06.02.2021
Validate & Test #
Check the OS with lsb_release -a
> Debian GNU/Linux 9.12 (stretch) / Debian GNU/Linux 10 (buster)
Test SSL: https://www.whynopadlock.com | https://crt.sh/?q=www.inetone.de
Disable TLS 1.0/1.1 #
Edit both config files and set the "SSLProtocol" parameter:
/etc/apache2/mods-enabled/ssl.conf
/etc/letsencrypt/options-ssl-apache.conf
SSLProtocol TLSv1.2
Note: a bare "TLSv1.2" enables only TLS 1.2, so TLS 1.3 (available on buster with OpenSSL 1.1.1) stays off as well; "SSLProtocol -all +TLSv1.2 +TLSv1.3" keeps the legacy versions off and allows 1.3. options-ssl-apache.conf is shipped by certbot; once you edit it by hand, certbot no longer updates it automatically and instead logs a hint pointing to its newer version of the file.
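An added example, my own script rather than anything from this page or from the Apache/certbot projects: it audits the SSLProtocol directives in a config file the way Apache reads them (left to right, "all" enables everything, "+X"/"X" adds, "-X" removes) and flags any directive that still lets SSLv3, TLS 1.0 or TLS 1.1 through. The config snippets it runs on are constructed here; the file paths and the host name in the live probe are assumptions, not this server's.

```shell
#!/bin/sh
# Added example, not from the original page: audit SSLProtocol directives and
# probe a live server for the TLS versions it still accepts.

# Decide whether one SSLProtocol directive (its tokens, as Apache sees them)
# permits only TLS 1.2 and/or TLS 1.3.  Returns 0 (strict) or 1 (a legacy
# version is still reachable, or nothing usable is enabled at all).
sslprotocol_is_strict() {
    enabled=""
    for tok in "$@"; do
        case "$tok" in
            all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
            -all)     enabled="" ;;
            -*)       enabled=$(printf '%s\n' $enabled | grep -vxF -- "${tok#-}" || true) ;;
            +*)       enabled="$enabled ${tok#+}" ;;
            *)        enabled="$enabled $tok" ;;        # bare keyword means "+"
        esac
    done
    for legacy in SSLv3 TLSv1 TLSv1.1; do
        if printf '%s\n' $enabled | grep -qxF "$legacy"; then
            return 1
        fi
    done
    printf '%s\n' $enabled | grep -qxE 'TLSv1\.[23]'
}

# Walk every SSLProtocol directive in a config file (trailing comments
# stripped) and report it.  Returns 1 if any directive is weak or the file
# sets none at all (then the Apache default "all -SSLv3" applies).
audit_sslprotocol_file() {
    rc=1
    while read -r _keyword rest; do
        rest=${rest%%#*}
        [ -n "$rest" ] || continue
        if sslprotocol_is_strict $rest; then
            printf 'strict  %s: SSLProtocol %s\n' "$1" "$rest"
            rc=0
        else
            printf 'WEAK    %s: SSLProtocol %s\n' "$1" "$rest"
            return 1
        fi
    done <<EOF
$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" 2>/dev/null || true)
EOF
    return $rc
}

# Live check against a running server: a hardened host refuses the handshake
# for tls1 and tls1_1 and completes it for tls1_2.  Needs network access, so
# it is not called here; run e.g.  probe_tls_version www.example.org tls1
# (the host name is an assumption) and expect a non-zero exit status.
probe_tls_version() {
    echo | openssl s_client -connect "$1:443" -servername "$1" "-$2" >/dev/null 2>&1
}

# Demonstration on constructed config snippets (not real server files).
demo_dir=$(mktemp -d)
printf 'SSLEngine on\nSSLProtocol all -SSLv3\n' > "$demo_dir/weak.conf"
printf 'SSLProtocol -all +TLSv1.2 +TLSv1.3   # modern\n' > "$demo_dir/strict.conf"
for f in "$demo_dir"/*.conf; do
    audit_sslprotocol_file "$f" || true
done
rm -rf "$demo_dir"
```

The live probe is only meaningful if the client side can still speak the old version: OpenSSL 3 builds with a raised security level refuse -tls1 themselves, so a failed handshake there proves nothing about the server. Run the file audit on both files named above, since the certbot-managed options-ssl-apache.conf is included by the Let's Encrypt vhost and overrides what ssl.conf says.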
Let's Encrypt certificates#
see https://www.heise.de/select/ct/2018/04/1518744647738615 (c't 4/2018, p. 80)
Alternatives: Comodo or DigiCert (apt-get install letsencrypt ?). Since Apache version 2.4.30 there is mod_md to automate certificate issuance and renewal via ACME (ACMEv2 in current versions).
mod_md - certificate automation | https://httpd.apache.org/docs/2.4/mod/mod_md.html
see https://www.sudoers.net/2018/03/27/verschluesselung-mit-lets-encyrpt-und-apaches-mod_md/
but here we use a manual retrieval/generation. In any case you need the SSL/TLS module mod_ssl.
Enable with
a2enmod ssl
Certbot ACME client#
Follow https://letsencrypt.org/getting-started/
With SSH access you should install the Certbot ACME client, for me it is Debian 9.6 stretch:
https://certbot.eff.org/lets-encrypt/debianstretch-apache
(29.12.2018) Install#
Do NOT use the default package:
sudo apt-get install python-certbot-apache
This will install 'certbot --version' = 0.10.2 only, which is too old for the current ACME protocol, and you get the error
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
see https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983
As described in getting started you need to add the stretch-backports repository (newer packages rebuilt from Debian testing for the stable release), which is necessary here. To add the "stretch-backports" source:
vi /etc/apt/sources.list.d/nodesource.list   (add the line below; any file under sources.list.d works)
deb http://ftp.debian.org/debian stretch-backports main
apt-get update
sudo apt-get install python-certbot-apache -t stretch-backports
Then you will have version 0.28.0 or above.
(06.02.2021) Install#
apt-get update
apt-get install python-certbot-apache
This will install "python-certbot-apache (0.31.0-1)" (on buster, no backports needed).
Certbot log and config #
/var/log/letsencrypt/letsencrypt.log
/etc/letsencrypt/cli.ini
/etc/letsencrypt/renewal
Certificate folder#
/etc/letsencrypt/live/
README:
This directory contains your keys and certificates.
`[cert name]/privkey.pem` : the private key for your certificate.
`[cert name]/fullchain.pem`: the certificate file used in most server software.
`[cert name]/chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`[cert name]/cert.pem` : will break many server configurations, and should not be used without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES! Certbot expects these files to remain in this location in order to function properly! We recommend not moving these files.
For more information, see the Certbot User Guide
Note: the entries under live/ are symlinks into /etc/letsencrypt/archive/; privkey.pem is the secret that any Apache-side hardening rests on, so leave the restrictive permissions certbot sets on live/ and archive/ in place and never copy the key into a web root or a repository.
Note: You need a virtual host configured for Apache, otherwise you get the error
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
Create certificates#
sudo certbot --apache        # domain www.ebel-computing.de, e-mail msebel@arcor.de
Agreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.ebel-computing.de
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.ebel-computing.de
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.ebel-computing.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.ebel-computing.de/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.ebel-computing.de/privkey.pem
Your cert will expire on 2019-03-27.
To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Finally you have three config files under /etc/apache2/sites-available:
000-default.conf
000-default-le-ssl.conf
default-ssl.conf
The "000-default.conf" is used for port 80 and "000-default-le-ssl.conf" for port 443.
"default-ssl.conf" includes the general SSL configuration.
See also Apache HTTP
Note: check also the file "ports.conf" so that Apache listens on the right ports:
Listen 80
Listen 443
Check Expiry:#
Dates of the certificate on disk:
openssl x509 -dates -noout -in /etc/letsencrypt/live/www.ebel-computing.de/cert.pem
Dates of the certificate Apache actually serves (the s_client output alone shows no dates, so pipe it through x509):
echo | openssl s_client -connect localhost:443 -servername atakama-studio.ca 2>/dev/null | openssl x509 -noout -dates
=> 27.03.2018
Certificate Renewal#
sudo certbot renew --dry-run        # test the renewal against the staging CA, changes nothing
sudo certbot renew                  # renews every certificate with less than 30 days left
sudo certbot renew --force-renewal  # renews regardless of expiry; counts against the rate limits
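An added example for the "Check Expiry" and "Certificate Renewal" steps above, written by me and not taken from this page or from certbot: it turns the `openssl x509 -enddate` output into days left and compares the certificate Apache actually serves with the file certbot renewed, because the usual failure after "certbot renew" is a fresh file on disk while the old certificate is still loaded. It assumes the Let's Encrypt layout /etc/letsencrypt/live/<name>/cert.pem and that <name> is also the host name Apache serves; the test certificate is generated on the fly, nothing real is touched.

```shell
#!/bin/sh
# Added example, not from the original page: expiry check plus a
# "what is really being served" check for certbot-managed certificates.

# days_left "notAfter=Mar 27 12:00:00 2019 GMT" [now_epoch]
# Takes the line printed by `openssl x509 -noout -enddate` and prints the
# number of whole days until expiry (negative once expired).  The optional
# second argument fixes "now" so the arithmetic can be tested deterministically.
days_left() {
    end=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    end_epoch=$(date -u -d "$end" +%s)   # GNU date parses OpenSSL's date format
    echo $(( (end_epoch - now) / 86400 ))
}

# cert_days_left /path/to/cert.pem  ->  days until that file's certificate expires
cert_days_left() {
    days_left "$(openssl x509 -noout -enddate -in "$1")"
}

# deployed_matches_disk HOST /path/to/cert.pem
# Fetches the certificate the server presents for HOST (via SNI) and compares
# its SHA-256 fingerprint with the file.  Returns 1 if they differ or HOST is
# unreachable.  Needs network access, so it is not called at the top level.
deployed_matches_disk() {
    served=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    on_disk=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
    [ -n "$served" ] && [ "$served" = "$on_disk" ]
}

# Walk every certificate certbot manages and report.  30 days is both the
# warning threshold here and the point at which "certbot renew" starts renewing.
# Assumes the cert name under live/ equals the vhost's host name.
report_all() {
    for cert in /etc/letsencrypt/live/*/cert.pem; do
        [ -f "$cert" ] || continue        # glob matched nothing: no certbot here
        name=$(basename "$(dirname "$cert")")
        days=$(cert_days_left "$cert")
        if [ "$days" -lt 30 ]; then
            printf 'WARN  %s expires in %s days; run: certbot renew\n' "$name" "$days"
        else
            printf 'ok    %s expires in %s days\n' "$name" "$days"
        fi
        if deployed_matches_disk "$name" "$cert"; then
            printf '      %s serves the certificate from disk\n' "$name"
        else
            printf 'WARN  %s serves a different certificate (Apache not reloaded?)\n' "$name"
        fi
    done
}

report_all
```

Run it from cron or a monitoring check after `certbot renew`; a "serves a different certificate" line means the renewal worked but Apache still holds the old key material, which is fixed by `systemctl reload apache2` and, for the future, by a deploy hook under /etc/letsencrypt/renewal-hooks/deploy/.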
Configure Apache #
vi /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    ServerName www.ebel-computing.de
    JkMount /Homepage* ajp13_worker
    ErrorLog ${APACHE_LOG_DIR}/Homepage.log
</VirtualHost>
For the Angular .htaccess rewrite rules, allow overrides in the SSL vhost too:
<Directory /var/www/html/Ebel004>
    AllowOverride All
</Directory>
Add certificates#
If you changed your virtual hosts you can run certbot any time like this:
> certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.andreas-ebel.de
2: www.ebel-computing.de
3: www.ferienwohnung-ebel.de
4: feueronadmin.de
5: www.feueronadmin.de
6: inetone.de
7: www.inetone.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 7
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.inetone.de
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Failed redirect for www.inetone.de
Unable to set enhancement redirect for www.inetone.de
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
IMPORTANT NOTES:
- We were unable to set up enhancement redirect for your server, however, we successfully installed your certificate.
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.inetone.de/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.inetone.de/privkey.pem
Your cert will expire on 2021-05-07.
To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
The "Failed redirect" means certbot found no port-80 vhost whose ServerName is www.inetone.de, so it could not add the redirect; the certificate itself is installed. Either add a <VirtualHost *:80> with that ServerName and run certbot again, or add the redirect to HTTPS in that vhost by hand. Until then the site is still reachable over plain HTTP.
Delete/Revoke certificate#
Expired certificates cannot be revoked, just deleted. Note the difference: "delete" only removes the local files (live/, archive/ and the renewal config) and tells the CA nothing; "revoke" asks Let's Encrypt to revoke the certificate, which is what you need if the private key may have leaked (add --reason keycompromise), and afterwards certbot offers to delete the local files as well.
certbot delete --cert-name ${YOUR_DOMAIN}   (or run plain "certbot delete" and ... choose certificate ...)
certbot revoke --cert-path /etc/letsencrypt/archive/${YOUR_DOMAIN}/cert1.pem   (or run plain "certbot revoke" and ... choose certificate ...)
Check
certbot certificates