
How to Deploy automatically renewing SSL certificates on Ubuntu and Debian

April 3, 2020 - by Zsolt Agoston - last edited on April 25, 2020

To see how to deploy a WordPress site from scratch, check out the previous article where we went through the process step by step. In this article we set up automatic HTTPS: every plain HTTP request is redirected to HTTPS, so all traffic between the connecting clients and our server is encrypted. That is essential for a webshop, where we handle credit card data and other sensitive information.

We start where we left off. Our new WP site is up and running, publicly accessible and served over unencrypted, plain HTTP.

Let's Encrypt provides free SSL certificates that are valid for 90 days; its agent, certbot, renews them automatically once they are within 30 days of expiry to ensure service continuity. We install certbot on the server, then request a certificate for our domain. The Apache plugin proves control of the domain with the http-01 challenge (Let's Encrypt fetches a token over port 80, so that port must stay reachable from the Internet, also after the redirect is in place) and configures the involved virtual hosts for us; we just check them after creation to make sure they work as intended.

# Install certbot and its Apache plugin on our Ubuntu box
# (on current Ubuntu and Debian releases the plugin package is named python3-certbot-apache)
apt-get install -y certbot python-certbot-apache
 
# Request the SSL cert for protectigate.com with the www.protectigate.com alias
# (--apache both answers the http-01 challenge and edits the virtual hosts for us)
certbot --apache -d protectigate.com -d www.protectigate.com

Going through the setup process as an example:

root@web:~# certbot --apache -d protectigate.com -d www.protectigate.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): info@opentechtips.com
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for protectigate.com
http-01 challenge for www.protectigate.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/protectigate-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/protectigate-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/protectigate-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/protectigate-le-ssl.conf
 
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/protectigate.conf to ssl vhost in /etc/apache2/sites-available/protectigate-le-ssl.conf
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://protectigate.com and
https://www.protectigate.com
 
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=protectigate.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.protectigate.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/protectigate.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/protectigate.com/privkey.pem
   Your cert will expire on 2020-07-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As the setup summary says, the current certificate files live in /etc/letsencrypt/live/protectigate.com (technically symlinks into /etc/letsencrypt/archive, which is why a renewal never needs an Apache config change). privkey.pem there is the server's private key: keep the directory root-only and keep any backup of /etc/letsencrypt encrypted. Now let's have a look at the changes the agent made to our virtual hosts. In /etc/apache2/sites-available we had only protectigate.conf before; now there is also a protectigate-le-ssl.conf generated by certbot.

drwxr-xr-x 8 root root 4096 Apr  2 12:26 ..
-rw-r--r-- 1 root root 1332 Jul 16  2019 000-default.conf
-rw-r--r-- 1 root root 6338 Jul 16  2019 default-ssl.conf
-rw-r--r-- 1 root root  321 Apr  2 12:26 protectigate.conf
-rw-r--r-- 1 root root  362 Apr  2 12:26 protectigate-le-ssl.conf

Opening protectigate.conf we see that the HTTP-to-HTTPS redirect is now in place. Note that the RewriteCond lines only match the two names certbot was asked for: a request that reaches port 80 with any other Host header (the bare IP address, for instance) is still served over plain HTTP from the DocumentRoot.

root@web:/etc/apache2/sites-available# cat protectigate.conf
<VirtualHost *:80>
            DocumentRoot /var/www/protectigate
            ServerName protectigate.com
            ServerAlias www.protectigate.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =protectigate.com [OR]
RewriteCond %{SERVER_NAME} =www.protectigate.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

The new protectigate-le-ssl.conf contains the TLS virtual host: it includes certbot's options-ssl-apache.conf (SSLEngine, protocol and cipher settings) and points Apache at the certificate chain and the private key that are needed for encrypted transfer.

<IfModule mod_ssl.c>
<VirtualHost *:443>
        DocumentRoot /var/www/protectigate
        ServerName protectigate.com
        ServerAlias www.protectigate.com
 
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/protectigate.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/protectigate.com/privkey.pem
</VirtualHost>
</IfModule>
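The article says we should check the generated virtual hosts after creation. The following is an added example for that check and is not certbot's own code: it parses the two vhost texts printed above (embedded here as constructed strings so it runs offline) and verifies the properties this setup relies on: port 80 permanently redirects every expected name to https://, and port 443 includes certbot's TLS options file and serves the fullchain.pem / privkey.pem pair from one /etc/letsencrypt/live lineage. On a server you would feed it the real files with open(...).read() instead of the embedded strings.

```python
"""Sanity-check the vhost pair certbot's Apache plugin leaves behind (added example,
not part of certbot).  parse_vhosts() is a minimal parser for the directives certbot
writes; audit() returns a list of problems, empty when the layout is as expected."""
import re

# The two configs printed in the article, embedded as constructed sample input.
HTTP_VHOST = """<VirtualHost *:80>
            DocumentRoot /var/www/protectigate
            ServerName protectigate.com
            ServerAlias www.protectigate.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =protectigate.com [OR]
RewriteCond %{SERVER_NAME} =www.protectigate.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""

SSL_VHOST = """<IfModule mod_ssl.c>
<VirtualHost *:443>
        DocumentRoot /var/www/protectigate
        ServerName protectigate.com
        ServerAlias www.protectigate.com

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/protectigate.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/protectigate.com/privkey.pem
</VirtualHost>
</IfModule>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(text):
    """{listen_spec: {directive_lowercased: [args, ...]}} for every <VirtualHost> in text."""
    vhosts = {}
    for m in VHOST_RE.finditer(text):
        directives = {}
        for line in m.group(2).splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
        vhosts[m.group(1).strip()] = directives
    return vhosts


def check_http_vhost(d, expected):
    """Port 80 must do nothing but permanently redirect every expected name to https://."""
    problems = []
    if [a.lower() for a in d.get("rewriteengine", [])] != ["on"]:
        problems.append("port 80: RewriteEngine is not on")
    covered = {c.split()[1][1:] for c in d.get("rewritecond", [])
               if c.startswith("%{SERVER_NAME} =")}
    for name in sorted(expected - covered):
        problems.append(f"port 80: {name} has no RewriteCond, so it keeps answering over plain HTTP")
    for rule in d.get("rewriterule", [""]):   # no rule at all -> "" -> reported as a missing target
        parts = rule.split() + ["", "", ""]
        if not parts[1].startswith("https://"):
            problems.append(f"port 80: RewriteRule target {parts[1]!r} is not https://")
        if not set(parts[2].strip("[]").split(",")) & {"R=permanent", "R=301"}:
            problems.append("port 80: redirect is not permanent (use R=permanent or R=301)")
    return problems


def check_ssl_vhost(d, expected):
    """Port 443 must carry the same names, certbot's TLS options and the live/ fullchain + privkey pair."""
    problems = []
    found = set(d.get("servername", []) + d.get("serveralias", []))
    if found != expected:
        problems.append(f"port 443: names {sorted(found)} differ from expected {sorted(expected)}")
    if not any(a.endswith("options-ssl-apache.conf") for a in d.get("include", [])):
        problems.append("port 443: certbot's options-ssl-apache.conf (SSLEngine, protocols, ciphers) is not included")
    cert, key = d.get("sslcertificatefile", [""])[0], d.get("sslcertificatekeyfile", [""])[0]
    # cert.pem is the leaf alone; fullchain.pem adds the intermediate that clients need to build the chain
    if not cert.endswith("/fullchain.pem"):
        problems.append(f"port 443: SSLCertificateFile {cert!r} should be live/<domain>/fullchain.pem")
    if not key.endswith("/privkey.pem"):
        problems.append(f"port 443: SSLCertificateKeyFile {key!r} should be live/<domain>/privkey.pem")
    if cert.rsplit("/", 1)[0] != key.rsplit("/", 1)[0]:
        problems.append("port 443: certificate and key are taken from different lineages")
    return problems


def audit(http_text, ssl_text, expected_names):
    """All problems found in the pair; empty means the layout matches what certbot should have produced."""
    expected, problems = set(expected_names), []
    http = parse_vhosts(http_text).get("*:80")
    ssl = parse_vhosts(ssl_text).get("*:443")
    problems += check_http_vhost(http, expected) if http is not None else ["no <VirtualHost *:80> found"]
    problems += check_ssl_vhost(ssl, expected) if ssl is not None else ["no <VirtualHost *:443> found"]
    return problems


if __name__ == "__main__":
    found = audit(HTTP_VHOST, SSL_VHOST, {"protectigate.com", "www.protectigate.com"})
    print("\n".join(found) or "OK: vhosts match the expected certbot layout")
```

The check is deliberately strict about fullchain.pem: pointing SSLCertificateFile at cert.pem (the leaf alone) passes `apachectl configtest` but leaves clients that do not cache the intermediate with an incomplete chain, which is one of the more common causes of a "works in my browser, fails elsewhere" report after a manual edit.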

Furthermore, the package installed a scheduled job that runs certbot renew twice a day. Each run is a no-op until a certificate is within 30 days of expiry; at that point it is renewed and the Apache plugin reloads the web server, so we do not need to worry about it. Note the \! -d /run/systemd/system test in the cron entry below: on a systemd system (every current Ubuntu and Debian release) the cron job deliberately exits without doing anything and the same renewal is driven by the certbot.timer systemd unit instead, so when debugging look at that timer (systemctl list-timers certbot.timer) rather than at cron. Two checks worth running right after deployment: certbot renew --dry-run exercises the whole renewal against the Let's Encrypt staging environment without touching the live certificate, and apachectl configtest confirms the generated vhosts parse. If a certificate is still not renewed 20 days before expiry, Let's Encrypt sends a reminder to the registration email address entered during setup; treat that mail as a last resort rather than as monitoring (Let's Encrypt stopped sending these expiry emails in June 2025), and keep an eye on the expiry date yourself.

root@web:/etc/cron.d# cat certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
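The renewal schedule above only works if somebody notices when it stops working. The following is an added example, not certbot's or Let's Encrypt's code: a small monitoring helper that turns a certificate's notAfter date (in the format openssl x509 -enddate prints) into the state the scheduled renewal is in, using the 30-day renewal window and the 20-day reminder threshold from the text. read_not_after() and check_live_cert() shell out to openssl on a real server; everything else is pure and runs offline on a constructed sample built from the article's 2020-07-01 expiry date (the time of day is an assumption).

```python
"""Classify a certificate's remaining lifetime the way certbot's scheduled renew
sees it (added monitoring example, not part of certbot or Let's Encrypt)."""
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_WINDOW_DAYS = 30   # certbot's default renew_before_expiry
ALERT_DAYS = 20          # the 20-day reminder mark from the article: past here renewal has failed

# Constructed sample in openssl's output format; date from the article, time of day assumed.
SAMPLE_NOT_AFTER = "notAfter=Jul  1 12:00:00 2020 GMT"


def parse_not_after(line):
    """'notAfter=Jul  1 12:00:00 2020 GMT' (as printed by openssl x509 -enddate -noout) -> aware UTC datetime.
    The 'notAfter=' prefix is optional and runs of spaces are collapsed."""
    value = line.split("=", 1)[-1]
    stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
    return stamp.replace(tzinfo=timezone.utc)


def renewal_status(not_after_line, now):
    """(status, days_left) with status one of:
    ok        more than 30 days left: 'certbot renew' does nothing yet
    renewing  inside the 30-day window: the next scheduled run should replace it
    alert     20 days or less and still not replaced: automatic renewal is failing, intervene
    expired   notAfter is in the past"""
    left = (parse_not_after(not_after_line) - now).total_seconds() / 86400
    if left <= 0:
        return "expired", left
    if left <= ALERT_DAYS:
        return "alert", left
    if left <= RENEW_WINDOW_DAYS:
        return "renewing", left
    return "ok", left


def status_days_before_expiry(not_after_line, days):
    """Convenience: the status as seen `days` days before notAfter (negative = after expiry)."""
    return renewal_status(not_after_line, parse_not_after(not_after_line) - timedelta(days=days))


def read_not_after(pem_path):
    """notAfter line of a PEM certificate via openssl (runs on the server; not used offline)."""
    proc = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", pem_path],
                          check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def check_live_cert(domain, now=None):
    """Status of the leaf in /etc/letsencrypt/live/<domain>/ (cert.pem; fullchain.pem starts with the same leaf)."""
    line = read_not_after(f"/etc/letsencrypt/live/{domain}/cert.pem")
    return renewal_status(line, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    for days in (60, 29, 15, -1):
        print(f"{days:>4} days before expiry:", status_days_before_expiry(SAMPLE_NOT_AFTER, days))
```

Wire check_live_cert("protectigate.com") into whatever already alerts you (Nagios, a cron job that mails on "alert" or "expired", a metrics exporter) and the failure mode this page otherwise leaves to a reminder email, a renewal that silently fails for weeks, becomes visible ten days before it matters.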

The site now defaults to HTTPS 🙂 As a final check, run the SSL Labs test linked in the certbot summary and confirm (for example with curl -I) that both http://protectigate.com and http://www.protectigate.com answer with a 301 to their https:// counterparts.
