
HTTPS with Let's Encrypt

24 Jun, 2020

Let's Encrypt is a service that issues certificates that a web server like Apache can use to secure connections with HTTPS.

It works by putting a special string at a particular location on your website and then visiting that location to check the string is correct. The idea is that if you weren't in control of the website you wouldn't be able to put the string in the right place.

Once the certificates are issued they need to be installed into the server and renewed before they expire.

Although it all sounds simple, in practice there are quite a few things that can go wrong, so I'd prefer to leave it to a specialist tool like mod_md. I showed how to install mod_md on Debian stable here.

You can now create a site configuration for mod_md at a bash terminal like this. Just set the variable DOMAIN to reflect your domain name.

export DOMAIN=my.example.com
cat << EOF | sudo tee /etc/apache2/conf-available/demo.conf
ServerName $DOMAIN
ServerAdmin postmaster@$DOMAIN

MDCertificateAgreement accepted
MDomain $DOMAIN
MDRequireHttps temporary

<VirtualHost *:443>
    ServerName $DOMAIN
    DocumentRoot /var/www/html

    SSLEngine on
    # no certificates specification

    <Location "/md-status">
      SetHandler md-status
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName $DOMAIN
</VirtualHost>
EOF

Make sure you have accepted the Let's Encrypt terms of service and set MDCertificateAgreement accepted to indicate so, and update ServerAdmin to the real email address of your Let's Encrypt account.

MDCertificateAgreement accepted
ServerAdmin postmaster@my.example.com
# Or you can use:
# MDContactEmail postmaster@my.example.com

As long as the domain you've specified really resolves to the server that Apache is running on (i.e. the server is live on the internet where you want it to be) then mod_md will go and create a certificate, install it and redirect all HTTP traffic to HTTPS. All the config files and certificates that it creates are stored in /etc/apache2/md in case you need to add them to your backups.

The special /md-status location serves a JSON feed of all the managed certificates and when they expire. Handy as a quick check, or as input for an automated monitoring tool.
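As an added example (not code from this post or from the mod_md project), here is a small Python checker for that JSON feed. It assumes the feed lists each managed domain under "managed-domains" with a "name" and, once a certificate has been issued, a "valid" object carrying an "until" timestamp in the RFC 2822 style Apache uses; the sample document embedded below is constructed to that shape, so compare it against the real output of your own mod_md version before relying on it.

```python
import json
import math
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample shaped like the /md-status JSON (the exact key layout differs
# between mod_md versions; the walker below only relies on a "name" per managed domain
# and on "valid": {"until": ...} objects wherever they appear). Not real mod_md output.
SAMPLE_MD_STATUS = json.dumps({
    "version": "sample",
    "managed-domains": [
        {"name": "my.example.com", "domains": ["my.example.com"], "state": 2,
         "cert": {"rsa": {"valid": {"from": "Wed, 24 Jun 2020 10:00:00 GMT",
                                    "until": "Tue, 22 Sep 2020 10:00:00 GMT"}}}},
        {"name": "old.example.com", "domains": ["old.example.com"], "state": 2,
         "cert": {"rsa": {"valid": {"from": "Mon, 01 Jun 2020 10:00:00 GMT",
                                    "until": "Wed, 01 Jul 2020 10:00:00 GMT"}}}},
        # A domain whose certificate has not been issued yet: no "valid" block at all.
        {"name": "new.example.com", "domains": ["new.example.com"], "state": 1},
    ],
})

# Fixed "now" so the sample report is reproducible (constructed value).
SAMPLE_NOW = datetime(2020, 6, 25, 10, 0, tzinfo=timezone.utc)


def parse_timestamp(text):
    """Parse an RFC 2822 date (the style Apache uses) or an ISO 8601 date."""
    try:
        dt = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    # Treat naive timestamps as UTC so they can be compared with an aware "now".
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def find_until(node):
    """Yield every "until" value found inside a "valid" object, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "valid" and isinstance(value, dict) and "until" in value:
                yield value["until"]
            else:
                yield from find_until(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_until(item)


def check_md_status(status_json, now, warn_days=14):
    """Map each managed domain name to (whole days left, status).

    status is OK, WARN (within warn_days of expiry), EXPIRED, or NO-CERT when the
    domain carries no certificate validity information yet. Where a domain has
    several certificates (e.g. RSA and ECDSA), the earliest expiry is reported.
    """
    report = {}
    for md in json.loads(status_json).get("managed-domains", []):
        expiries = [parse_timestamp(value) for value in find_until(md)]
        if not expiries:
            report[md["name"]] = (None, "NO-CERT")
            continue
        days_left = (min(expiries) - now) / timedelta(days=1)
        if days_left <= 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "WARN"
        else:
            status = "OK"
        report[md["name"]] = (math.floor(days_left), status)
    return report


if __name__ == "__main__":
    import sys
    import urllib.request

    # Usage: python md_check.py [https://my.example.com/md-status]
    # With a URL, fetch the live feed; otherwise report on the constructed sample.
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1]) as response:
            body, now = response.read().decode(), datetime.now(timezone.utc)
    else:
        body, now = SAMPLE_MD_STATUS, SAMPLE_NOW
    worst = 0
    for name, (days, status) in sorted(check_md_status(body, now).items()):
        print(f"{status:8} {name:30} {'-' if days is None else days} days left")
        worst = max(worst, {"OK": 0, "WARN": 1, "EXPIRED": 2, "NO-CERT": 2}[status])
    sys.exit(worst)  # non-zero exit lets cron or a monitoring wrapper raise an alert
```

Run it from cron with the URL of your own /md-status page and alert on a non-zero exit code. Because the handler answers any client that can reach the URL, the Location block is usually given a Require ip restriction so that only the monitoring host can read it.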

This configuration should also automatically renew the certificates.

Enable the configuration like this:

sudo a2enconf demo
sudo a2enmod md ssl
sudo a2dissite 000-default
sudo systemctl restart apache2

You can look at the logs to see the certificate process:

tail -f /var/log/apache2/error.log

If you forget to enable the ssl module you will see Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration in the logs.

If you forget to disable the default site you will see Error creating new account :: contact email "webmaster@localhost" has invalid domain : Domain name needs at least one dot, because mod_md will try to create the account using the ServerAdmin email from the 000-default site configuration.

Once everything is successful you'll see: The Managed Domain <your domain> been setup and changes will be activated on next (graceful) server restart.

If you access your domain now, the http version will successfully redirect to https but the connection will time out until you do the graceful restart the log message asks for:

sudo apachectl -k graceful

As long as you have set up a route to your domain, e.g. with an /etc/hosts entry like this:

cat << EOF | sudo tee -a /etc/hosts
127.0.0.1 $DOMAIN
EOF

you can now test access with:

curl -v https://$DOMAIN

Copyright James Gardner 1996-2020 All Rights Reserved.