Let’s Encrypt with Apache on Ubuntu

Clone the Let’s Encrypt repository
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Access the letsencrypt directory
cd /opt/letsencrypt

Auto install all dependencies

sudo -i
cd /opt/letsencrypt
./letsencrypt-auto

Generate certificates for your domains

Execute the interactive installation and obtain a certificate for each domain.

./letsencrypt-auto certonly --webroot -w /var/www/faix/wordpress/ -d faix.cz -d www.faix.cz
./letsencrypt-auto certonly --webroot -w /var/www/zviretnik/wordpress/ -d zviretnik.eu -d www.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/owncloud/ -d owncloud.zviretnik.eu -d cloud.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/faix/wordpress/ -d faix.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/sikora/Gallery/ -d sikora.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/silhavy/gallery/ -d silhavy.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/martinek/ -d martinek.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/smrtak/gallery/ -d smrtak.zviretnik.eu

The first time, you will be asked to provide an email address for lost key recovery and notices:
ue]tod[kinterivznull]ta[retsamtsop

You can find the generated certificate files at:
/etc/letsencrypt/live/SITE.NAME/fullchain.pem

Certificate Auto Renewal

Edit the crontab to create a new job that will run this command every week.

crontab -e

00 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
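
A renewal that fails quietly is only noticed once the certificate expires, so the weekly job can be followed by an expiry check over the live directory. This is an added example, not part of the original post; the function names, the file name le-check.sh, the 21-day threshold and the assumed 30-day renewal window are assumptions of this example, and the directory layout is the /etc/letsencrypt/live/SITE.NAME one shown above.

```shell
#!/bin/sh
# Added example: report certificates the weekly "renew" job has failed to refresh.
# Layout assumed: LIVE_DIR/SITE.NAME/cert.pem, as under /etc/letsencrypt/live.
# Assumption: "renew" replaces a certificate about 30 days before it expires,
# so anything with fewer than WARN_DAYS (21, chosen for this example) days left
# means at least one weekly run did not succeed.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-21}"

# cert_expires_within FILE DAYS
# Returns 0 if FILE expires within DAYS days or cannot be read, 1 otherwise.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    # -checkend exits 0 only when the certificate is still valid after $secs.
    if openssl x509 -checkend "$secs" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# expiring_lineages DIR DAYS
# Prints SITE.NAME for every DIR/SITE.NAME/cert.pem inside the warning window.
expiring_lineages() {
    for cert in "$1"/*/cert.pem; do
        [ -e "$cert" ] || continue      # glob matched nothing
        if cert_expires_within "$cert" "$2"; then
            basename "$(dirname "$cert")"
        fi
    done
}

# check_renewals DIR DAYS
# Returns 1 and writes the list to stderr (so cron mails it) if anything is due.
check_renewals() {
    due=$(expiring_lineages "$1" "$2")
    if [ -n "$due" ]; then
        printf 'certificates expiring within %s days:\n%s\n' "$2" "$due" >&2
        return 1
    fi
    return 0
}

# Run against the real directory only when called as: le-check.sh --run
# (le-check.sh is a hypothetical file name for this script.)
if [ "${1:-}" = "--run" ]; then
    check_renewals "$LIVE_DIR" "$WARN_DAYS"
fi
```

Run it from root's crontab some time after the renew entry, since /etc/letsencrypt/live is readable by root only. An unreadable or corrupt cert.pem is reported the same way as an expiring one.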

Apache SSL configuration

/etc/apache2/sites-available/00zviretnik-ssl

SSLCertificateFile /etc/letsencrypt/live/zviretnik.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zviretnik.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/zviretnik.eu/chain.pem

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH:!EXP:!SRP:!DSS:!LOW
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCompression off

Update Let’s Encrypt Client

cd /opt/letsencrypt
sudo git pull

Generate certificate StartSSL for virtual hosts in Apache

openssl req -new -newkey rsa:2048 -nodes -out /etc/ssl/user.zviretnik.csr -keyout /etc/ssl/private/user.zviretnik.key -subj "/C=CZ/ST=cs/L=Praha/O=/CN=user.zviretnik.eu"
chmod 640 /etc/ssl/private/user.zviretnik.key

https://www.startssl.com/

Copy the StartSSL certificate to:
touch /etc/ssl/user.zviretnik.cer

Show the content of the CSR:
openssl req -in /etc/ssl/user.zviretnik.csr -noout -text