Getting started with Let's Encrypt SSL Certificates on Ubuntu

This tutorial will guide you through your very first configuration of an SSL website with Let's Encrypt certification. Let's Encrypt is a new SSL authority that provides free SSL certificates. We are going to use two existing tutorials (“How to setup an intermediate compatible SSL website with Let's Encrypt certificate” and “The Perfect Server - Ubuntu 15.10 (Wily Werewolf) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3”).

The setup described here is compatible with any Ubuntu LAMP server, so you can use this one as the basis setup too.

This tutorial will show you how to setup Let's Encrypt on Servers without ISPConfig 3 as there will be a direct implementation of the Let's Encrypt service in the next ISPConfig 3 release (version 3.1) soon. So if you plan to use ISPConfig, wait for the 3.1 release and also a new tutorial.

Creating the website

The 1st step is to create the website configuration and directory and enable SSL (Apache mod_ssl) for it. It’s up to you if you use the default configuration for one website on a server or you plan to use multiple vhosts to host more than one domain. For more reliable and scalable usage, I’ll create a vhost configuration for my “lab” domain isp1.cloudapp.net from Azure.

All vhosts are stored in the /etc/apache2/sites-available directory by default on Ubuntu and Debian. Run the following command to retrieve a list of existing vhost configuration files.

ls -l /etc/apache2/sites-available/

My output looks like this:

[email protected]:/home/falco# ls -l /etc/apache2/sites-available/

-rw-r--r-- 1 root root 1332 May 20 2015 000-default.conf

-rw-r--r-- 1 root root 6437 May 20 2015 default-ssl.conf

We can now use the "default" configuration file for cloning and edit it or we can use our own configuration. I prefer using my own configuration as I do that for many years, so let’s create a new vhost by creating the file:

vi /etc/apache2/sites-available/isp1.cloudapp.net.conf

In this file paste, the following content:

<VirtualHost *:80>
ServerName isp1.cloudapp.net
ServerAlias www.isp1.cloudapp.net

DocumentRoot /home/web/isp1.cloudapp.net/public_html

ErrorLog /home/web/isp1.cloudapp.net/log/habdak.eu_error_log
CustomLog /home/web/isp1.cloudapp.net/log/habdak.eu_access_log combinedScriptAlias /cgi-bin/ /home/web/isp1.cloudapp.net/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /home/web/isp1.cloudapp.net/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddType application/json .json
</Directory>

<Directory /home/web/isp1.cloudapp.net/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>

RemoveHandler .php
RemoveHandler .php5
php_admin_value engine Off
IPCCommTimeout 301
FcgidMaxRequestLen 1073741824
php_value memory_limit 128M
php_value suhosin.session.encrypt Off

</VirtualHost>

<VirtualHost *:443>

ServerName isp1.cloudapp.net
ServerAlias www.isp1.cloudapp.net
DocumentRoot /home/web/isp1.cloudapp.net/public_html

ErrorLog /home/web/isp1.cloudapp.net/log/habdak.eu_error_log
CustomLog /home/web/isp1.cloudapp.net/log/habdak.eu_access_log combined

ScriptAlias /cgi-bin/ /home/web/isp1.cloudapp.net/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /home/web/isp1.cloudapp.net/public_html >
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddType application/json .json
</Directory>

<Directory /home/web/isp1.cloudapp.net/cgi-bin >
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>

RemoveHandler .php
RemoveHandler .php5
php_admin_value engine Off
IPCCommTimeout 301
FcgidMaxRequestLen 1073741824
php_value memory_limit 128M
php_value suhosin.session.encrypt Off

SSLEngine on
SSLCertificateFile /home/web/isp1.cloudapp.net /ssl.cert
SSLCertificateKeyFile /home/web/isp1.cloudapp.net /ssl.key
SSLCACertificateFile /home/web/isp1.cloudapp.net /ssl.ca
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On

</VirtualHost>

Replace the domain name with your domain wherever it occurs and save the file. To activate the configuration, run:

a2ensite isp1.cloudapp.net.conf

Now reate the folders for the website:

mkdir /home/web

mkdir /home/web/isp1.cloudapp.net

mkdir /home/web/isp1.cloudapp.net/public_html

mkdir /home/web/isp1.cloudapp.net/cgi-bin

mkdir /home/web/isp1.cloudapp.net/logs

Restart apache to apply the new configuration:

sudo service apache2 restart

Now we have to generate the certificate files.

Install Let's Encrypt and generate your first SSL Certificate

 I prefer to use the root login for administration instead of running sudo before each command, so let’s su to root user:

sudo su

Navigate to your roots home directory:

cd ~root

Install git for fetching the Let's Encrypt git repository files:

apt-get install git

Now clone the Let's Encrypt git repository:

git clone https://github.com/letsencrypt/letsencrypt.git letsencrypt

Navigate to your new letsencrypt folder:

cd letsencrypt

And request your SSL certificate:

./letsencrypt-auto certonly --webroot -w /home/web/isp1.cloudapp.net/public_html -d isp1.cloudapp.net

If you request a certificate for the master domain (1st level domain aka cloudapp.net) use -d parameter twice. With and without www prefix like this:

./letsencrypt-auto certonly --webroot -w /home/web/cloudapp.net/public_html -d cloudapp.net -d www.cloudapp.net

If you won’t do this, the certificate won’t be valid for visitors opening your site with www prefix.

You can also add other subdomains to one certificate. For example, if your subdomain admin.cloudapp.net matches the same site (the same folder on the server), you should add it to this certificate as well. Unfortunately, you can’t use a wildcard like (*.cloudapp.net) with let's encrypt.

Let's Encrypt will automatically update all dependencies and guide you through its setup. All you need to do is wait for the prompt window asking you for your e-mail address. This address is used for recovering lost data only.

Your new keys are now stored in /etc/letsencrypt/ by default. We are going to link them to our website directory so we can manage the keys later.

ln -s /etc/letsencrypt/archive/isp1.cloudapp.net/cert1.pem /home/web/isp1.cloudapp.net/ssl.cert

ln -s /etc/letsencrypt/archive/isp1.cloudapp.net/chain1.pem /home/web/isp1.cloudapp.net/ssl.ca

ln -s /etc/letsencrypt/archive/isp1.cloudapp.net/privkey1.pem /home/web/isp1.cloudapp.net/ssl.key

Now you should be able to access your website with SSL. Let's Encrypt will automatically inform you about expiring certificates in time by sending you an e-mail to the address you have provided within the installation of Let's Encrypt.

Share this page:

5 Comment(s)

Add comment

Comments

From: thctlo

Thanx, i could use this.. but the most exiting thing here for me.

A direct implementation of the Let's Encrypt service in the next ISPConfig 3 release (version 3.1) soon. 

:-)) 

can you tell also if its now possible to use zarafa with ispconfig ?

 

From: george

CustomLog /home/web/isp1.cloudapp.net/log/habdak.eu_access_log combinedScriptAlias /cgi-bin/ /home/web/isp1.cloudapp.net/cgi-bin/ Must be like this : CustomLog /home/web/isp1.cloudapp.net/log/habdak.eu_access_log combined ScriptAlias /cgi-bin/ /home/web/isp1.cloudapp.net/cgi-bin/

From: jo

hi any ideea why when i run thiss comand ./letsencrypt-auto certonly --webroot -w /home/web/isp1.cloudapp.net/public_html -d isp1.cloudapp.net

i keep receiving this error

Installing Python packages...Traceback (most recent call last):  File "/tmp/tmp.0lhtOJRRc3/pipstrap.py", line 146, in <module>    exit(main())  File "/tmp/tmp.0lhtOJRRc3/pipstrap.py", line 133, in main    shell=True)  File "/usr/local/lib/python2.7/subprocess.py", line 573, in check_output    raise CalledProcessError(retcode, cmd, output=output)subprocess.CalledProcessError: Command 'pip install --no-index --no-deps -U /tmp/pipstrap-hIH8as/pip-8.0.3.tar.gz /tmp/pipstrap-hIH8as/setuptools-20.2.2.tar.gz /tmp/pipstrap-hIH8as/wheel-0.29.0.tar.gz' returned non-zero exit status 1

From: Danny

Could you change cloudapp.net to example.com? The thing is that cloudapp.net is the domain used for microsoft azure cloud services and people who google if they can get letsencrypt certificates for their cloudapp.net subdomains land here.

Also example.com (or .org) were registered by the IANA for exactly that purpose :)

 

Thanks

From: Hans Wurst

Why it asks me forUsername for 'https://github.com':

while cloning (one of the first step)?