LetsEncrypt for the lazy and/or extremely in a hurry

Quick note so I don't forget whenever I need to do this again :-). Let's Encrypt is an incredible initiative to enhance the security of web users by issuing free TLS certificates to website owners.

Generating a certificate is as simple as using Certbot:

certbot certonly -w /var/www/html/frangarcia.me  \
  -d frangarcia.me -w /var/www/html/frangarcia.me  \
  -d www.frangarcia.me -w /var/www/html/frangarcia.me

That will generate your required certificate files in /etc/letsencrypt/live/frangarcia.me .

If you are using Apache, the virtual host configuration can be as simple as the one shown below. If you ever worried about SNI or having multiple TLS certificates on the same IP/port combination, Apache 2.4 automatically handles that for you - provided you are using an SNI-compatible client.

<VirtualHost *:80>
    ServerName frangarcia.me
    ServerAlias www.frangarcia.me
    DocumentRoot /var/www/html/frangarcia.me
</VirtualHost>

<VirtualHost *:443>
    ServerName   frangarcia.me
    ServerAlias  www.frangarcia.me
    DocumentRoot /var/www/html/frangarcia.me

    ErrorLog    logs/frangarcia.me_error_log
    TransferLog logs/frangarcia.me_ssl_access_log
    CustomLog   logs/frangarcia.me_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    # fullchain.pem = leaf certificate + Let's Encrypt intermediate. Serving cert.pem
    # alone makes clients that don't cache the intermediate fail with an incomplete
    # chain (Apache >= 2.4.8; older versions need SSLCertificateChainFile chain.pem).
    SSLCertificateFile /etc/letsencrypt/live/frangarcia.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/frangarcia.me/privkey.pem
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

It's one of those things I wish I'd done a long time ago ;-). By the way, do not forget to run your domain through the great SSLLabs utility to check your SSL config; you'll find minor issues for sure.
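To get a head start on what SSLLabs will flag, here is an added example (my own, not part of the original post or of Certbot/Apache) of a small static check over an Apache TLS vhost. It parses the single-line directives, then reports the usual findings for a config like the one above: a certificate file without the intermediate chain, legacy TLS 1.0/1.1 left enabled by `SSLProtocol all -SSLv2 -SSLv3`, MEDIUM-strength ciphers, and a missing HSTS header. Both vhost texts are constructed samples embedded inline; the function names are my own.

```python
"""Static pre-flight checks for an Apache TLS virtual host (added example)."""

# Constructed sample: the 443 vhost roughly as a first attempt often looks.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName   frangarcia.me
    ServerAlias  www.frangarcia.me
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/letsencrypt/live/frangarcia.me/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/frangarcia.me/privkey.pem
</VirtualHost>
"""

# Constructed sample: the same vhost after acting on the findings.
HARDENED_VHOST = """
<VirtualHost *:443>
    ServerName frangarcia.me
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /etc/letsencrypt/live/frangarcia.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/frangarcia.me/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
"""


def parse_directives(text):
    """Map lower-cased directive name -> list of argument strings.

    Apache directive names are case-insensitive; <VirtualHost> tags and
    comments are skipped because only the single-line directives matter here.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(name, []).append(value)
    return directives


def check_vhost(text):
    """Return a list of human-readable findings for one TLS vhost (empty = clean)."""
    d = parse_directives(text)
    findings = []

    # 1. Chain: cert.pem is the leaf only; without fullchain.pem (or a separate
    #    SSLCertificateChainFile) many clients see an incomplete chain.
    certfile = d.get("sslcertificatefile", [""])[0]
    if certfile.endswith("cert.pem") and "sslcertificatechainfile" not in d:
        findings.append(
            "incomplete chain: SSLCertificateFile is cert.pem with no "
            "SSLCertificateChainFile; point it at fullchain.pem instead"
        )

    # 2. Protocols: "all -SSLv2 -SSLv3" still enables TLSv1 and TLSv1.1.
    proto = d.get("sslprotocol", [""])[0].split()
    if proto and proto[0].lower() == "all":
        disabled = {p[1:].lower() for p in proto[1:] if p.startswith("-")}
        for legacy in ("tlsv1", "tlsv1.1"):
            if legacy not in disabled:
                findings.append(f"legacy protocol still enabled: {legacy}")

    # 3. Ciphers: the OpenSSL MEDIUM group is 128-bit legacy material (RC4, SEED).
    ciphers = d.get("sslciphersuite", [""])[0].split(":")
    if "MEDIUM" in ciphers:
        findings.append("SSLCipherSuite includes the MEDIUM group; drop it")

    # 4. HSTS: SSLLabs caps the grade without Strict-Transport-Security.
    headers = d.get("header", [])
    if not any("strict-transport-security" in h.lower() for h in headers):
        findings.append("no Strict-Transport-Security header is set")

    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_VHOST), ("hardened", HARDENED_VHOST)):
        print(f"{label}: {len(check_vhost(text))} finding(s)")
        for f in check_vhost(text):
            print("  -", f)
```

Run it against a copy of the vhost block from the Apache config (`check_vhost(open(path).read())`); the hardened sample above returns no findings, the first sample returns five.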

Happy hacking!
