How To Obtain An SSL Certificate From Let's Encrypt


The prerequisite for obtaining an SSL/TLS certificate is that the domain name for which the certificate is to be issued is a publicly accessible FQDN that resolves in public DNS to this server. Certbot's Apache plugin proves control of the name with the HTTP-01 challenge, so Let's Encrypt must also be able to reach port 80 on that host from the Internet.

So you need to make sure you first have an appropriate DNS record for the server in question. I defined the server initially as gemininew.kevwells.com, with an A record for its IP address.

NOTE: I cannot at this stage use my kevwells.com domain, as this is already defined pointing to the different IP address of the current gemini server. Later this will be modified: gemininew.kevwells.com will be removed from DNS, the gemininew server will be renamed gemini, and the DNS record for kevwells.com will point to the gemininew IP address.

The DNS entry is defined in the DNS records at my virtual provider, using the account admin dashboard.

Once this is done, and after waiting a few minutes for DNS propagation, the SSL certificate installation procedure can begin. Confirm first (with dig or host) that the new name returns this server's public IP address; if it does not, the validation step below will fail.

Initially, my sites-enabled file looks like this:

root@gemini:/etc/apache2/sites-enabled# cat kevwells.com.conf

<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This port-80 virtual host is what Let's Encrypt needs in order to validate the website domain: certbot's Apache plugin answers the HTTP-01 challenge through it (it temporarily adds configuration so that requests for /.well-known/acme-challenge/ are served), so port 80 must be reachable from the Internet for every name you request. We can use this port-80 configuration to obtain the SSL certificate.

First, install certbot and its Apache plugin (as root, or with sudo):

apt-get install certbot python3-certbot-apache

then run certbot:

certbot --apache -d kevwells.com

NOTE: this instructs certbot to obtain the certificate and then automatically modify the Apache configuration, adding an HTTPS virtual host for this name. The certificate covers only the names passed with -d, so if the virtual host also serves www.kevwells.com, pass -d www.kevwells.com as well. Also note that HTTP-01 validation connects to whatever address each name currently resolves to: while kevwells.com still points at the old gemini server, Let's Encrypt will contact that server for the challenge and the request will fail unless it serves it. Either request the certificate for the name that already resolves here (gemininew.kevwells.com) or run this step after the DNS switch.

Certbot also needs a Listen 443 entry in /etc/apache2/ports.conf (the Debian default file already has one inside an <IfModule ssl_module> block, and certbot adds it if it is missing) and creates the HTTPS virtual host on port 443. You then have to change both from port 443 to 444, since I'm using sslh, which listens on 443 and is configured to forward https connections to 444. Bind the port-444 listener and virtual host to 127.0.0.1 rather than to all interfaces: sslh connects over loopback, and an Apache listener on 0.0.0.0:444 would otherwise be reachable directly from the Internet, bypassing sslh (or block port 444 in the firewall).

Check the syntax with apachectl configtest, and remember to restart apache2 after making these modifications.

The sites-enabled file now looks like this (after manually correcting certbot's additions from port 443 to port 444 where appropriate). Note that the port-80 virtual host still serves the site over plain HTTP: certbot offers to add a redirect to HTTPS during installation, and that is worth enabling once the DNS switch is complete.

root@gemini:/etc/apache2/sites-enabled# cat kevwells.com.conf

<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 127.0.0.1:444>
ServerName kevwells.com
ServerAlias www.kevwells.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem
</VirtualHost>
</IfModule>

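The post-certbot steps above (building the -d list from the virtual host's names, moving the Listen and VirtualHost entries from 443 to loopback port 444, and checking that nothing still binds 443) as a script. This is an added example and not part of the original page or of certbot; it assumes the Debian file layout shown on this page, and the ports.conf and site file written by write_sample are constructed to look like certbot's output, not copied from a real server.

```shell
#!/bin/sh
# Added example, not from the original page: post-certbot fixup for an Apache
# that sits behind sslh. After "certbot --apache" there is a "Listen 443" in
# ports.conf and a <VirtualHost *:443> for the site; the functions below move
# both to 127.0.0.1:444 (so only sslh on this host can reach the TLS vhost),
# verify nothing still binds 443, and build the -d list for certbot from the
# vhost's ServerName/ServerAlias. File paths are parameters.

# Print every hostname the vhost serves (ServerName and ServerAlias), one per line.
vhost_names() {
    awk '$1 == "ServerName" || $1 == "ServerAlias" { for (i = 2; i <= NF; i++) print $i }' "$1" \
        | sort -u
}

# Turn those names into certbot arguments: "-d kevwells.com -d www.kevwells.com".
# Every name must resolve to this server, or HTTP-01 validation fails for it.
certbot_domain_args() {
    vhost_names "$1" | awk '{ printf "-d %s ", $1 }' | sed 's/ $//'
}

# Rewrite "*:443" vhosts and "Listen 443" to 127.0.0.1:444 in FILE, keeping FILE.bak.
fix_ssl_port() {
    f="$1"
    cp -p "$f" "$f.bak"
    sed -e 's/<VirtualHost \*:443>/<VirtualHost 127.0.0.1:444>/' \
        -e 's/^\([[:space:]]*\)Listen[[:space:]][[:space:]]*443[[:space:]]*$/\1Listen 127.0.0.1:444/' \
        "$f.bak" > "$f"
}

# Succeed only if none of the given files still has a listener or vhost on 443.
no_443_left() {
    ! grep -Eq '^[[:space:]]*(Listen[[:space:]]+443[[:space:]]*$|<VirtualHost[^>]*:443>)' "$@"
}

# Syntax-check Apache if it is installed; skipped on a machine without it.
apache_configtest() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest
    fi
}

# Constructed sample (not a real server's files): a Debian-style ports.conf and a
# site file shaped like certbot's output, written into DIR.
write_sample() {
    cat > "$1/ports.conf" <<'EOF'
Listen 80

<IfModule ssl_module>
	Listen 443
</IfModule>
EOF
    cat > "$1/kevwells.com.conf" <<'EOF'
<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName kevwells.com
ServerAlias www.kevwells.com
DocumentRoot /var/www/html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Demo on the constructed sample: sh fixup.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    write_sample "$dir"
    echo "certbot --apache $(certbot_domain_args "$dir/kevwells.com.conf")"
    fix_ssl_port "$dir/ports.conf"
    fix_ssl_port "$dir/kevwells.com.conf"
    no_443_left "$dir/ports.conf" "$dir/kevwells.com.conf" && echo "no 443 listener left"
    grep -n '444' "$dir/ports.conf" "$dir/kevwells.com.conf"
    rm -rf "$dir"
fi
```

Run fix_ssl_port on ports.conf and on the site file certbot produced, then apache_configtest, before restarting Apache. The rewrite binds to 127.0.0.1 rather than *:444 on purpose: sslh connects over loopback, and nothing else should be able to reach the TLS virtual host directly.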
Finally, test the configuration.

Check the resolution and website availability in a web browser by calling:

https://gemininew.kevwells.com

This should resolve and display the site. Initially there may be an "SSL Site Security Warning". In this interim setup that is most likely a certificate name mismatch: the certificate was issued for kevwells.com (and any other names passed with -d), while the site is being reached as gemininew.kevwells.com, which the certificate does not cover. For this test the warning can be clicked away, and provided the configuration is correct the site should then display; it will go away once the DNS record for kevwells.com points at this server and the site is reached under the certified name. A warning that persists under the certified name means something is wrong (wrong certificate or key file, an incomplete chain because cert.pem rather than fullchain.pem was configured, or interception on the path) and should not be clicked through. To see exactly what the server presents, connect with openssl s_client (with -servername set to the hostname) and inspect the subject, issuer and validity dates. Finally, confirm that unattended renewal works with certbot renew --dry-run, since the Debian package installs a systemd timer that will renew the certificate without you.

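The name-mismatch check behind the warning described above, as an added example that is not part of the original page: it decides whether a certificate's subjectAltName list covers the hostname the browser connects to, including the one-label wildcard rule, which goes beyond the page's own case. SAMPLE_SAN is constructed to match the names in the page's virtual host and is not copied from a real certificate; on a live server, feed the function the output of the openssl command shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original page: check whether a certificate's
# subjectAltName list covers the hostname the browser connects to. A mismatch is
# what produces the browser warning when the site is opened as
# gemininew.kevwells.com with a certificate issued for kevwells.com. Real input
# comes from:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#     | openssl x509 -noout -ext subjectAltName
# SAMPLE_SAN is constructed to match the names in the page's vhost; it is not
# copied from a real certificate.

SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:kevwells.com, DNS:www.kevwells.com'

# Extract the DNS names from subjectAltName text, one per line.
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# name_matches_san NAME ENTRY: exact match, or a wildcard of the form "*.parent"
# covering exactly one leftmost label (RFC 6125 section 6.4.3). "*.kevwells.com"
# matches gemininew.kevwells.com but not kevwells.com or a.b.kevwells.com, and
# partial-label wildcards such as "w*.kevwells.com" are rejected.
name_matches_san() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$name" = "$san" ] && return 0
    case "$san" in
        \*.?*)
            parent=${san#\*.}
            first=${name%%.*}       # leftmost label of NAME
            rest=${name#*.}         # NAME with that label removed
            [ -n "$first" ] && [ "$first" != "$name" ] && [ "$rest" = "$parent" ] && return 0
            ;;
    esac
    return 1
}

# cert_covers_name NAME SAN_TEXT: 0 if any SAN entry matches NAME, else 1.
# Entries are read line by line (not word-split) so a leading "*" is never globbed.
cert_covers_name() {
    matched=$(san_dns_names "$2" | while IFS= read -r entry; do
        if name_matches_san "$1" "$entry"; then echo yes; break; fi
    done)
    [ "$matched" = "yes" ]
}

# Demo: sh check_san.sh demo
if [ "${1:-}" = "demo" ]; then
    for host in kevwells.com www.kevwells.com gemininew.kevwells.com; do
        if cert_covers_name "$host" "$SAMPLE_SAN"; then
            echo "$host: covered, no browser warning expected"
        else
            echo "$host: NOT covered, browser will warn (name mismatch)"
        fi
    done
fi
```

With the sample, kevwells.com and www.kevwells.com are covered and gemininew.kevwells.com is not, which is exactly the situation that produces the warning in the test above; the fix is to include that name with -d (or to test under a name the certificate carries), not to click through.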