How to Deploy automatically renewing SSL certificates on Ubuntu and Debian

To see how to deploy a WordPress site from scratch please check out this previous article where we went through the process step by step. In this article we set up automatic HTTPS, that means all the HTTP requests are redirected also to make sure all traffic is encrypted between the connecting clients and our server - that is extremely important if we have a webshop ,where we handle credit card- and other sensitive information.

We start were we left off. Our new WP site is up and running, publicly accessible and using unencrypted, plain HTTP as seen below.

How to Deploy automatically renewing SSL certificates on Ubuntu and Debian

Let’s Encrypt provides free SSL certificates that are valid for 3 month and their agent automatically renews them 30 days before expiry to ensure service continuity. We proceed to install the certbot agent on the server, then request the certificate for our domain. The agent will configure the involved virtual hosts for us, we just check them after creation to make sure they function as intended.

# Install certbot on our ubuntu box

apt-get install -y certbot python-certbot-apache

# Request the SSL cert for protectigate.com with the www.protectigate.com alias

certbot --apache -d protectigate.com -d www.protectigate.com

Going through the setup process as an example:

root@web:~# certbot --apache -d protectigate.com -d www.protectigate.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): info@opentechtips.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: N

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for protectigate.com

http-01 challenge for www.protectigate.com

Enabled Apache rewrite module

Waiting for verification...

Cleaning up challenges

Created an SSL vhost at /etc/apache2/sites-available/protectigate-le-ssl.conf

Enabled Apache socache_shmcb module

Enabled Apache ssl module

Deploying Certificate to VirtualHost /etc/apache2/sites-available/protectigate-le-ssl.conf

Enabling available site: /etc/apache2/sites-available/protectigate-le-ssl.conf

Deploying Certificate to VirtualHost /etc/apache2/sites-available/protectigate-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: No redirect - Make no further changes to the webserver configuration.

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Enabled Apache rewrite module

Redirecting vhost in /etc/apache2/sites-enabled/protectigate.conf to ssl vhost in /etc/apache2/sites-available/protectigate-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations! You have successfully enabled https://protectigate.com and

https://www.protectigate.com

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=protectigate.com

https://www.ssllabs.com/ssltest/analyze.html?d=www.protectigate.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/protectigate.com/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/protectigate.com/privkey.pem

Your cert will expire on 2020-07-01. To obtain a new or tweaked

version of this certificate in the future, simply run certbot again

with the "certonly" option. To non-interactively renew *all* of

your certificates, run "certbot renew"

- Your account credentials have been saved in your Certbot

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Certbot so

making regular backups of this folder is ideal.

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

As the setup summary says we have the current certificates (technically symlinks to them) in /etc/letsencrypt/live/protectigate.com. Now have a look on the changes the agent has made to our virtual host. In /etc/apache2/sites-available we had only protectigate.conf before, now we have a protectigate-le-ssl.conf automatically generated by certbot.

drwxr-xr-x 8 root root 4096 Apr 2 12:26 ..
-rw-r–r– 1 root root 1332 Jul 16 2019 000-default.conf
-rw-r–r– 1 root root 6338 Jul 16 2019 default-ssl.conf
-rw-r–r– 1 root root 321 Apr 2 12:26 protectigate.conf
-rw-r–r– 1 root root 362 Apr 2 12:26 protectigate-le-ssl.conf

Opening the protectigate.conf we see that forwarding HTTP to HTTPS is set now.

root@web:/etc/apache2/sites-available# cat protectigate.conf

DocumentRoot /var/www/protectigate

ServerName protectigate.com

ServerAlias www.protectigate.com

RewriteEngine on

RewriteCond %{SERVER_NAME} =protectigate.com [OR]

RewriteCond %{SERVER_NAME} =www.protectigate.com

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

The new protectigate-le-ssl.conf file contain the inclusions and certificate details which is needed for the secure data transfer

DocumentRoot /var/www/protectigate

ServerName protectigate.com

ServerAlias www.protectigate.com

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/protectigate.com/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/protectigate.com/privkey.pem

</VirtualHost>

</IfModule>

Furthermore, the agent created a cron job, that checks every 12 hours if the certificates are going to expire and if so, renews them automatically so we won’t need to worry about it. If the cert is not renewed on time (which is 30 days before the end of validity), 20 days before expiry an email will be sent out to us from the central Let’s Encrypt center to notify us and give us time to rectify issues.

root@web:/etc/cron.d# cat certbot

# /etc/cron.d/certbot: crontab entries for the certbot package

# Upstream recommends attempting renewal twice a day

# Eventually, this will be an opportunity to validate certificates

# haven't been revoked, etc. Renewal will only occur if expiration

# is within 30 days.

SHELL=/bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

The site defaults to HTTPS as we see now 🙂

Reader Interactions

Comments Cancel reply