Install Wildcard SSL using Let's Encrypt on Apache

Log in to the server, install the Let's Encrypt client (certbot) with its Apache plugin, and request a certificate. Note that certbot --apache validates the host over HTTP and issues a certificate for that virtual host's ServerName only; a true wildcard certificate (*.example.com) can only be obtained with the DNS-01 challenge (certbot's --manual --preferred-challenges dns mode or one of its DNS plugins) against the ACME v2 endpoint.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
$ sudo certbot --apache

Choose the no-redirect option when prompted (plain-HTTP requests will then still be served; add a redirect or HSTS later if the site should be HTTPS-only). Certbot writes the SSL virtual host to a new file, apache2-le-ssl.conf; view it with cat /etc/apache2/apache2-le-ssl.conf. It looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName letsdance.joaquinamenabar.com

    # Tell Apache and Passenger where your app's 'public' directory is
    DocumentRoot /home/deploy/tango/current/public

    PassengerRuby /usr/local/bin/ruby

    <Directory "/home/deploy/tango/current/public">
      Allow from all
      Options -MultiViews
      Require all granted
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/letsdance.joaquinamenabar.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/letsdance.joaquinamenabar.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Run an online TLS checker against the host and look at the protocol versions it reports. If TLS 1.2 is not listed as enabled, set the protocol and cipher directives explicitly in the virtual host. Modify the file as follows:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ...
    <Directory "/home/deploy/tango/current/public">
        ...
    </Directory>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/letsencrypt/live/letsdance.joaquinamenabar.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/letsdance.joaquinamenabar.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Only the lines after the closing </Directory> tag are new. Two caveats before restarting. First, Apache applies the last occurrence of a directive within a scope, and the Include line that follows pulls in certbot's options-ssl-apache.conf, which sets its own SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder; the hand-written values above the Include are therefore overridden by it, so place the directives you want to take effect after the Include line. Second, all -SSLv3 still offers TLS 1.0 and TLS 1.1, and MEDIUM still admits legacy 128-bit cipher suites; restricting the protocol list to TLS 1.2 (plus TLS 1.3 only on Apache 2.4.36 or later built against OpenSSL 1.1.1, since older mod_ssl rejects the name) and dropping MEDIUM gives a tighter configuration. Run apachectl configtest to check the syntax, then restart the server.

sudo apachectl restart

Re-run the TLS checker to confirm which protocol versions are now offered.
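Two things are easy to get wrong in the virtual host above: what a given SSLProtocol line actually leaves enabled, and whether the hand-written directives, placed above the Include line, are overridden by certbot's options-ssl-apache.conf (Apache applies the last occurrence of a directive in a scope). The following shell script is an added example written for this page, not code from the tutorial or from certbot. It assumes the tutorial's platform (Ubuntu 16.04, Apache 2.4.18 against OpenSSL 1.0.2, where "all" means SSLv3 through TLSv1.2), writes a constructed copy of the virtual host to a temporary file instead of touching /etc/apache2, and uses an editor-chosen hardened protocol and cipher line as the illustration. It re-implements mod_ssl's SSLProtocol parsing rules to show what a line really enables, and checks where a directive sits relative to the Include:

```sh
#!/bin/sh
# Added example (editor's code, not from the tutorial or from certbot).
#   effective_protocols        - which versions an Apache mod_ssl SSLProtocol
#                                line leaves enabled, using mod_ssl's rules: a
#                                bare name replaces the set, "+name" adds,
#                                "-name" removes, "all" is every protocol the
#                                build knows, and adding an unknown name is a
#                                configuration error. Names are case-sensitive
#                                here (mod_ssl itself ignores case).
#   directive_precedes_include - whether a directive in a vhost file appears
#                                before the certbot Include, in which case the
#                                included copy of that directive wins.
# Assumption: ALL_PROTOS is what "all" means on Apache 2.4.18 / OpenSSL 1.0.2
# (the tutorial's Ubuntu 16.04); builds on OpenSSL 1.1.1 add TLSv1.3.
ALL_PROTOS="${ALL_PROTOS:-SSLv3 TLSv1 TLSv1.1 TLSv1.2}"

known_proto() {
    case " $ALL_PROTOS " in *" $1 "*) return 0 ;; esac
    return 1
}

add_proto() {   # add_proto "<list>" <proto>  (no duplicates)
    case " $1 " in *" $2 "*) echo "$1" ;; *) echo "${1:+$1 }$2" ;; esac
}

del_proto() {   # del_proto "<list>" <proto>  (removing an absent name is a no-op)
    out=""
    for p in $1; do [ "$p" = "$2" ] || out="${out:+$out }$p"; done
    echo "$out"
}

# effective_protocols "<SSLProtocol arguments>" -> enabled versions, in order
effective_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            all|+all) enabled="$ALL_PROTOS" ;;
            -all)     enabled="" ;;
            +*)  p="${tok#+}"
                 known_proto "$p" || { echo "Illegal protocol '$p'" >&2; return 1; }
                 enabled="$(add_proto "$enabled" "$p")" ;;
            -*)  enabled="$(del_proto "$enabled" "${tok#-}")" ;;
            *)   known_proto "$tok" || { echo "Illegal protocol '$tok'" >&2; return 1; }
                 enabled="$tok" ;;     # bare name replaces the whole set
        esac
    done
    out=""
    for p in $ALL_PROTOS; do           # print in the build's canonical order
        case " $enabled " in *" $p "*) out="${out:+$out }$p" ;; esac
    done
    echo "$out"
}

# directive_precedes_include <vhost-file> <Directive>
# Prints "yes" when the last <Directive> line comes before an
# "Include ...options-ssl-apache.conf" line (so the included value overrides
# it), otherwise "no". Directive names are compared case-insensitively.
directive_precedes_include() {
    awk -v d="$(echo "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == d                                              { last = NR }
        tolower($1) == "include" && $2 ~ /options-ssl-apache\.conf$/ { inc = NR }
        END { print (last && inc && last < inc) ? "yes" : "no" }
    ' "$1"
}

# write_sample_vhost <path> [after]
# Writes a constructed copy of the tutorial's SSL virtual host to <path>.
# By default the hand-written TLS directives sit above the certbot Include,
# as in the tutorial; with "after" they are moved below it so they win.
# The directive values are the editor's hardened suggestion (TLS 1.2 only;
# add +TLSv1.3 on Apache >= 2.4.36 with OpenSSL >= 1.1.1).
write_sample_vhost() {
    tls_directives='SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4
SSLHonorCipherOrder On'
    {
        echo '<IfModule mod_ssl.c>'
        echo '<VirtualHost *:443>'
        echo '    ServerName letsdance.joaquinamenabar.com'
        echo '    DocumentRoot /home/deploy/tango/current/public'
        echo '    SSLEngine on'
        if [ "${2:-}" != after ]; then echo "$tls_directives"; fi
        echo '    SSLCertificateFile /etc/letsencrypt/live/letsdance.joaquinamenabar.com/fullchain.pem'
        echo '    SSLCertificateKeyFile /etc/letsencrypt/live/letsdance.joaquinamenabar.com/privkey.pem'
        echo '    Include /etc/letsencrypt/options-ssl-apache.conf'
        if [ "${2:-}" = after ]; then echo "$tls_directives"; fi
        echo '</VirtualHost>'
        echo '</IfModule>'
    } > "$1"
}

# Demonstration on the constructed vhost (temporary files, removed afterwards).
echo "SSLProtocol all -SSLv3    -> $(effective_protocols 'all -SSLv3')"
echo "SSLProtocol -all +TLSv1.2 -> $(effective_protocols '-all +TLSv1.2')"
effective_protocols '-all +TLSv1.2 +TLSv1.3' || echo "(+TLSv1.3 is rejected on this build)"
before=$(mktemp); after=$(mktemp)
write_sample_vhost "$before"
write_sample_vhost "$after" after
for d in SSLProtocol SSLCipherSuite SSLHonorCipherOrder; do
    echo "$d overridden by Include: as in tutorial=$(directive_precedes_include "$before" "$d") moved below=$(directive_precedes_include "$after" "$d")"
done
rm -f "$before" "$after"
```

On a real server, point directive_precedes_include at /etc/apache2/apache2-le-ssl.conf and feed effective_protocols the arguments of the SSLProtocol line that wins; "yes" for SSLProtocol means the value you wrote is not the one mod_ssl is using.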

SSL Installation Test

Automatic Renewal of SSL Certificate

On the server, run:

sudo certbot renew --dry-run

If the dry run completes without errors, the scheduled job that the certbot package installs (a cron entry or systemd timer that runs certbot renew) will renew the certificate automatically before it expires, and because the certificate was obtained with the Apache plugin, certbot restarts Apache after a real renewal so the new certificate is served.

References

How To Secure Apache with Let's Encrypt on Ubuntu 16.04

