https://letsencrypt.org/ offers free signed 90-day SSL certificates which are trusted by browsers, just like a paid-for certificate signed by other CAs.
Because each certificate is valid for only 90 days, it is important to script the authorization and renewal so that it runs automatically.
1. If the letsencrypt command is not available in your package manager, use the letsencrypt-auto command by installing it locally.
# cd /usr/local
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
# ./letsencrypt-auto --help
letsencrypt-auto bootstraps its own dependencies with pip; when run with sudo it may print a warning like the following about the pip wheel cache:
The directory '/home/ian/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
2. Install anacron for your distro so that the renewal can be scheduled monthly. anacron is used rather than a fixed cron time so that the job does not run at the same moment as everyone else's renewals.
# aptitude install anacron
3. Add a monthly script to perform the renewals
# echo -e '#!/bin/bash\n\n' >> /etc/cron.monthly/letsencrypt-renew
# chmod u+x /etc/cron.monthly/letsencrypt-renew
4. Run a manual certificate authorization/installation. letsencrypt is able to modify the apache config itself, but my configuration was too complicated, so I modify the apache config manually later (step 6).
# /usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot \
    --webroot-path /home/ian/public_html/braindump/dokuwiki/ \
    -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net
Check that the issued certificate covers all of the requested names:
# openssl x509 -text -in /etc/letsencrypt/live/braindump.ca/cert.pem | grep -A1 Alternative
            X509v3 Subject Alternative Name:
                DNS:www.braindump.ca, DNS:braindump.mrzesty.net, DNS:braindump.ca
5. Add your last letsencrypt certonly command to the cron.monthly shell script. `!?certonly?` is bash history expansion and recalls the most recent command line containing "certonly", so this appends the exact command you just ran:
# echo "!?certonly?" >> /etc/cron.monthly/letsencrypt-renew
When the webroot challenge runs, the Let's Encrypt validation server fetches the token from /.well-known/acme-challenge/ on the site; the request shows up in the apache access log like this:
66.133.109.36 - - [20/Dec/2015:12:27:57 -0500] "GET /.well-known/acme-challenge/j8DDJgtt26GzSSOZ5DuQGQtVuKj9ZyqJohVbP-YS1cc HTTP/1.1" 200 298 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
6. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled.
<VirtualHost *:80>
    ServerName braindump.ca
    ServerAlias www.braindump.ca braindump.mrzesty.net
    RewriteEngine On
    RewriteRule /(.*) https://%{HTTP_HOST}/$1 [R]
</VirtualHost>

<VirtualHost *:443>
    ...
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/braindump.ca/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/braindump.ca/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/braindump.ca/privkey.pem
</VirtualHost>
7. You can repeat steps 4-6 for any additional SSL certificates for other public sites on the server.
The resulting /etc/cron.monthly/letsencrypt-renew:
#!/bin/bash
/usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path /home/ian/public_html/braindump/dokuwiki/ -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net
/usr/local/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot --webroot-path /home/ian/public_html/MrZesty -d mrzesty.net -d www.mrzesty.net
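As an added example (not the page's own cron script), here is a fuller version of /etc/cron.monthly/letsencrypt-renew built from the same two certonly commands. It renews a site only when its certificate is within 45 days of expiry (with a monthly job that means renewal lands somewhere between 45 and 75 days after issue), checks that the new cert.pem really lists every -d domain, complains on stderr (which cron mails) if letsencrypt-auto returned success but the certificate still expires soon, and reloads Apache, which only reads the certificate files at start or reload and would otherwise keep serving the old one. The hostnames, webroots and letsencrypt-auto path are the page's; the 45-day threshold, GNU date -d parsing and apachectl graceful as the reload command are assumptions about the host.

```shell
#!/bin/bash
# Added example, not the page's script: renewal wrapper for the
# /etc/cron.monthly/letsencrypt-renew job. Paths and hostnames come from the
# page; the 45-day threshold, GNU "date -d" and "apachectl graceful" are assumed.

LE_AUTO=/usr/local/letsencrypt/letsencrypt-auto
LE_LIVE=/etc/letsencrypt/live
RENEW_BEFORE_DAYS=45        # assumption: renew once 45 days or fewer remain
SECS_PER_DAY=86400

# days_between FROM_EPOCH TO_EPOCH: whole days from FROM to TO (negative if TO is past)
days_between() {
    echo $(( ($2 - $1) / SECS_PER_DAY ))
}

# needs_renewal DAYS_LEFT THRESHOLD: true when THRESHOLD days or fewer remain
needs_renewal() {
    [ "$1" -le "$2" ]
}

# san_list_has SAN_LINE HOST: true when HOST is a DNS entry in the
# "DNS:a, DNS:b" line that "openssl x509 -text" prints under Subject Alternative Name
san_list_has() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | grep -qE "DNS:$esc(,|\$)"
}

# cert_days_left CERT_PEM: days until notAfter (needs openssl and GNU date -d)
cert_days_left() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2) || return 1
    days_between "$(date +%s)" "$(date -d "$not_after" +%s)"
}

# cert_has_san CERT_PEM HOST: true when the issued certificate covers HOST
cert_has_san() {
    san=$(openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n1)
    san_list_has "$san" "$2"
}

# renew_site CERT_NAME WEBROOT DOMAIN...: renew when close to expiry, then
# verify the new certificate covers every domain and is actually fresh
renew_site() {
    name=$1; webroot=$2; shift 2
    cert="$LE_LIVE/$name/cert.pem"
    if [ -f "$cert" ]; then
        left=$(cert_days_left "$cert") || return 1
        if ! needs_renewal "$left" "$RENEW_BEFORE_DAYS"; then
            echo "$name: $left days left, not renewing"
            return 0
        fi
    fi
    args=""
    for d in "$@"; do args="$args -d $d"; done
    # $args is intentionally word-split into repeated -d options
    "$LE_AUTO" certonly --renew-by-default --webroot --webroot-path "$webroot" $args || return 1
    for d in "$@"; do
        cert_has_san "$cert" "$d" || { echo "$name: new certificate lacks $d" >&2; return 1; }
    done
    left=$(cert_days_left "$cert") || return 1
    if needs_renewal "$left" "$RENEW_BEFORE_DAYS"; then
        echo "$name: renewal ran but certificate still expires in $left days" >&2
        return 1
    fi
    echo "$name: renewed, $left days left"
}

# main: renew every site, then reload Apache so it picks up the new files
main() {
    status=0
    renew_site braindump.ca /home/ian/public_html/braindump/dokuwiki/ \
        braindump.ca www.braindump.ca braindump.mrzesty.net || status=1
    renew_site mrzesty.net /home/ian/public_html/MrZesty \
        mrzesty.net www.mrzesty.net || status=1
    apachectl graceful || status=1      # assumption: reload command on this host
    return $status
}

# Only run when installed under the page's cron job name; sourcing the file
# elsewhere just defines the functions.
case "$0" in
    */letsencrypt-renew) main "$@" ;;
esac
```

Because every failure path returns non-zero and writes to stderr, a silently broken renewal (expired webroot path, missing hostname in the SAN list, letsencrypt-auto that "succeeds" without replacing the file) produces cron mail instead of an expired certificate two months later.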