
Renewing SSL Certificates for Apache Virtual Domains

The procedure for renewing SSL certificates for an Apache virtual domain is described below.

There are some problems here which we need to be aware of:

1. We have to activate port 80 for the virtual domain in Apache so that the Let's Encrypt CA can reach the domain over HTTP (certbot's http-01 challenge) and approve the certificate renewal.

2. We are using the sslh multiplexer, which listens for all traffic coming in on port 443. It sends SSH traffic on to port 22 and Apache traffic on to port 444. So we run Apache on 444 instead of the conventional standard 443; this is so that Apache does not conflict with sslh.

3. The certbot process automatically reconfigures the port in our Apache ports.conf file to the standard 443 for HTTPS/SSL, which causes problems. So we have to manually edit this file afterwards and change it back to 444.

4. Finally, after the SSL certificate has been successfully renewed, we must change the Apache config back to disable port 80, so that Apache once again listens only on port 444.

Here is the process in practice:

root@gemini:/etc/apache2/sites-enabled# certbot --apache -d nextcloud.kevwells.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.kevwells.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
root@gemini:/etc/apache2/sites-enabled#

Solution:

Activate port 80

You need to activate port 80 for nextcloud.kevwells.com in /etc/apache2/sites-available/. To do this, use the config file

000-default.conf.use.this.for.port.80.nextcloud.ssl.certificate.renewal.conf

as follows:

a2dissite 000-default.conf
a2ensite 000-default.conf.use.this.for.port.80.nextcloud.ssl.certificate.renewal.conf
systemctl restart apache2

Obtain the new SSL certificate

To do this, run certbot:

root@gemini:/etc/apache2/sites-enabled# certbot --apache -d nextcloud.kevwells.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.kevwells.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 3

** Invalid input **
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://nextcloud.kevwells.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=nextcloud.kevwells.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nextcloud.kevwells.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nextcloud.kevwells.com-0001/privkey.pem
Your cert will expire on 2022-10-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@gemini:/etc/apache2/sites-enabled#

Put the new certificate in the proper location on our server

Note the location of the new certificate and the name it is given. We prefer to change this to our standard location folder and file name.

So move the new keys from /etc/letsencrypt/live/nextcloud.kevwells.com-0001/ (the source directory certbot created during the renewal process) to the folder already in use for SSL certificates, /etc/letsencrypt/live/nextcloud.kevwells.com/.

You also have to rename the certificates from privkey2.pem etc., because they are symbolic links and we don't use them for the standard location: remove the symlinks and replace them with the actual certificate files at /etc/letsencrypt/live/nextcloud.kevwells.com/.

Next, Apache port reconfiguration:

Certbot changes the Apache HTTPS port from 444 back to the standard 443 in /etc/apache2/ports.conf.

As we use an sslh multiplexer on gemini to listen on 443 and split SSH traffic to port 22 and HTTPS traffic to port 444, we need to change this back.

Set correctly for our sslh config, it will look like this:

root@gemini:/etc/apache2# cat ports.conf
#NOTE! gemini: running sslh with apache and ssh!

#after running the certbot app to renew the SSL certificates for apache domains, certbot changes the port designations to the standard 443

#this will not work for my configuration as we use sslh on port 443 on gemini which forwards to port 444 on apache. ie, we have to use port 444 for apache
#and not the standard 443. Otherwise apache will not start.

#So, make sure to change back the ports.conf configuration from port 443 to port 444: as below.

/etc/apache2/ports.conf should look like this:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

#Listen 80
##Listen 8080

#<IfModule ssl_module>
# Listen 443
#Listen 444
#</IfModule>

<IfModule mod_ssl.c>
#Listen 443
Listen 444
</IfModule>

<IfModule mod_gnutls.c>
Listen 444
# Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
root@gemini:/etc/apache2#

Next, reactivate the correct sites-available config for Apache and restart the webserver:

Disable the temporary /etc/apache2/sites-available/000-default.conf.use.this.for.port.80.nextcloud.ssl.certificate.renewal.conf (this was needed to activate nextcloud.kevwells.com on HTTP port 80 for the purpose of renewing the SSL certificate from Let's Encrypt using certbot).

Finally, reactivate the main sites-available file, i.e. 000-default.conf, and then restart Apache:

a2dissite 000-default.conf.use.this.for.port.80.nextcloud.ssl.certificate.renewal.conf
a2ensite 000-default.conf
systemctl restart apache2

Apache should then be running correctly on 444 and nextcloud.kevwells.com should be reachable via HTTPS on 443 through sslh (you enter https://nextcloud.kevwells.com in the browser as usual, NOT https://nextcloud.kevwells.com:444).

SSL Certificate Renewal Using Let's Encrypt and Certbot

root@gemini:/home/kevin# certbot certonly -d kevwells.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kevwells.com
Input the webroot for kevwells.com: (Enter 'c' to cancel): /var/www/kevwells.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/kevwells.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/kevwells.com/privkey.pem
Your cert will expire on 2021-02-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@gemini:/home/kevin#

root@gemini:/var/www# certbot certonly -d nextcloud.kevwells.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.kevwells.com
Input the webroot for nextcloud.kevwells.com: (Enter 'c' to cancel): /var/www/nextcloud
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nextcloud.kevwells.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nextcloud.kevwells.com/privkey.pem
Your cert will expire on 2021-02-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@gemini:/var/www#

How To Obtain An SSL Certificate From Let's Encrypt

A prerequisite for obtaining an SSL certificate is that the domain name for which the certificate is to be obtained is defined as a publicly accessible FQDN and is DNS resolvable.

So you need to make sure you first have an appropriate DNS record for the server in question. I defined the server initially thus: gemininew.kevwells.com with an A record for the IP address.

NOTE: I cannot at this stage use my kevwells.com domain as this is already defined pointing to the different IP address for the current gemini server. Later this will be modified: gemininew.kevwells.com will be removed from DNS, the gemininew server will be renamed gemini, and the DNS record for kevwells.com will point to the gemininew IP address.

The DNS entry is defined in my DNS records at my virtual provider, using the account admin dashboard.

Once this is done, after waiting a few minutes for DNS propagation, the SSL certificate installation procedure can begin.

Initially, my sites-enabled file will look like this:

root@gemini:/etc/apache2/sites-enabled# cat kevwells.com.conf

<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

 

This entry is necessary in order to validate the website domain with Let's Encrypt. We can use this port 80 virtual host configuration to obtain an SSL certificate.

First, install certbot:

apt-get install certbot python3-certbot-apache

then run certbot:

certbot --apache -d kevwells.com

 

NOTE: this will instruct certbot to automatically modify the Apache configuration for HTTPS for this host.

You then have to change /etc/apache2/ports.conf from port 443 to 444, as Let's Encrypt automatically adds this entry (since I'm using sslh, which listens on 443 and is configured to redirect HTTPS to 444).

Remember to restart apache2 after making these modifications.

The sites-enabled file now looks like this (after manually correcting certbot's entry addition from port 443 to port 444 where appropriate):

root@gemini:/etc/apache2/sites-enabled# cat kevwells.com.conf

<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 127.0.0.1:444>
ServerName kevwells.com
ServerAlias www.kevwells.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem
</VirtualHost>
</IfModule>

Finally, test the configuration:

Check the resolution and website availability in a web browser by calling:

https://gemininew.kevwells.com

This should resolve and display the site. Initially there may be an "SSL Site Security Warning". This can be clicked away, and provided the configuration is correct the site should then display correctly.
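Before the browser test, the edited sites-enabled file can be checked offline. The following is an added shell example (not the post's own code): it confirms that no VirtualHost remains on 443, that the port 80 host needed for the http-01 challenge and the port 444 host behind sslh both exist, and that the certificate path points at /etc/letsencrypt/live/<domain>/ rather than a certbot-generated -0001 directory (the naming seen in the renewal output earlier on this page). The function names, the hypothetical script name checkvhost.sh and both sample configurations are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: a read-only check of an Apache
# sites-enabled file after certbot has edited it, for the layout described
# above (sslh on 443, Apache on 444, certificates under
# /etc/letsencrypt/live/<domain>/). Function names and the sample
# configurations are this example's own.
set -eu

# Print the port from every <VirtualHost ...:PORT> opening tag in $1.
vhost_ports() {
    sed -n 's/^[[:space:]]*<VirtualHost[[:space:]][^>]*:\([0-9][0-9]*\)>.*/\1/p' "$1"
}

# Print the first SSLCertificateFile path in $1 (nothing if there is none).
cert_file() {
    sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Check $1 for domain $2. Each problem is printed; returns 0 only if none:
#  - no VirtualHost on 443 (sslh owns that port, Apache could not bind it)
#  - a VirtualHost on 80 (needed for certbot's http-01 challenge)
#  - a VirtualHost on 444 (where sslh forwards HTTPS)
#  - the certificate path is under /etc/letsencrypt/live/$2/, not a
#    certbot-generated "$2-0001" directory
check_vhost_conf() {
    f="$1"; domain="$2"; problems=0
    ports=$(vhost_ports "$f")
    if printf '%s\n' "$ports" | grep -qx 443; then
        echo "$f: a VirtualHost listens on 443, which belongs to sslh"
        problems=$((problems + 1))
    fi
    for want in 80 444; do
        if ! printf '%s\n' "$ports" | grep -qx "$want"; then
            echo "$f: no VirtualHost on port $want"
            problems=$((problems + 1))
        fi
    done
    cert=$(cert_file "$f")
    case "$cert" in
        "") echo "$f: no SSLCertificateFile directive"; problems=$((problems + 1)) ;;
        /etc/letsencrypt/live/"$domain"/*) ;;
        *)  echo "$f: certificate $cert is not under /etc/letsencrypt/live/$domain/"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed samples written into directory $1. good.conf follows the
# corrected file shown above; raw.conf is modelled on what the posts describe
# certbot writing before correction: the SSL vhost on *:443 and a certificate
# under a live/kevwells.com-0001/ directory.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
<VirtualHost *:80>
ServerName kevwells.com
ServerAlias www.kevwells.com
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 127.0.0.1:444>
ServerName kevwells.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem
</VirtualHost>
</IfModule>
EOF
    cat > "$1/raw.conf" <<'EOF'
<VirtualHost *:80>
ServerName kevwells.com
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName kevwells.com
SSLCertificateFile /etc/letsencrypt/live/kevwells.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com-0001/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Run the check over both constructed samples.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in good raw; do
        if check_vhost_conf "$d/$f.conf" kevwells.com; then
            echo "$f.conf: OK"
        fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

`sh checkvhost.sh demo` reports good.conf as OK and lists three problems for raw.conf (a 443 host, no 444 host, and a -0001 certificate path). On the real server, call `check_vhost_conf /etc/apache2/sites-enabled/kevwells.com.conf kevwells.com` before `systemctl restart apache2`, so that a config certbot has switched back to 443 is caught before Apache fails to bind the port that sslh is holding.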
