Getting started with Let's Encrypt SSL Certificates on Ubuntu
This tutorial will guide you through your very first configuration of an SSL website with Let's Encrypt certification. Let's Encrypt is a new SSL authority that provides free SSL certificates. We are going to use two existing tutorials (“How to setup an intermediate compatible SSL website with Let's Encrypt certificate” and “The Perfect Server - Ubuntu 15.10 (Wily Werewolf) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3”).
The setup described here is compatible with any Ubuntu LAMP server, so you can use this one as the basis setup too.
This tutorial will show you how to setup Let's Encrypt on Servers without ISPConfig 3 as there will be a direct implementation of the Let's Encrypt service in the next ISPConfig 3 release (version 3.1) soon. So if you plan to use ISPConfig, wait for the 3.1 release and also a new tutorial.
Creating the website
The 1st step is to create the website configuration and directory and enable SSL (Apache mod_ssl) for it. It's up to you if you use the default configuration for one website on a server or you plan to use multiple vhosts to host more than one domain. For more reliable and scalable usage, I'll create a vhost configuration for my “lab” domain isp1.cloudapp.net from Azure.
All vhosts are stored in the /etc/apache2/sites-available directory by default on Ubuntu and Debian. Run the following command to retrieve a list of existing vhost configuration files.
ls -l /etc/apache2/sites-available/
My output looks like this:
root@isp1:/home/falco# ls -l /etc/apache2/sites-available/
-rw-r–r– 1 root root 1332 May 20 2015 000-default.conf
-rw-r–r– 1 root root 6437 May 20 2015 default-ssl.conf
We can now use the “default” configuration file for cloning and edit it or we can use our own configuration. I prefer using my own configuration as I do that for many years, so let's create a new vhost by creating the file:
vi /etc/apache2/sites-available/isp1.cloudapp.net.conf
In this file paste, the following content:
<VirtualHost *:80> ServerName isp1.cloudapp.net ServerAlias www.isp1.cloudapp.net DocumentRoot /home/web/isp1.cloudapp.net/public_html ErrorLog /home/web/isp1.cloudapp.net/log/habdak.eu_error_log CustomLog /home/web/isp1.cloudapp.net/log/habdak.eu_access_log combinedScriptAlias /cgi-bin/ /home/web/isp1.cloudapp.net/cgi-bin/ DirectoryIndex index.html index.htm index.php index.php4 index.php5 <Directory /home/web/isp1.cloudapp.net/public_html> Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch Require all granted AddType application/x-httpd-php .php AddType application/json .json </Directory> <Directory /home/web/isp1.cloudapp.net/cgi-bin> allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch Require all granted </Directory> RemoveHandler .php RemoveHandler .php5 php_admin_value engine Off IPCCommTimeout 301 FcgidMaxRequestLen 1073741824 php_value memory_limit 128M php_value suhosin.session.encrypt Off </VirtualHost> <VirtualHost *:443> ServerName isp1.cloudapp.net ServerAlias www.isp1.cloudapp.net DocumentRoot /home/web/isp1.cloudapp.net/public_html ErrorLog /home/web/isp1.cloudapp.net/log/habdak.eu_error_log CustomLog /home/web/isp1.cloudapp.net/log/habdak.eu_access_log combined ScriptAlias /cgi-bin/ /home/web/isp1.cloudapp.net/cgi-bin/ DirectoryIndex index.html index.htm index.php index.php4 index.php5 <Directory /home/web/isp1.cloudapp.net/public_html > Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch Require all granted AddType application/x-httpd-php .php AddType application/json .json </Directory> <Directory /home/web/isp1.cloudapp.net/cgi-bin > allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch Require all granted </Directory> RemoveHandler .php RemoveHandler .php5 php_admin_value engine Off IPCCommTimeout 301 FcgidMaxRequestLen 1073741824 php_value memory_limit 128M php_value suhosin.session.encrypt Off SSLEngine on SSLCertificateFile /home/web/isp1.cloudapp.net /ssl.cert SSLCertificateKeyFile /home/web/isp1.cloudapp.net /ssl.key SSLCACertificateFile /home/web/isp1.cloudapp.net /ssl.ca SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLProtocol All -SSLv2 -SSLv3 SSLCompression off SSLHonorCipherOrder On </VirtualHost>
Replace the domain name with your domain wherever it occurs and save the file. To activate the configuration, run:
a2ensite isp1.cloudapp.net.conf
Now reate the folders for the website:
mkdir /home/web
mkdir /home/web/isp1.cloudapp.net
mkdir /home/web/isp1.cloudapp.net/public_html
mkdir /home/web/isp1.cloudapp.net/cgi-bin
mkdir /home/web/isp1.cloudapp.net/logs
Restart apache to apply the new configuration:
sudo service apache2 restart
Now we have to generate the certificate files.
Install Let's Encrypt and generate your first SSL Certificate
I prefer to use the root login for administration instead of running sudo before each command, so let's su to root user:
sudo su
Navigate to your roots home directory:
cd ~root
Install git for fetching the Let's Encrypt git repository files:
apt-get install git
Now clone the Let's Encrypt git repository:
git clone https://github.com/letsencrypt/letsencrypt.git letsencrypt
Navigate to your new letsencrypt folder:
cd letsencrypt
And request your SSL certificate:
./letsencrypt-auto certonly –webroot -w /home/web/isp1.cloudapp.net/public_html -d isp1.cloudapp.net
If you request a certificate for the master domain (1st level domain aka cloudapp.net) use -d parameter twice. With and without www prefix like this:
./letsencrypt-auto certonly –webroot -w /home/web/cloudapp.net/public_html -d cloudapp.net -d www.cloudapp.net
If you won't do this, the certificate won't be valid for visitors opening your site with www prefix.
You can also add other subdomains to one certificate. For example, if your subdomain admin.cloudapp.net matches the same site (the same folder on the server), you should add it to this certificate as well. Unfortunately, you can't use a wildcard like (*.cloudapp.net) with let's encrypt.
Let's Encrypt will automatically update all dependencies and guide you through its setup. All you need to do is wait for the prompt window asking you for your e-mail address. This address is used for recovering lost data only.
Your new keys are now stored in /etc/letsencrypt/ by default. We are going to link them to our website directory so we can manage the keys later.
ln -s /etc/letsencrypt/archive/isp1.cloudapp.net/cert1.pem /home/web/isp1.cloudapp.net/ssl.cert
ln -s /etc/letsencrypt/archive/isp1.cloudapp.net/chain1.pem /home/web/isp1.cloudapp.net/ssl.ca
ln -s /etc/letsencrypt/archive/isp1.cloudapp.net/privkey1.pem /home/web/isp1.cloudapp.net/ssl.key
Now you should be able to access your website with SSL. Let's Encrypt will automatically inform you about expiring certificates in time by sending you an e-mail to the address you have provided within the installation of Let's Encrypt.