https with free Let’s Encrypt certificate

This how-to was written before wildcard certificates were available from Let's Encrypt.

Steps:

  1. Install the Let's Encrypt client (certbot)
  2. Get a certificate
  3. Add the certificate paths to the Apache config

Get a certificate with certbot

Let's Encrypt recommends certbot to create and renew certificates. For openSUSE we can follow the steps from https://certbot.eff.org/#pip-other; the steps are summarized below. (The certbot-auto wrapper script used here has since been deprecated by the EFF; the certbot subcommands and options are the same for a distribution package or snap install.)

wget -O /opt/certbot-auto https://dl.eff.org/certbot-auto
chmod a+x /opt/certbot-auto
/opt/certbot-auto certonly -d <SUBDOMAIN>.example.com --webroot -w /opt/tomcat/webapps/ROOT/

You can add multiple domain names to one certificate by repeating -d <ANOTHER-SUBDOMAIN>.example.com for each name if needed.

After that, the certificate files are stored under /etc/letsencrypt/live/<SUBDOMAIN>.example.com/ . Now change these two lines in the SSL configuration in /etc/apache2/conf.d/example.com and reload apache2:

SSLCertificateKeyFile /etc/letsencrypt/live/<SUBDOMAIN>.example.com/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/<SUBDOMAIN>.example.com/fullchain.pem

Automatically renew the certificate

It is recommended to run the renew command daily (see https://serverfault.com/... ). Certbot only actually renews a certificate when it expires in fewer than 30 days. A Let's Encrypt certificate is valid for 90 days by default.

Add a cron job with crontab -e and append the following line:

45 00 * * * /opt/certbot-auto renew --no-self-upgrade --post-hook "systemctl reload apache2"

This runs certbot-auto daily; the "post-hook" command reloads apache2 only when a certificate was actually renewed.
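To see which certificates are inside certbot's 30-day renewal window before the cron job runs, here is a small check script. It is an added example, not part of the original how-to; it assumes the /etc/letsencrypt/live layout described above, GNU date and the openssl command-line tool.

```shell
#!/bin/sh
# Added example: report the days remaining for each certificate lineage under
# /etc/letsencrypt/live and flag the ones certbot would renew on its next run.
# Assumes GNU date (-d) and openssl; LIVE_DIR can be overridden for testing.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_THRESHOLD_DAYS=30   # certbot's default: renew when fewer than 30 days remain

# Convert an openssl notAfter value (e.g. "Mar 14 12:00:00 2024 GMT") into
# whole days remaining relative to a given epoch timestamp (negative = expired).
# Usage: enddate_to_days "<notAfter string>" <now-epoch>
enddate_to_days() {
    end_epoch=$(date -u -d "$1" +%s)
    echo $(( (end_epoch - $2) / 86400 ))
}

# Exit status 0 when a certificate with this many days left is due for renewal.
needs_renewal() {
    [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# Days left for one PEM file; the leaf certificate is the first one in fullchain.pem.
cert_days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    enddate_to_days "$enddate" "$(date -u +%s)"
}

# Walk every lineage directory and print one status line per certificate.
report() {
    for dir in "$LIVE_DIR"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        name=$(basename "$dir")
        days=$(cert_days_left "$dir/fullchain.pem")
        if needs_renewal "$days"; then
            echo "$name: $days days left - certbot renew will reissue"
        else
            echo "$name: $days days left - ok"
        fi
    done
}

# Run the report only when invoked as: sh cert-expiry-check.sh report
case "${1:-}" in
    report) report ;;
esac
```

Run it on the server as sh cert-expiry-check.sh report; a lineage listed as "will reissue" should show up as renewed in the next cron run, otherwise the cron entry or the --webroot path deserves a look.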

Create certs for Apache reverse proxy

Certbot has an Apache plugin that can create one certificate covering all configured subdomains. To create the certificate run:

/opt/certbot-auto --apache

The script asks you to select the domains; choose all, and a certificate plus an https config for every subdomain is generated.

If you add a new subdomain later, the certificate can be reissued with the new subdomain included using these commands:

/opt/certbot-auto certonly --apache --expand
systemctl restart apache2.service

Windows server with Apache

Install according to https://github.com/Lone-Coder/letsencrypt-win-simple.
The steps are: download and extract the release, then run letsencrypt.exe from the command line:

letsencrypt.exe --plugin manual --manualhost windowsserver.example.com --webroot C:\apache2\htdocs

Certificates are stored at:

  • Key: "C:/programdata/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/windowsserver.example.com-key.pem"
  • Cert: "C:/programdata/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/windowsserver.example.com-chain.pem"

Both files have to be configured in "C:\Apache24\conf\example.conf" (the key file as SSLCertificateKeyFile, the chain file as SSLCertificateFile).
The installer also registers a Task Scheduler job that runs the renewal daily.