Deploy Let's Encrypt SSL certificates
With the non-profit certificate authority Let's Encrypt, it is possible to get free HTTPS certificates.
Certificates expire after 3 months, but renewal is automatic.
Browsers accept these certificates without needing to install CA certificates.
Basic software installation and generic configuration:
Trust is based on domain validation: to prove you control the web server, the Let's Encrypt server must be able to fetch, over plain HTTP, a randomly generated key that the client places at a dedicated URL on your site.
To enable this on a MasonSQL installation you must add some directives to the application's config file so that a URL like the following is served:
http://myapp.server.domain/.well-known/acme-challenge/[very_long_key]
Enable the rewrite module:
a2enmod rewrite
This configuration example (Apache 2.4) redirects all HTTP traffic to HTTPS, except the /.well-known/acme-challenge directory, which must stay reachable over plain HTTP:
<VirtualHost *:80>
    ServerName myapp.server.domain
    ServerAdmin support@server.domain
    DocumentRoot /opt/masonsql/htdocs/

    # Redirect every HTTP request to HTTPS, keeping the requested path,
    # except the ACME challenge directory
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://myapp.server.domain%{REQUEST_URI} [L,R=301]

    # Deny filesystem access by default (Apache 2.4 authorization syntax)
    <Directory />
        Require all denied
    </Directory>

    # Allow only the challenge files, served as plain static files
    <Location /.well-known/acme-challenge>
        Require all granted
        SetHandler default-handler
    </Location>
</VirtualHost>
Then the Let's Encrypt server can read the key and trust the server.
Installing Let's Encrypt Client Software:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot
Creating the SSL certificate:
Case with DocumentRoot = /opt/masonsql/htdocs:
sudo mkdir -p /opt/masonsql/htdocs/.well-known/acme-challenge
sudo chmod -R 750 /opt/masonsql/htdocs/.well-known
sudo chown -R root:www-data /opt/masonsql/htdocs/.well-known
sudo certbot certonly --webroot -w /opt/masonsql/htdocs/ -d myapp.server.domain
If you use the default site, the document root is probably:
DocumentRoot = /var/www
Use that path with -w instead. Once the certificate has been issued, set the paths of the key and the certificates in your Apache config file (e.g.
/opt/myapp/etc/apache2.myapp.server.domain.conf):
# On Apache 2.2
SSLCertificateFile /etc/letsencrypt/live/myapp.server.domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myapp.server.domain/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/myapp.server.domain/chain.pem
# On Apache 2.4
SSLCertificateFile /etc/letsencrypt/live/myapp.server.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myapp.server.domain/privkey.pem
To renew the certificate automatically, add to the /etc/crontab file:
# --- Renew Let's Encrypt SSL certificates ---
# certbot renew only replaces certificates that are within 30 days of expiry,
# so run it daily: a run every 2 months can miss that window and let a certificate expire.
# The post-hook reloads Apache only when a certificate was actually renewed.
45 03 * * * root certbot renew --quiet --post-hook "/etc/init.d/apache2 reload"