Using Let’s Encrypt with Apache2


Let’s Encrypt is a project provided by the Internet Security Research Group (ISRG) that lets you use SSL certificates for free. Not only are they free, the client also generates the certificates, so the procedure is more or less automatic.

[Image: Let’s Encrypt certificate]

I believe that the whole project is a great thing, as it gives every website owner the chance to secure their site using https://. Let’s Encrypt has been in public beta since this December and I have tested it. Let me show you how simple the certificate generation is and how to install the certificate on your Apache web server on Linux (CentOS, Debian, Ubuntu, …):

1a. Using the Apache Plugin

First you have to clone the repository from GitHub, change into it and run the auto installer (the first call of letsencrypt-auto installs its dependencies, which is why --help is enough here):
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Now you are almost ready; all you have to do is call
./letsencrypt-auto --apache

This checks your Apache configuration files for domains and asks which of them you would like to secure. Select them with the space bar, which toggles the [*] marker that shows whether a domain is selected. Let’s Encrypt then does everything for you, from generating the key and certificate to getting it signed.

1b. Generate manually

When I tried using the Apache plugin all my subdomains were displayed but not the actual domain I wanted to secure (example.com), so I had to get the certificate manually:

./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com

This command tells letsencrypt to fetch a certificate for example.com (if you want more domains secured, add another -d example.net behind it) and that /var/www/example is the web root of this domain. The client places a challenge file under /.well-known/acme-challenge/ in that web root, which Let’s Encrypt fetches over HTTP to verify that the domain belongs to you. That is all there is to it; the next step is the same. I noticed that I had to generate an extra certificate for www and non-www.

2. Installing it in Apache

When it is done generating and signing, it will tell you where the certificate files have been saved. In that folder you will find the private key (privkey.pem), the chain (chain.pem), the full chain (fullchain.pem) and the certificate (cert.pem); the entries under /etc/letsencrypt/live/ are symlinks to the most recent versions of these files. You use them to configure SSL in Apache. If you do not have your own Apache configuration files, everything that follows happens inside /etc/apache2/sites-available/default-ssl.conf.

Inside your configuration file, point SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile at the new files like so (on Apache 2.4.8 or newer SSLCertificateChainFile is deprecated; there you can point SSLCertificateFile at fullchain.pem instead and drop the chain directive):
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

This is basically it. To make the setup more secure, we also add the following lines: the SSLProtocol line disables SSLv2 and SSLv3 so only TLS is negotiated, SSLHonorCipherOrder makes the server rather than the client pick the cipher, and SSLCipherSuite lists the ephemeral Diffie-Hellman AES-GCM suites first and excludes anonymous, MD5 and DSS ciphers (the 3DES and plain RSA suites at the end are only there for old clients):
# Security Features
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

That’s it. Save the file, run sudo apachectl configtest to catch typos, then enter sudo service apache2 reload on your command line and you are live, provided SSL is already enabled; otherwise you have to enable mod_ssl first:
sudo a2enmod ssl
sudo service apache2 restart
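Before pointing Apache at the new files it is worth checking them. The script below is an added example and not part of the original post or of the Let’s Encrypt client; it assumes the openssl command line tool is installed and takes the live/<domain> directory as its argument. It checks that privkey.pem belongs to cert.pem, that chain.pem links cert.pem to a root in the system trust store, that the key is readable only by its owner, and that the certificate is still valid for 30 days, which matters because Let’s Encrypt certificates are only valid for 90 days and have to be renewed.

```shell
#!/bin/sh
# Sanity checks for the files the Let's Encrypt client wrote under
# /etc/letsencrypt/live/<domain>/ (cert.pem, chain.pem, privkey.pem).
# Added example, not part of the original post; needs the openssl CLI.
# Usage: sh check-le-files.sh /etc/letsencrypt/live/example.com
set -u

# 0 if the private key ($2) and the certificate ($1) carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if chain.pem ($2) links the certificate ($1) to a trusted root.
# $3 optionally names a root CA file; by default the system store is used.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# 0 if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if group and others have no access to the key file. ls -L follows
# symlinks, because the files in live/ are symlinks into archive/.
key_is_private() {
    perm=$(ls -lL "$1" 2>/dev/null | cut -c5-10)
    [ "$perm" = "------" ]
}

# Runs all checks on one live/<domain> directory; returns 1 if any fail.
run_checks() {
    dir=$1; rc=0
    if key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "ok    privkey.pem matches cert.pem"
    else
        echo "FAIL  privkey.pem does not belong to cert.pem"; rc=1
    fi
    if chain_verifies "$dir/cert.pem" "$dir/chain.pem"; then
        echo "ok    chain.pem leads to a trusted root"
    else
        echo "FAIL  cert.pem does not verify against chain.pem and the system store"; rc=1
    fi
    if valid_for_days "$dir/cert.pem" 30; then
        echo "ok    cert.pem is valid for at least 30 more days"
    else
        echo "FAIL  cert.pem expires within 30 days (Let's Encrypt certs last 90 days, renew it)"; rc=1
    fi
    if key_is_private "$dir/privkey.pem"; then
        echo "ok    privkey.pem is readable by its owner only"
    else
        echo "FAIL  privkey.pem is readable by group or others"; rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    run_checks "$1"
    exit $?
fi
```

Run it as root (the key is not readable otherwise); a non-zero exit status means at least one check failed, and the output says which.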

I tested the SSL connection with Qualys SSL Labs; the result was A:

[Image: Qualys SSL Labs result]

Example Script

If you only want to try out Let’s Encrypt on a subdomain first, your configuration file could look like this (SSLEngine on is required, otherwise the vhost on port 443 serves plain HTTP):
<VirtualHost *:443>
    DocumentRoot /var/www/test

    ServerName example.com:443
    ServerAlias example.de:443
    ServerAlias www.example.com:443
    ServerAlias www.example.de:443

    # Without this the vhost on port 443 serves plain HTTP
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

    # Security Features
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
</VirtualHost>
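A small check for a VirtualHost file like the one above, as an added example that is not part of the post: it reads the configuration file named on the command line, strips comments and reports whether SSLEngine is on (without it the vhost on port 443 speaks plain HTTP), whether SSLProtocol still permits SSLv3, whether SSLHonorCipherOrder is set, and whether the certificate and key directives are present and point at readable files. It only looks at directive values, so apachectl configtest is still needed to validate the syntax.

```shell
#!/bin/sh
# Lints an Apache SSL VirtualHost file for the settings this post relies on.
# Added example, not the post's own script; it checks directive values only.
# Usage: sh check-vhost.sh /etc/apache2/sites-available/default-ssl.conf
set -u

# Prints the arguments of the last occurrence of directive $2 in file $1
# (comments stripped, directive name matched case-insensitively like Apache does).
directive_value() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        tolower($1) == tolower(n) { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }'
}

# 0 if the SSLProtocol argument string $1 cannot negotiate SSLv2 or SSLv3.
# An empty string is treated as Apache's default "all". SSLv2 is not built
# into modern OpenSSL, so only its explicit enabling is flagged.
protocol_ok() {
    all=0; on2=0; on3=0; off3=0
    for tok in $(printf '%s' "${1:-all}" | tr 'A-Z' 'a-z'); do
        case $tok in
            all|+all)     all=1 ;;
            sslv2|+sslv2) on2=1 ;;
            sslv3|+sslv3) on3=1 ;;
            -sslv3)       off3=1 ;;
        esac
    done
    [ "$on2" -eq 0 ] && [ "$on3" -eq 0 ] || return 1
    [ "$all" -eq 0 ] || [ "$off3" -eq 1 ]
}

# Reports on one vhost file; returns 1 if a hard failure was found.
check_vhost() {
    file=$1; rc=0
    engine=$(directive_value "$file" SSLEngine | tr 'A-Z' 'a-z')
    if [ "$engine" = on ]; then
        echo "ok    SSLEngine on"
    else
        echo "FAIL  SSLEngine on is missing; the vhost on :443 would speak plain HTTP"; rc=1
    fi
    if protocol_ok "$(directive_value "$file" SSLProtocol)"; then
        echo "ok    SSLProtocol disables SSLv3"
    else
        echo "FAIL  SSLProtocol still allows SSLv3 (POODLE)"; rc=1
    fi
    order=$(directive_value "$file" SSLHonorCipherOrder | tr 'A-Z' 'a-z')
    if [ "$order" = on ]; then
        echo "ok    SSLHonorCipherOrder on"
    else
        echo "WARN  SSLHonorCipherOrder is not on, so the client picks the cipher"
    fi
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        p=$(directive_value "$file" "$d")
        if [ -z "$p" ]; then
            echo "FAIL  $d is missing"; rc=1
        elif [ ! -r "$p" ]; then
            echo "WARN  $d points at $p, which is not readable from here"
        else
            echo "ok    $d -> $p"
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_vhost "$1"
    exit $?
fi
```

The paths are checked from the caller's point of view, so run it as root to see whether Apache will be able to read the key.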

Edit from 12.01.2016: The official documentation can be found here.

Update from 16.08.2016: The letsencrypt client is now called certbot. I haven’t tested it, but I believe the commands are mostly the same, only with certbot-auto instead of letsencrypt-auto.
