Date Tue 29 March 2016

I have recently started using LetsEncrypt, rather than generating my own self-signed certificates. This post is a reminder to myself on how to set up LetsEncrypt on a server running Arch Linux and Apache. Install certbot:

pacman -S certbot

I have several sites that I want to encrypt, so I map all http requests for /.well-known/acme-challenge to a single folder, /var/lib/letsencrypt:

mkdir /var/lib/letsencrypt

In Apache, create a file httpd-acme.conf:

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Include this file in httpd.conf:

Include conf/extra/httpd-acme.conf

The path has to be writable for LetsEncrypt and readable by the webserver:

chgrp http /var/lib/letsencrypt && chmod g+s /var/lib/letsencrypt

Generating a Certificate.

# admin@example.com and example.com are placeholders: use your own address and domain
certbot certonly --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com

This will place the certificates in /etc/letsencrypt/live:

mail2 ~ » sudo ls /etc/letsencrypt/live/
cert.pem  chain.pem  fullchain.pem  privkey.pem

Apache vhost Configuration.

This is the https section of my vhost configuration for a domain.

<VirtualHost *:443>
    DocumentRoot /srv/http/vhosts/
    <Directory /srv/http/vhosts/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on
    # example.com is a placeholder for the domain the certificate was issued for.
    # fullchain.pem carries the certificate plus the intermediate chain, privkey.pem the key.
    SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/srv/http/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>


Automatic Renewal.

When running certbot certonly, the domains and webroot directories are stored in /etc/letsencrypt/renewal, allowing certificates to be renewed automatically by running certbot renew.

Renewal can be done automatically by creating a systemd service:

[Unit]
Description=Let's Encrypt renewal

[Service]
# oneshot makes ExecStartPost wait until certbot has exited, so Apache is only
# reloaded once the renewed certificate is actually on disk
Type=oneshot
ExecStart=/usr/bin/certbot renew
ExecStartPost=/bin/systemctl reload httpd.service

This service is run daily by a systemd timer, but certificates not yet due for renewal will be skipped.
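The daily trigger for that service, as an added example that is not part of the original post; the unit names certbot-renewal.service (the service shown above) and certbot-renewal.timer are assumed.

```ini
# /etc/systemd/system/certbot-renewal.timer  (assumed name; a timer starts the
# service of the same name, here certbot-renewal.service)
[Unit]
Description=Daily Let's Encrypt renewal check

[Timer]
# Once a day. RandomizedDelaySec spreads the run over an hour so many hosts
# do not hit the ACME servers at the same instant; Persistent=true runs a
# check that was missed while the machine was off as soon as it boots.
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

# Activate and verify:
#   systemctl enable --now certbot-renewal.timer
#   systemctl list-timers certbot-renewal.timer   # shows next/last run
#   certbot renew --dry-run                        # exercises the webroot path without issuing
```

Checking the timer with list-timers and running a dry run once after setup catches a broken challenge path long before the 90-day certificate lifetime becomes a problem.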

Postfix and Dovecot.
