Deploy Let's Encrypt SSL certificates

With the non-profit certificate authority Let's Encrypt, it is possible to get free HTTPS certificates.
Certificates expire after 3 months, but renewal is automatic.
Browsers accept these certificates without any need to install additional CA certificates.

Basic software installation and generic configuration:

Trust is based on domain validation: to prove that you control the web server, the Let's Encrypt server must be able to fetch, from a dedicated URL on that server, a token randomly generated by the client.
To enable this on a MasonSQL installation you must add some directives to the application's config file so that a URL like http://myapp.server.domain/.well-known/acme-challenge/[very_long_key] is served.

Enable rewrite module:
a2enmod rewrite

This configuration example (Apache 2.4) redirects all HTTP traffic to HTTPS, preserving the requested path, except for the /.well-known/acme-challenge directory:
<VirtualHost *:80>
    ServerName myapp.server.domain
    ServerAdmin support@server.domain
    DocumentRoot /opt/masonsql/htdocs/
    RewriteEngine on
    # Leave the ACME challenge path on plain HTTP; redirect everything else to HTTPS
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://myapp.server.domain%{REQUEST_URI} [L,R=301]
    # Apache 2.4 access control: deny everything by default ...
    <Directory />
        Require all denied
    </Directory>
    # ... and grant anonymous access only to the challenge directory
    <Location /.well-known/acme-challenge>
        Require all granted
        SetHandler default-handler
    </Location>
</VirtualHost>

The Let's Encrypt server can then read the token and validate the server.
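A pre-flight check for the configuration above, added here as an example (it is not part of the MasonSQL page): it writes a throwaway token into the challenge directory, confirms the token is served over plain HTTP with status 200 (i.e. the RewriteCond exception works), and confirms that any other HTTP path is redirected to https:// on the same host. It assumes the hostname and webroot below, that the challenge directory already exists and is writable by the user running it, and that curl is installed.

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 webroot setup (added example, not from the page).
# Assumptions: DOMAIN/WEBROOT as below, the vhost above is loaded, curl is available.
DOMAIN="${DOMAIN:-myapp.server.domain}"
WEBROOT="${WEBROOT:-/opt/masonsql/htdocs}"

# A challenge reply is good only if the token comes back verbatim with status 200,
# i.e. the request was not caught by the HTTP->HTTPS RewriteRule.
check_challenge_reply() {   # $1=token written to disk, $2=HTTP status, $3=body
  [ "$2" = "200" ] && [ "$3" = "$1" ]
}

# Every other HTTP path must be a permanent redirect to https:// on this host.
check_redirect_reply() {    # $1=HTTP status, $2=resolved Location URL
  case "$1" in 301|308) ;; *) return 1 ;; esac
  case "$2" in "https://$DOMAIN/"*) return 0 ;; *) return 1 ;; esac
}

run_checks() {
  dir="$WEBROOT/.well-known/acme-challenge"
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf '%s' "$token" > "$dir/$token" || { echo "cannot write to $dir"; return 1; }
  status=$(curl -s -o "/tmp/acme_body.$$" -w '%{http_code}' \
           "http://$DOMAIN/.well-known/acme-challenge/$token")
  body=$(cat "/tmp/acme_body.$$"); rm -f "/tmp/acme_body.$$" "$dir/$token"
  if check_challenge_reply "$token" "$status" "$body"; then
    echo "OK: challenge directory is served over plain HTTP"
  else
    echo "FAIL: challenge URL returned status $status"; return 1
  fi
  status=$(curl -s -o /dev/null -w '%{http_code}' "http://$DOMAIN/index.html")
  location=$(curl -s -o /dev/null -w '%{redirect_url}' "http://$DOMAIN/index.html")
  if check_redirect_reply "$status" "$location"; then
    echo "OK: other paths redirect to $location"
  else
    echo "FAIL: /index.html gave status $status, location '$location'"; return 1
  fi
}

# Only contact the server when explicitly asked:  sh check_acme.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```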

Installing Let's Encrypt Client Software:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot

Creating the SSL certificate:

Case with DocumentRoot = /opt/masonsql/htdocs:
sudo mkdir -p /opt/masonsql/htdocs/.well-known/acme-challenge
sudo chmod -R 750 /opt/masonsql/htdocs/.well-known
sudo chown -R root:www-data /opt/masonsql/htdocs/.well-known
sudo certbot certonly --webroot -w /opt/masonsql/htdocs/ -d myapp.server.domain

If you use the default site, the document root is probably DocumentRoot = /var/www

Then you must change the paths of the key and the certificates in your Apache config file (e.g. /opt/myapp/etc/apache2.myapp.server.domain.conf):
# On Apache 2.2
SSLCertificateFile /etc/letsencrypt/live/myapp.server.domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myapp.server.domain/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/myapp.server.domain/chain.pem
# On Apache 2.4
SSLCertificateFile /etc/letsencrypt/live/myapp.server.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myapp.server.domain/privkey.pem

To renew the certificate automatically, add the following to the /etc/crontab file:
# --- Renew Let's Encrypt SSL certificates ---
# renew every 2 months on the 8th day at 03:45
45 03 8 */2 * root certbot renew; /etc/init.d/apache2 reload
Note that certbot renew only replaces certificates that are close to expiry and is otherwise a no-op, so it is safe to schedule it more frequently than every two months; a more frequent run also gives a failed attempt time to be retried before the 3-month expiry.
Topic revision: r15 - 08 Sep 2023, GuidoBrugnara