LetsEncrypt
Let's Encrypt for free SSL/TLS certificates.
There's plenty of documentation at the above link.
The following uses maps.solidarityeconomy.coop as an example.
Configure the subdomain in DNS:
The way we do this is to edit the DNS zonefile at git.coop (that link won't work for you if you don't have permission!). For example, the record for the subdomain maps.solidarityeconomy.coop looks like this:
maps IN A 99.99.99.99
where 99.99.99.99 is the IP address of the server which serves that subdomain (the one where Apache needs to be configured, in the following steps).
Define the VirtualHost in Apache:
matt@ise-0:/etc/apache2/sites-available$ cat maps.solidarityeconomy.coop.conf
<VirtualHost *:80>
    ServerName maps.solidarityeconomy.coop
    DocumentRoot "/var/www/html/maps"
    <Directory "/var/www/html/maps">
        Options +FollowSymLinks +Indexes
        AllowOverride All
    </Directory>
</VirtualHost>
Ensure the root directory exists:
matt@ise-0:/etc/apache2/sites-available$ ls -ld /var/www/html/maps/
drwxrwxr-x 3 admin admin 4096 Apr 5 12:36 /var/www/html/maps/
Check the apache config:
matt@ise-0:/etc/apache2/sites-available$ sudo apachectl configtest
Syntax OK
Enable the new site:
matt@ise-0:/etc/apache2/sites-available$ sudo a2ensite maps.solidarityeconomy.coop
Enabling site maps.solidarityeconomy.coop.
To activate the new configuration, you need to run:
service apache2 reload
matt@ise-0:/etc/apache2/sites-available$ sudo service apache2 reload
Create the Let's Encrypt certificates:
matt@ise-0:/etc/apache2/sites-available$ sudo certbot -d maps.solidarityeconomy.coop
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/maps.solidarityeconomy.coop.conf)
What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/maps.solidarityeconomy.coop-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/maps.solidarityeconomy.coop-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/maps.solidarityeconomy.coop-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/maps.solidarityeconomy.coop.conf to ssl vhost in /etc/apache2/sites-available/maps.solidarityeconomy.coop-le-ssl.conf
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled
https://maps.solidarityeconomy.coop
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=maps.solidarityeconomy.coop
-------------------------------------------------------------------------------
Note: in the above, there was an existing certificate from earlier testing. You may not see this.
Are you seeing this?
$ sudo certbot -d data1.solidarityeconomy.coop
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
A temporary fix to this was proposed at https://github.com/certbot/certbot/issues/5405, but certificates installed this way would fail to renew :-(.
There's a very useful discussion at https://github.com/certbot/certbot/issues/5447, which points out that you need to ensure you have certbot version at least 0.21.
I needed a dist-upgrade to get this:
$ sudo apt-get dist-upgrade
...
$ certbot --version
certbot 0.22.2
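Pulling the steps above together, here is an added pre-flight script (not part of the original page) that checks the three things this walkthrough depends on before calling certbot: a new enough certbot version, a DNS A record that actually points at this server, and a passing `apachectl configtest`. It assumes a POSIX shell with `dig` (dnsutils) and certbot installed, and takes the subdomain and the server's public IP as arguments.

```sh
#!/bin/sh
# Pre-flight checks before "sudo certbot -d <subdomain>" (added example, not from
# the original page). Assumes POSIX sh, dig (dnsutils) and certbot on the host.

# certbot_version_ok "<output of certbot --version>" [min]
# Returns 0 when the reported version is at least "min" (default 0.21, the
# minimum the page cites for the apache authenticator to satisfy the CA).
certbot_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then return 1; fi
    min=${2:-0.21}
    v_major=${ver%%.*}; m_major=${min%%.*}
    case $ver in *.*) v_minor=${ver#*.}; v_minor=${v_minor%%.*};; *) v_minor=0;; esac
    case $min in *.*) m_minor=${min#*.}; m_minor=${m_minor%%.*};; *) m_minor=0;; esac
    if [ "$v_major" -gt "$m_major" ]; then return 0; fi
    if [ "$v_major" -lt "$m_major" ]; then return 1; fi
    [ "$v_minor" -ge "$m_minor" ]
}

# dns_points_at "<output of dig +short SUBDOMAIN A>" "<server IP>"
# dig +short prints any CNAME hops first and the resolved A record last, so the
# last non-empty line is the address the ACME HTTP challenge will actually reach.
dns_points_at() {
    resolved=$(printf '%s\n' "$1" | awk 'NF { last = $0 } END { print last }')
    [ -n "$resolved" ] && [ "$resolved" = "$2" ]
}

# preflight SUBDOMAIN SERVER_IP: run the checks live, then hand over to certbot.
preflight() {
    certbot_version_ok "$(certbot --version 2>&1)" || {
        echo "certbot too old; run 'sudo apt-get dist-upgrade' first" >&2; return 1; }
    dns_points_at "$(dig +short "$1" A)" "$2" || {
        echo "$1 does not resolve to $2; fix the DNS A record first" >&2; return 1; }
    sudo apachectl configtest || return 1   # same check as the page's "Syntax OK" step
    sudo certbot -d "$1"
}

# Run only when invoked with arguments, e.g.:
#   sh preflight.sh maps.solidarityeconomy.coop 99.99.99.99
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Sourcing the file without arguments defines the functions only, which is how the version and DNS parsers can be exercised on constructed input.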