I decided to give Let’s Encrypt a try. I’m still running Debian Wheezy:
```
alex@kallobombus:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.9 (wheezy)
Release:        7.9
Codename:       wheezy
```
I followed their instructions for letsencrypt-auto:
```
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
```
And then I picked the Webroot plugin:
```
./letsencrypt-auto certonly --webroot -w ~/arabisch-lernen.org/ -d arabisch-lernen.org
```
I had to provide my email address and agree to their terms and conditions, and that seemed to work. I added the necessary Apache config parameters myself. The site’s config file is `/etc/apache2/sites-available/arabisch-lernen.org`, and the two important parts are these:
1. The virtual host on port 80 does nothing but redirect to the secured version
2. The virtual host on port 443 refers to the files created in `/etc/letsencrypt/live/`
As I’m using Debian Wheezy this means I’m using Apache/2.2.22 (Debian) mod_ssl/2.2.22 OpenSSL/1.0.1e.
```apache
<VirtualHost *:80>
  ServerName arabisch-lernen.org
  ServerAlias www.arabisch-lernen.org
  Redirect permanent / https://arabisch-lernen.org/
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin alex@arabisch-lernen.org
  <Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
  </Directory>
  ServerName arabisch-lernen.org
  ServerAlias www.arabisch-lernen.org
  DocumentRoot /home/alex/arabisch-lernen.org
  <Directory /home/alex/arabisch-lernen.org>
    Options ExecCGI Includes Indexes MultiViews SymLinksIfOwnerMatch
    AddHandler cgi-script .pl
    AllowOverride All
    Order Allow,Deny
    Allow from all
  </Directory>
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/arabisch-lernen.org/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/arabisch-lernen.org/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/arabisch-lernen.org/chain.pem
  SSLVerifyClient None
</VirtualHost>
```
Todo:
1. cron job (see forum)
2. more sites (I’m waiting for their current SSL certificates to expire in the coming years)
For the cron job, it seems that we cannot just run `letsencrypt-auto`, we need to specify all the stuff we used in previous calls. If we don’t, we’re told: «No installers seem to be present and working on your system; fix that or try running letsencrypt with the “certonly” command.» If we use the `certonly` command, then we’re asked for domain names...
So, these commands all need to be run because I use a different certificate for every domain:
```
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/alexschroeder.ch/ -d alexschroeder.ch -d www.alexschroeder.ch
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/arabisch-lernen.org/ -d arabisch-lernen.org -d www.arabisch-lernen.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/campaignwiki.org/ -d campaignwiki.org -d www.campaignwiki.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/communitywiki.org/ -d communitywiki.org -d www.communitywiki.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/korero.org/ -d korero.org -d www.korero.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/oddmuse.org/ -d oddmuse.org -d www.oddmuse.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/orientalisch.info/ -d orientalisch.info -d www.orientalisch.info
```
Check that the info was not created in a new directory:
```
ls /etc/letsencrypt/live
```
Restart Apache:
```
sudo service apache2 graceful
```
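The three steps above (one `certonly` call per site, a look at `/etc/letsencrypt/live` for unexpected new directories, a graceful Apache restart) can be put into one script for the cron job. This is an added example, not code from the post; the install path `/home/alex/src/letsencrypt/letsencrypt-auto`, the `/home/alex/<site>/` webroots and the shortened site list are assumptions taken from the commands above, and the `-0001` suffix is what letsencrypt-auto appends when it creates a new certificate lineage instead of renewing the existing one.

```shell
#!/bin/sh
# Added example: cron-friendly renewal script built from the commands in the post.
# Assumptions: letsencrypt-auto checkout and webroots live under /home/alex.
set -eu

LE=/home/alex/src/letsencrypt/letsencrypt-auto
SITES="alexschroeder.ch arabisch-lernen.org campaignwiki.org"

# Print the certonly command for one site (bare name plus www alias, same as
# the post).  Printing it keeps the command inspectable without running it.
renew_cmd() {
  site=$1
  printf '%s certonly --webroot -w /home/alex/%s/ -d %s -d www.%s\n' \
    "$LE" "$site" "$site" "$site"
}

# Given the entries of /etc/letsencrypt/live, print those that look like a
# new lineage (e.g. "arabisch-lernen.org-0001").  That happens when the -d set
# differs from the existing certificate; Apache would keep serving the old
# files from the unsuffixed directory, so this must be caught, not ignored.
find_duplicate_lineages() {
  for name in "$@"; do
    case $name in
      *-[0-9][0-9][0-9][0-9]) printf '%s\n' "$name" ;;
    esac
  done
}

renew_all() {
  for site in $SITES; do
    eval "$(renew_cmd "$site")" >/dev/null 2>&1 \
      || echo "renewal failed for $site" >&2
  done
  # shellcheck disable=SC2046  (word splitting of ls output is intended here)
  dups=$(find_duplicate_lineages $(ls /etc/letsencrypt/live))
  if [ -n "$dups" ]; then
    echo "new lineages created, Apache still points at the old files:" >&2
    echo "$dups" >&2
    exit 1
  fi
  service apache2 graceful
}

# Only renew when explicitly asked, so the functions can be sourced and checked.
if [ "${1:-}" = run ]; then
  renew_all
fi
```

Run it as root from cron with the argument `run`; without the argument it only defines the functions.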
And, elsewhere:
```
/home/nicferrier/src/letsencrypt/letsencrypt-auto certonly --webroot -w /home/nicferrier/emacswiki.org/ -d emacswiki.org -d www.emacswiki.org
```
Ignoring `SNIMissingWarning` on this Ubuntu 14.04.1 LTS...
Reload nginx:
```
sudo service nginx reload
```
Also, calling `letsencrypt-auto` requires root privileges. Yikes!
#Web #Cryptography
⁂
Hi Alex
Do I need to have git installed to do this?
– Ben 2016-04-28 17:17 UTC
---
Maybe? If you’re running a new operating system, your package manager might know how to install everything. If you are running Debian Wheezy, then you do need it. See the Getting Started page.
– Alex Schroeder 2016-04-28 22:09 UTC
---
Well, thanks, but my question was whether I would need to install git first (and which version, backport or normal) on wheezy to “git clone” the letsencrypt package. No one really says this clearly enough for me... 😄
– Ben 2016-04-29 13:33 UTC
---
The traditional way to do it would be to try it. :P But clearly, if the installation instructions say you need to run “git clone something”, then having git is a precondition. Therefore:
```
alex@kallobombus:~$ sudo apt-get install git
[sudo] password for alex:
Reading package lists... Done
Building dependency tree
Reading state information... Done
git is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
alex@kallobombus:~$ git --version
git version 1.7.10.4
```
– Alex Schroeder 2016-04-30 18:32 UTC