Date Tue 29 March 2016

I have recently started using LetsEncrypt, rather than generating my own self-signed certificates. This post is a reminder to myself on how to set up LetsEncrypt on a server running Arch Linux and Apache. Install certbot:

pacman -S certbot

I have several sites that I want to encrypt, so I map all http requests for .well-known/acme-challenge to a single folder, /var/lib/letsencrypt:

mkdir /var/lib/letsencrypt

In Apache, create a file httpd-acme.conf:

/etc/httpd/conf/extra/httpd-acme.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Include this file in httpd.conf:

Include conf/extra/httpd-acme.conf

The path has to be writable for LetsEncrypt and readable by the webserver:

chgrp http /var/lib/letsencrypt && chmod g+s /var/lib/letsencrypt

Generating a Certificate.

certbot certonly --email ian@ianbarton.net --webroot -w /var/lib/letsencrypt/ -d ianbarton.net

This will place certificates in /etc/letsencrypt/live:

mail2 ~ » sudo ls /etc/letsencrypt/live/wilkesley.org
cert.pem  chain.pem  fullchain.pem  privkey.pem

Apache vhost Configuration.

This is the https section of my vhost configuration for a domain.

<VirtualHost 176.58.110.121:443>
    ServerAdmin webmaster@wilkesley.org
    ServerName www.wilkesley.org
    ServerAlias wilkesley.org

    DocumentRoot /srv/http/vhosts/wilkesley.org/
    <Directory /srv/http/vhosts/wilkesley.org/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on
    # cert.pem is the leaf certificate only. To serve the Let's Encrypt
    # intermediate as well, point SSLCertificateFile at fullchain.pem
    # (Apache 2.4.8 and later) or add "SSLCertificateChainFile .../chain.pem".
    SSLCertificateFile "/etc/letsencrypt/live/wilkesley.org/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/wilkesley.org/privkey.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/srv/http/cgi-bin">
       SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
       nokeepalive ssl-unclean-shutdown \
       downgrade-1.0 force-response-1.0

</VirtualHost>

Automatic Renewal.

When running certbot certonly, the domains and webroot directories are stored in /etc/letsencrypt/renewal, allowing certificates to be renewed automatically by running certbot renew.

Renewal can be done automatically by creating a systemd service:

/etc/systemd/system/certbot.service
[Unit]
Description=Let's Encrypt renewal

[Service]
# A oneshot service runs only when something starts it; schedule it with a
# matching certbot.timer (OnCalendar=daily) so that it actually runs daily.
Type=oneshot
ExecStart=/usr/bin/certbot renew
ExecStartPost=/bin/systemctl reload httpd.service

This runs daily, but certificates not yet due for renewal are skipped.
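A renewal health check over the live directory layout used above, written here as an added example (not code from the original post): it flags lineages whose cert.pem expires within certbot's default 30-day renewal window and catches a privkey.pem that no longer matches cert.pem after a botched renewal. The directory argument and the 30-day window are assumptions; it needs only openssl and POSIX sh.

```shell
#!/bin/sh
# Renewal health check for a certbot live directory (cert.pem, privkey.pem).
# Added example, not from the post; the 30-day window is an assumed default.

RENEW_WINDOW_DAYS=30

# Print the state of one live directory:
#   missing      - cert.pem or privkey.pem is absent
#   key-mismatch - privkey.pem does not belong to cert.pem
#   renew-due    - cert.pem expires within RENEW_WINDOW_DAYS
#   ok           - nothing to do
check_live_dir() {
    cert="$1/cert.pem"
    key="$1/privkey.pem"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo missing
        return 1
    fi
    # The public key in the certificate must equal the one derived from
    # privkey.pem; a mismatched pair makes httpd refuse to (re)load the vhost.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo key-mismatch
        return 1
    fi
    # -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $(( RENEW_WINDOW_DAYS * 86400 )) >/dev/null 2>&1; then
        echo renew-due
        return 2
    fi
    echo ok
}

# Check every lineage under $1 (default /etc/letsencrypt/live), print one
# "<name> <state>" line per lineage, and exit non-zero if any needs attention.
check_all() {
    base=${1:-/etc/letsencrypt/live}
    rc=0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        state=$(check_live_dir "${d%/}") || rc=1
        echo "$(basename "$d") $state"
    done
    return $rc
}
```

Append a `check_all "$@"` line to run it as a script from a timer or cron, or source the file and call the functions directly.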

Postfix and Dovecot.

