HTTPS SSL LetsEncrypt with Apache and ACME.sh

I figured I would write this guide for getting a free SSL certificate from the popular https://letsencrypt.org organization, having set it up for this website in exactly this way.

Part of this guide is from https://github.com/Neilpang/acme.sh which is the script I’ll be using to automate the SSL certificate registration with letsencrypt servers.

However, at the time of writing its documentation is written for Nginx, so Apache users need to go find additional information. Here I provide some of that. The server is also running Ubuntu Linux, so some of the later commands may differ on other distributions.

Let's start...

apt-get install openssl

mkdir /etc/apache2/ssl/
cd /etc/apache2/ssl/

wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh

Add as many subdomains as you want with -d <sub-domain>.<domain>

./acme.sh --issue -d <domain> -d www.<domain> -w /var/<example path to www files>/public_html

Make sure SSL is enabled for Apache using the quick command

a2enmod ssl

or if on CentOS...

yum install mod_ssl

Now find where your vhost file is stored. I personally use Sentora, which stores the Apache virtual hosts config at /etc/sentora/configs/apache/httpd-vhosts.conf

For a default Apache install it will be located at /etc/apache2/sites-available/

Find the .conf that has your website settings…

Look for the line "Listen 80" and make sure "Listen 443" is also written somewhere in your Apache conf, usually at the top of the file, now that you are going to be using SSL, which by default is port 443. It saves a lot of future troubleshooting trying to figure out why HTTPS isn't working even though you've completed the certificate registration and setup: debugging with OpenSSL, for example "openssl s_client -connect localhost:443 -state -debug", will just return connection refused.

My example conf for this domain. Notice that even though this isn't in the specific SSL conf that Apache provides, I still wrap the virtual host info taken from the *:80 entries and put it inside <IfModule mod_ssl.c> tags. This way, if the SSL module isn't loaded with Apache, you won't get errors about SSLEngine etc. from this config. I prefer all the entries for a website in one location; using Sentora also makes this setup a little different from a normal Apache conf, but it is still relatively the same...

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <domain>
ServerAlias www.<domain>
ServerAdmin admin@<domain>

SSLEngine On
SSLCertificateFile "/etc/apache2/ssl/<domain>.cert.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/<domain>.key.pem"
# CA certificate from https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
SSLCertificateChainFile "/etc/apache2/ssl/<domain>.fullchain.pem"

# SSL config according to https://bettercrypto.org/static/applied-crypto-hardening.pdf
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
#Header always add Strict-Transport-Security "max-age=15768000"
#SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

DocumentRoot "/var/sentora/hostdata/<user>/public_html/"
php_admin_value open_basedir "/var/sentora/hostdata/<user>/public_html/:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/<user>/<domain>-error_s.log"
CustomLog "/var/sentora/logs/domains/<user>/<domain>-access_s.log" combined
CustomLog "/var/sentora/logs/domains/<user>/<domain>-bandwidth_s.log" common
<Directory "/var/sentora/hostdata/<user>/public_html/">
Options +FollowSymLinks -Indexes
AllowOverride All
Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 510 /_errorpages/510.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)
</VirtualHost>
# The IfModule block opened above must be closed, otherwise Apache refuses the config
</IfModule>


After setting up the Apache conf file, just run this command...

acme.sh --install-cert -d <domain> \
--cert-file /etc/apache2/ssl/<domain>.cert.pem \
--key-file /etc/apache2/ssl/<domain>.key.pem \
--fullchain-file /etc/apache2/ssl/<domain>.fullchain.pem \
--reloadcmd "service apache2 force-reload"

Apache should be reloaded automatically by the above command along with the conf addition; if you need to make further changes, use the command below to restart Apache...

service apache2 restart

That should be it: the https:// version of your site, and its subdomains if configured properly, should get a shiny padlock in the web browser URL bar.

Every 3 months the SSL certificate from letsencrypt.org will expire, so be sure to run the command below beforehand. You could set it up in a cron job for automatic renewal, however I do not recommend that, as the renewal process can sometimes fail. It's best to do it manually, where you can check the errors and fix them, instead of finding out it failed when one of your sites has no valid HTTPS cert working.

acme.sh --renew -d <domain>
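To make that manual check less error-prone, here is an added check script (not from the post or from acme.sh) that combines the openssl s_client connection test with the renewal reminder: it connects to the site, lets Python's default trust store verify the chain, confirms every ServerName/ServerAlias entry is in the certificate's SAN, and reports the days left before expiry. The hostnames, the sample certificate dict and the 30-day threshold are assumptions.

```python
# Added check for the certificate Apache now serves (not from the post or acme.sh):
# it performs the post's "openssl s_client -connect" test from Python, lets the default
# trust store verify the chain, then checks SAN coverage of the vhost names and expiry.
import socket
import ssl
import time

RENEW_THRESHOLD_DAYS = 30  # assumed: renew when under a month of the ~90-day lifetime is left

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output, for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "May 30 00:00:00 2024 GMT",
}

def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, as a set."""
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}

def name_covered(name, san):
    """True if the SAN lists the name itself or a single-label wildcard for it."""
    if name in san:
        return True
    parts = name.split(".", 1)
    return len(parts) == 2 and "*." + parts[1] in san

def missing_names(cert, names):
    """ServerName/ServerAlias entries the certificate does not cover."""
    san = san_dns_names(cert)
    return [n for n in names if not name_covered(n, san)]

def days_until_expiry(cert, now_ts=None):
    """Whole days left before notAfter (epoch seconds); negative once expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = time.time() if now_ts is None else now_ts
    return int((expires - now_ts) // 86400)

def needs_renewal(cert, now_ts=None):
    """True when the post's manual 'acme.sh --renew' step is due."""
    return days_until_expiry(cert, now_ts) < RENEW_THRESHOLD_DAYS

def fetch_cert(host, port=443):
    """Fetch the live cert; hostname and chain are verified by the default context."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    host, names = sys.argv[1], sys.argv[2:] or [sys.argv[1], "www." + sys.argv[1]]
    live = fetch_cert(host)  # raises ssl.SSLCertVerificationError on a bad chain or name
    print("missing from SAN:", missing_names(live, names), "| days left:", days_until_expiry(live),
          "| renew now" if needs_renewal(live) else "| ok")
```

Run it as "python3 checkcert.py <domain> <domain> www.<domain>" after the install-cert step; a verification error or a missing name means the padlock will not appear for that host.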

For the mainstream user, seeing an https version of the website 'feels' safe. SSL certificates vary in price and encryption strength, which for an ecommerce website might actually matter. For the everyday website the free services of letsencrypt.org do at least help raise security standards and are probably resulting in lower prices for getting an SSL certificate elsewhere. Personally, I think they are worthless when you have no reason to trust the organizations behind them. I think of it as pseudo security: the current internet is inherently unsafe at the top tier, where the level of organization, sophistication and backdoor tooling can make all this SSL stuff seem pointless for privacy or security.

Still, an http-only site leaves things a lot more open on the security/privacy front. And not having a secured https version of your website at all may, for today's more internet-savvy and semi security/privacy-conscious users, be seen as lazy for not attempting to improve it.

Anyway, a useful site outside of the Firefox/Chrome in-browser developer tools to check the site for any links that aren't secure is https://www.whynopadlock.com/
