/sites-enabled# cat kevwells.com.conf

<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 127.0.0.1:444>
ServerName kevwells.com
ServerAlias www.kevwells.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem
</VirtualHost>
</IfModule>

Finally, test the configuration.

Check name resolution and site availability in a web browser by opening:

https://gemininew.kevwells.com

This should resolve and display the site. Initially the browser may show a certificate warning. For a first test it can be clicked past, and provided the configuration is correct the site then displays. Do not leave it at that, though: a warning means the browser did not accept the certificate, and the most likely reason here is a name mismatch, since the certificate was requested for kevwells.com but the URL is gemininew.kevwells.com. Open the certificate details in the browser, or run openssl s_client -connect gemininew.kevwells.com:443 -servername gemininew.kevwells.com, and check that the issuer is Let's Encrypt and that the certificate's names include the host you are visiting. On a production site the warning must be gone, not clicked away.
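The two hand edits above (port 443 to 444 for sslh, then a config check and restart) and a pre-flight that the http-01 path is actually reachable, as an added shell example that is not code from the original post. The sample config contents in demo_vhost and demo_ports, the default file paths, and the use of curl and apache2ctl are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates the two manual
# edits the post describes after "certbot --apache": moving Apache's TLS
# listener from 443 to 444 on loopback because sslh owns port 443, and
# checking beforehand that the http-01 challenge path is reachable.
# The demo_* config snippets are constructed samples; the paths in
# apply_sslh_fix are assumptions about a Debian/Ubuntu Apache layout.
set -eu

# Print FILE with certbot's port-443 entries rewritten for sslh:
#   <VirtualHost *:443>  ->  <VirtualHost 127.0.0.1:444>
#   Listen 443           ->  Listen 444   (leading whitespace preserved)
sslh_rewrite() {
    sed -e 's/<VirtualHost \*:443>/<VirtualHost 127.0.0.1:444>/' \
        -e 's/^\([[:space:]]*\)Listen 443[[:space:]]*$/\1Listen 444/' "$1"
}

# Same, in place, through a temp copy (portable: no GNU-only sed -i).
sslh_rewrite_inplace() {
    tmp="$1.tmp.$$"
    sslh_rewrite "$1" > "$tmp" && mv "$tmp" "$1"
}

# Number of lines in FILE that still bind port 443 (0 after the rewrite).
port443_lines() {
    grep -c -e ':443>' -e 'Listen 443' "$1" || true
}

# Constructed sample of the vhost file after certbot --apache has run
# (shape taken from the post, trimmed to the relevant lines).
demo_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName kevwells.com
SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Constructed sample of the Listen block certbot adds to ports.conf.
demo_ports() {
    printf '%s\n' 'Listen 80' '<IfModule ssl_module>' '    Listen 443' '</IfModule>'
}

# Pre-flight for the apache/webroot authenticators: a file dropped into
# WEBROOT/.well-known/acme-challenge/ must be served over plain HTTP on
# port 80 from the public internet, which is exactly what http-01 needs.
# Needs network and curl; run it before certbot, not in an offline test.
check_http01() {                # check_http01 DOMAIN WEBROOT
    domain="$1"; webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$"
    mkdir -p "$dir" && printf 'ok\n' > "$dir/$token"
    got=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    [ "$got" = "ok" ]
}

# Apply the fix to the real files (paths are assumptions), verify nothing
# still binds 443, then let Apache check its own syntax before any restart.
apply_sslh_fix() {              # apply_sslh_fix [SITE_CONF] [PORTS_CONF]
    site="${1:-/etc/apache2/sites-enabled/kevwells.com.conf}"
    ports="${2:-/etc/apache2/ports.conf}"
    sslh_rewrite_inplace "$site"
    sslh_rewrite_inplace "$ports"
    [ "$(port443_lines "$site")" = 0 ] || return 1
    [ "$(port443_lines "$ports")" = 0 ] || return 1
    if command -v apache2ctl >/dev/null 2>&1; then apache2ctl configtest; fi
}

case "${1:-}" in
    preflight) check_http01 "${2:?domain}" "${3:?webroot}" ;;
    apply)     apply_sslh_fix "${2:-}" "${3:-}" ;;
esac
```

Usage: sh sslh-fix.sh preflight kevwells.com /var/www/kevwells.com before running certbot, then sh sslh-fix.sh apply after it, followed by systemctl restart apache2 only if configtest reported Syntax OK. The rewrite binds the TLS vhost to 127.0.0.1 on purpose: sslh forwards to localhost, and nothing outside the host should be able to reach Apache's port 444 directly.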