General IT security topics
https with free Let’s Encrypt certificate
This how-to was created before wildcard certificates were possible.
Steps:
- Install Let's Encrypt (certbot)
- Get a certificate
- Add the certificate paths to the Apache config
Get a certificate with certbot
Let's Encrypt recommends certbot to create and renew a certificate. For openSUSE we can follow the steps from https://certbot.eff.org/#pip-other; the steps are summarized below (the script is saved to /opt/certbot-auto so the following commands find it):
wget https://dl.eff.org/certbot-auto -O /opt/certbot-auto
chmod a+x /opt/certbot-auto
/opt/certbot-auto certonly -d <SUBDOMAIN>.example.com --webroot -w /opt/tomcat/webapps/ROOT/
You can add multiple domain names by repeating -d.
After that, the certificates are stored under /etc/letsencrypt/live/. Reference them in the Apache SSL configuration:
SSLCertificateKeyFile /etc/letsencrypt/live/<SUBDOMAIN>.example.com/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/<SUBDOMAIN>.example.com/fullchain.pem
Automatically renew the certificate
It is recommended to run the renew script daily (see https://serverfault.com/... ). The certificate is actually renewed only if it expires in less than 30 days. A Let's Encrypt certificate is valid for 90 days by default.
Add a cronjob with crontab -e containing the following line:
45 00 * * * /opt/certbot-auto renew --no-self-upgrade --post-hook "systemctl reload apache2"
This will run certbot-auto daily and with "post-hook" apache2 is reloaded, if the certificate is renewed.
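The renewal rule and the post-hook reload from above, as an added example that is not part of the original how-to: needs_renewal reproduces certbot's "less than 30 days left" decision with openssl x509 -checkend, and reload_if_valid runs a config test before reloading so a broken vhost is never reloaded into a running Apache. The command names, the test certificates it generates and the /tmp paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original how-to). Requires the openssl CLI.

# needs_renewal CERT [DAYS]: succeed (exit 0) if CERT expires within DAYS
# (default 30, the same threshold certbot uses), fail otherwise.
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    secs=$((days * 86400))
    # -checkend N exits 0 when the cert is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# reload_if_valid [CONFIGTEST_CMD] [RELOAD_CMD]: run the config test first and
# reload only when it passes. Defaults are the Apache commands used in this
# how-to; the parameters exist so the logic can be exercised without Apache.
reload_if_valid() {
    configtest="${1:-apachectl configtest}"
    reload="${2:-systemctl reload apache2}"
    if $configtest >/dev/null 2>&1; then
        $reload
        return $?
    fi
    echo "config test failed, not reloading" >&2
    return 1
}

# make_test_certs DIR: constructed test data, two self-signed certs with
# 90 and 10 days of validity (names are made up for the demo).
make_test_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/k1.pem" -out "$dir/long.pem" \
        -subj "/CN=long.example.com" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -keyout "$dir/k2.pem" -out "$dir/short.pem" \
        -subj "/CN=short.example.com" >/dev/null 2>&1
}

# demo: long.pem is "still fine", short.pem must be renewed now.
demo() {
    tmp=$(mktemp -d)
    make_test_certs "$tmp"
    for c in long short; do
        if needs_renewal "$tmp/$c.pem"; then
            echo "$c.pem: renew now"
        else
            echo "$c.pem: still fine"
        fi
    done
    rm -rf "$tmp"
}

demo
```

In the cronjob, the same guard can be expressed as --post-hook "apachectl configtest && systemctl reload apache2"; needs_renewal is useful from a monitoring check that alerts if the deployed certificate is about to expire even though the cronjob should have renewed it.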
Create certs for Apache reverse proxy
Certbot has an Apache plugin that reads the configured virtual hosts and creates a certificate for all their subdomains. To create the certificate, run:
/opt/certbot-auto --apache
The script asks you to select the domains; choose all, then a certificate is generated and an https config is written for every subdomain.
If you add a new subdomain later, the certificate can be reissued with the new subdomain included using this command:
/opt/certbot-auto certonly --apache --expand
systemctl restart apache2.service
Windows server with Apache
Install according to https://github.com/Lone-Coder/letsencrypt-win-simple.
The steps are: download and extract, then run letsencrypt.exe from the command line:
letsencrypt.exe --plugin manual --manualhost windowsserver.example.com --webroot C:\apache2\htdocs
Certificates are stored at:
- Key: "C:/programdata/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/windowsserver.example.com-key.pem"
- Cert: "C:/programdata/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/windowsserver.example.com-chain.pem"
Both files have to be configured in "C:\Apache24\conf\example.conf".
Renewal is handled by a Task Scheduler job that runs daily.