Securing Apache with SSL Certificates from Let's Encrypt
Applicability: If you are hosting a web site with Apache, you may want to secure server/client communications and authenticate the server to its clients. Let's Encrypt is a free, automated, and open certificate authority sponsored by the ISRG. A certificate from Let's Encrypt enables you to implement HTTPS on your website. The Certbot ACME client is used to automate certificate issuance.
Required Environment: This guide assumes that you have already installed Apache and have implemented at least one website, and that the Let's Encrypt software and the Certbot ACME client can be installed using shell access to the server.
Installation Process: The basic steps to enable HTTPS on your website:
- Install Let's Encrypt
- Obtain certificates from LetsEncrypt
- Set up automation of certificate renewal
- Configure Apache for HTTPS
- Test your installation
Installing LetsEncrypt: Clone the Let's Encrypt GitHub repository into /opt/letsencrypt:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Obtain certificate from LetsEncrypt: Change to the Let's Encrypt directory (/opt/letsencrypt), stop Apache to free up port 80, and run Let's Encrypt with each domain name appended to the command (one -d per domain). The standalone authenticator answers the ACME challenge on port 80 itself, which is why Apache must not be listening. After you have obtained your certificate, restart Apache (stopping and starting Apache requires root, hence sudo):
cd /opt/letsencrypt
sudo /usr/sbin/apachectl -k graceful-stop
sudo -H ./letsencrypt-auto certonly --standalone -d example1.com -d example2.com
sudo /usr/sbin/apachectl start
Set up automation of certificate renewal: Configure crontab from your user account to run a script once a month that refreshes the certificates (the job must run with privileges sufficient to stop and start Apache). The script shuts down Apache, loads new certificates, and then restarts Apache.
cd ~
mkdir scripts
cd scripts
vi renewcert.sh
#!/bin/bash
# Free port 80 for the standalone ACME authenticator
/usr/sbin/apachectl -k graceful-stop
# Force renewal of the listed domains; keep the last 10 certbot log files
/opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default --max-log-backups 10 -d example1.com -d example2.com
# Bring Apache back up with the refreshed certificate files
/usr/sbin/apachectl start
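A hardened version of the renewal script above, added here as an example rather than taken from the guide: it checks the certificate's expiry with openssl before taking Apache offline, and it restarts Apache even when certbot fails. The certbot and apachectl paths, the live directory and the domain list are assumptions carried over from the guide's own commands.

```shell
#!/bin/bash
# Added example, not part of the original guide: renew only when the
# certificate is close to expiry, and always bring Apache back up.
# Paths and domains below are assumptions; adjust them to your host.
CERTBOT=/opt/letsencrypt/letsencrypt-auto
APACHECTL=/usr/sbin/apachectl
LIVE_DIR=/etc/letsencrypt/live
DOMAINS="example1.com example2.com"   # first name is the live/ directory name
THRESHOLD_DAYS=30                     # Let's Encrypt certificates last 90 days

# Return 0 (true) if CERT is missing or expires within DAYS days, else 1.
# openssl's -checkend exits 0 when the cert is still valid at that point in
# time, so its result is inverted here.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)); then
        return 1
    fi
    return 0
}

# Turn "a.com b.com" into "-d a.com -d b.com" for the certbot command line.
domain_args() {
    args=""
    for d in $1; do args="$args -d $d"; done
    echo "${args# }"
}

renew_all() {
    first=${DOMAINS%% *}
    if ! needs_renewal "$LIVE_DIR/$first/cert.pem" "$THRESHOLD_DAYS"; then
        echo "certificate for $first is not due for renewal"
        return 0
    fi
    # The standalone authenticator needs port 80, which Apache holds.
    "$APACHECTL" -k graceful-stop
    # Restart Apache on exit whether or not certbot succeeded, so an ACME
    # failure does not leave the site down until someone notices.
    trap '"$APACHECTL" start' EXIT
    "$CERTBOT" certonly --standalone --renew-by-default --max-log-backups 10 \
        $(domain_args "$DOMAINS")
}

# Run from cron as "renewcert.sh run"; with no argument only the functions are defined.
case "${1:-}" in
    run) renew_all ;;
esac
```

Because the script checks expiry first, the cron job can safely run daily or weekly instead of monthly, and a transient ACME failure will be retried on the next run while the site stays up.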
Configure Apache for HTTPS: Create a VirtualHost section for port 443 in your site's conf file in /etc/apache2/sites-enabled/example1.com.conf:
<VirtualHost *:443>
# Certificates and Keys
SSLEngine On
SSLCompression off
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/yourserver.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourserver.com/privkey.pem
# chain.pem holds only the intermediate(s); fullchain.pem (leaf plus chain) belongs in SSLCertificateFile on Apache 2.4.8+
SSLCertificateChainFile /etc/letsencrypt/live/yourserver.com/chain.pem
# RequestHeader set X-Forwarded-Proto https
# Admin email, Server Name (domain name), and any aliases
ServerAdmin you@yourserver.com
ServerName yourserver.com
ServerAlias www.yourserver.com
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html
DocumentRoot /var/www/yourserver.com/public_html
# Grant access to the document root only, never to "/" (the whole filesystem)
# On Apache 2.4 replace the two Order/Allow lines with: Require all granted
<Directory /var/www/yourserver.com/public_html>
Order allow,deny
Allow from all
</Directory>
<Location />
Order allow,deny
Allow from all
</Location>
# Log file locations
LogLevel warn
ErrorLog /var/www/yourserver.com/log/sslerror.log
CustomLog /var/www/yourserver.com/log/sslaccess.log combined
</VirtualHost>
Redirect any request for HTTP service on port 80 to HTTPS by adding a Redirect directive to the port-80 VirtualHost in your site's conf file in /etc/apache2/sites-enabled/example1.com.conf:
<VirtualHost *:80>
# Admin email, Server Name (domain name), and any aliases
ServerAdmin you@yourserver.com
ServerName yourserver.com
ServerAlias www.yourserver.com
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html
DocumentRoot /var/www/yourserver.com/public_html
# Trailing slash required: without it /page would redirect to https://yourserver.compage
Redirect permanent / https://yourserver.com/
# Log file locations
LogLevel warn
ErrorLog /var/www/yourserver.com/log/error.log
CustomLog /var/www/yourserver.com/log/access.log combined
</VirtualHost>
Test your installation: Access your web site from a browser both as an http site and as an https site to confirm that the redirect to HTTPS works. Try at least the following:
- https://yourURL.com
- http://yourURL.com
- yourURL.com
Most browsers will display a lock icon or some other unique icon just in front of your URL to indicate that it is secure. You should be able to view the certificate information by clicking on the icon. An example of the certificate information from the Safari browser is shown below: