Tuesday, June 16, 2020

Updating SSL Certificate


Setting up SSL Certificates used to be scary. No more. LetsEncrypt provides FREE SSL certs and an easy way to install and renew them. It's provided by the Internet Security Research Group, a non-profit. They do this for the public benefit, and because it used to be so expensive and so much trouble to setup HTTP over SSL.
Basically they assume that if you have root access to your server, you are authorized to install a SSL cert for the server to use. Here's how I setup SSL on a server that had an old expired certificate:

On the certbot site, https://certbot.eff.org, there is a part of the page that says: "My HTTP website is running X on Y". X and Y are pulldowns.

I selected X=Apache, Y=Ubuntu 16.04. This took me to the installation instructions I show below.

Installing cerbot IF running Ubuntu 16.04

Instructions are given on the certbot site.
sudo apt-get udpate
 apt-get update
 apt-get install software-properties-common
 add-apt-repository universe
 add-apt-repository ppa:certbot/certbot
 apt-get update
 apt-get install certbot python3-certbot-apache

Running certbot on the server:

ssh rad

Then run "certbot --apache" as shown below:

root@RAD:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): daspears3000@yahoo.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxxxxx.com
2: www.xxxxxx.com
3: ....

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1,2,3,4
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxxx.com
http-01 challenge for xxxxx.com
http-01 challenge for www.xxxxxx.com
http-01 challenge for www.xxxxxx.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-enabled/000-default.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://names of my various sites

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xxxxx.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.xxxxxx.com
....
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxxxxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxxxx.com/privkey.pem
Your cert will expire on 2020-09-02. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate, Donating to EFF: https://eff.org/donate-le

root@RAD:~#

If running Ubuntu 14.04 you have to do this instead:

- cd /usr/local/sbin
- sudo wget https://dl.eff.org/certbot-auto
- sudo chmod a+x /usr/local/sbin/certbot-auto

certbot-auto --apache -d name-of-site.com
Image by Nathan Anderson, CC-BY-SA 2.0

Post a Comment