Wildcard Let’s Encrypt with Certbot Apache Ubuntu
Google started a campaign to make the web a safer place. They decided to mark all websites using plain old HTTP as “not secure”; only websites served over HTTPS are marked as “safe” to use.
Nobody wants to see their website marked as “not secure” because they didn’t use HTTPS. To remove the warning, the website needs an SSL certificate, and those normally cost money. Fortunately, there is a free way to get one for your website.
Let’s Encrypt comes to the rescue. Let’s Encrypt shares Google’s mission of making the web a safer place. It is an open certificate authority (CA) that provides free digital certificates for our websites.
It’s easy to set up a wildcard SSL certificate for our domain. That way you do not need to request a new certificate for each subdomain.
First, get all the required tools:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache
sudo a2enmod ssl
Next, in your registrar’s DNS settings create the following records:
- a custom A record @ with the value of the IP address of the web server
- a custom CNAME record * with the value of @
- a custom CNAME record www with the value of @
Request a wildcard SSL certificate for your domain from Let’s Encrypt.
Replace example.com with your own domain. A wildcard *.example.com covers one level of subdomain (www.example.com, api.example.com) but not the bare domain example.com itself, so the bare domain is requested as well, since the Apache configuration below serves it. The wildcard is quoted so the shell does not try to expand it.
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d example.com -d '*.example.com' --manual --preferred-challenges dns certonly
Next you will be asked a question. Type y if you want to continue.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Create a TXT record with the information provided after typing y. The name is _acme-challenge and the value is the long random string. If you requested both the bare domain and the wildcard, certbot shows two values in turn, both under the name _acme-challenge; add a second TXT record rather than replacing the first, and verify each record has propagated before pressing Enter.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name _acme-challenge.example.com with the following value:
Zc69N6P6Dqnr2eg3Dc0LLJBAzeOCD5aIIlrt2knBKbe
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
After pressing Enter, you are done with Let’s Encrypt.
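Before editing Apache it is worth checking that every ServerName and ServerAlias you are about to configure is actually covered by the names on the certificate; the wildcard rule trips people up because *.example.com does not cover the apex. The following is an added example, not code from the tutorial: it applies the single-label wildcard matching rule that browsers use to a constructed list of vhost names and a constructed SAN list.

```python
"""Check which virtual-host names a certificate's SAN list covers (added example)."""


def _labels(name):
    """Normalise a DNS name for comparison: case-insensitive, no trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def hostname_covered(hostname, san_names):
    """True if `hostname` is matched by at least one name in `san_names`.

    Wildcard rule as browsers and Let's Encrypt apply it: a '*' that is the
    whole leftmost label stands for exactly one label.  So '*.example.com'
    covers 'www.example.com' but neither the apex 'example.com' nor the
    deeper 'a.b.example.com'.  Any other name must match exactly.
    """
    host = _labels(hostname)
    if "" in host:  # empty label, e.g. "" or "www..example.com"
        return False
    for san in san_names:
        pattern = _labels(san)
        if pattern[0] == "*":
            # same number of labels, and everything right of the wildcard identical
            if len(pattern) == len(host) and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def uncovered_names(vhost_names, san_names):
    """Return the vhost names (ServerName/ServerAlias values) the certificate would
    not cover; Apache would serve them, but browsers would show a name mismatch."""
    return [name for name in vhost_names if not hostname_covered(name, san_names)]


if __name__ == "__main__":
    # Constructed sample: the names a typical set of VirtualHost blocks would serve
    vhosts = ["example.com", "www.example.com", "api.example.com"]
    print("wildcard only   ->", uncovered_names(vhosts, ["*.example.com"]))
    print("apex + wildcard ->", uncovered_names(vhosts, ["example.com", "*.example.com"]))
```

Run it after issuance with the names from your own VirtualHost blocks and the SAN list certbot printed; an empty list from uncovered_names means every name Apache answers for will validate in the browser.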
Now configure Apache. We’ll redirect all HTTP requests to HTTPS.
sudo vim /etc/apache2/sites-available/test.example.com.conf
Edit the file to something similar (note the space before each bracketed flag; without it Apache treats the flag as part of the pattern):
<VirtualHost example.com:80>
    ServerName example.com
    ServerAlias www.example.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com [OR]
    RewriteCond %{SERVER_NAME} =www.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Save the file, then create another file for the HTTPS site:
sudo vim /etc/apache2/sites-available/test.example.com-ssl.conf
Now set up HTTPS for the domain:
<IfModule mod_ssl.c>
<VirtualHost example.com:443>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/example/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
Now enable the rewrite module (the redirect needs it), enable both sites, check the configuration and reload Apache:
sudo a2enmod rewrite
sudo a2ensite test.example.com.conf
sudo a2ensite test.example.com-ssl.conf
sudo apache2ctl configtest
sudo systemctl reload apache2
Now you’re all set. All done! Almost.
There is a limitation with using Let’s Encrypt’s SSL Certificate.
The certificates expire every 90 days.
We can create a cron job to renew the certificates. One caveat: certbot renew cannot repeat a --manual DNS challenge unattended. It needs a --manual-auth-hook script that creates the TXT record through your DNS provider’s API (or a certbot DNS plugin for that provider); without one the scheduled renewal fails and you have to re-run the certbot command above by hand before the certificate expires.
sudo crontab -e
In the crontab editor add the following line to attempt a renewal once a month, at 02:00 on the 1st. certbot renew only replaces certificates that have 30 days or less left, so it is safe to run it far more often; the certbot project recommends twice a day so the 90-day lifetime is never cut close.
0 2 1 * * /usr/bin/certbot renew --quiet
Save it and exit.
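Crontab schedules are easy to get subtly wrong, and with a 90-day certificate and a 30-day renewal window the gap between runs decides whether renewal ever happens in time. The following is an added example, not part of the tutorial: a small offline crontab evaluator that expands the five fields, applies the vixie-cron day-of-month/day-of-week rule (Debian and Ubuntu ship a vixie-derived cron), and, for every possible issue date in a year, reports the fewest days a certificate would have left when the schedule first runs inside the renewal window. The three schedules it evaluates are constructed samples: a monthly run, certbot’s recommended twice-daily run, and a stepped day-of-month combined with a weekday, which vixie cron interprets differently from what most people expect.

```python
"""Evaluate a crontab schedule offline and check it against certbot's renewal
window (added example)."""
from datetime import date, timedelta

CERT_LIFETIME_DAYS = 90   # Let's Encrypt certificates are valid for 90 days
RENEW_WINDOW_DAYS = 30    # `certbot renew` only acts when 30 days or fewer remain


def _expand(field, lo, hi):
    """Expand one crontab field ('*', '*/5', '1-5', '1,15', '3') into the set of
    integers it matches within [lo, hi]."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start   # '3/5' counts up from 3
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    minute, hour, dom, month, dow = expr.split()
    return {
        "minute": _expand(minute, 0, 59), "hour": _expand(hour, 0, 23),
        "dom": _expand(dom, 1, 31), "month": _expand(month, 1, 12),
        "dow": _expand(dow, 0, 7),
        # vixie-derived crons treat a day field that BEGINS with '*' as
        # unrestricted, so '*/5' counts as unrestricted even though it is stepped
        "dom_star": dom.startswith("*"), "dow_star": dow.startswith("*"),
    }


def day_matches(spec, day):
    """Does the schedule fire at all on this calendar day?"""
    if day.month not in spec["month"]:
        return False
    dom_ok = day.day in spec["dom"]
    cron_dow = (day.weekday() + 1) % 7          # cron numbers Sunday 0, Monday 1
    dow_ok = cron_dow in spec["dow"] or (cron_dow == 0 and 7 in spec["dow"])
    if spec["dom_star"] or spec["dow_star"]:
        return dom_ok and dow_ok                # one field unrestricted: both must match
    return dom_ok or dow_ok                     # both restricted: EITHER one fires the job


def firing_days(expr, start, end):
    """Calendar days in [start, end] on which `expr` fires at least once."""
    spec = parse_cron(expr)
    days, day = [], start
    while day <= end:
        if day_matches(spec, day):
            days.append(day)
        day += timedelta(days=1)
    return days


def firing_days_in_month(expr, year, month):
    """Day numbers within one month on which `expr` fires."""
    first = date(year, month, 1)
    last = (first.replace(day=28) + timedelta(days=4)).replace(day=1) - timedelta(days=1)
    return [d.day for d in firing_days(expr, first, last)]


def max_gap_days_in_year(expr, year):
    """Longest number of days between two consecutive runs during `year`."""
    days = firing_days(expr, date(year, 1, 1), date(year, 12, 31))
    return max((b - a).days for a, b in zip(days, days[1:]))


def worst_case_days_left(expr, year):
    """For every possible issue date in `year`, find how many days the certificate
    still has when the schedule first runs inside the renewal window; return the
    minimum.  Negative means the certificate expired before renewal ran."""
    fires = firing_days(expr, date(year, 1, 1), date(year + 1, 12, 31))
    worst, issued = None, date(year, 1, 1)
    while issued.year == year:
        expiry = issued + timedelta(days=CERT_LIFETIME_DAYS)
        left = next(((expiry - d).days for d in fires
                     if d >= issued and (expiry - d).days <= RENEW_WINDOW_DAYS), None)
        if left is None:
            raise ValueError("no run found inside the window; extend the scan range")
        worst = left if worst is None else min(worst, left)
        issued += timedelta(days=1)
    return worst


if __name__ == "__main__":
    # Constructed sample schedules: monthly, certbot's twice-daily advice, and a
    # stepped day-of-month mixed with a weekday (vixie cron ANDs these two fields)
    for expr in ("0 2 1 * *", "0 */12 * * *", "0 2 */5 * 1"):
        print(f"{expr:14} longest gap {max_gap_days_in_year(expr, 2024):3d} days; "
              f"worst case {worst_case_days_left(expr, 2024):4d} days left at renewal")
```

The monthly schedule renews with zero days to spare when the expiry date falls on the 1st, the twice-daily one always has the full 30 days, and the mixed schedule fires only on Mondays that are also the 1st, 6th, 11th and so on of the month, leaving some certificates to expire unrenewed.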
Now we are done!
Congratulations!!! Your site is https ready.