Apache SSL via Let's Encrypt! - jonatello/lab-musing GitHub Wiki

Install certbot for Let's Encrypt autorenewal

pkg install py27-certbot

Request a new certificate via the webroot method (fill in the appropriate information when prompted)

certbot certonly --webroot -w /usr/local/www/apache24/data -d example.com -d www.example.com

Test renewal

certbot renew --dry-run

Set up a cron job for automatic renewal

crontab -e

0 6 * * * certbot renew --quiet --post-hook "service apache24 restart"

Update the Apache configuration. In this case we assume there is no existing default configuration for "example.com". Make sure to update ServerName, ServerAlias, ErrorLog, and CustomLog to the appropriate domain. Use the "famp.example.com" configuration.

vi /usr/local/etc/apache24/sites-available/example.com

Create a symlink for the new example.com site between sites-available and sites-enabled

ln -sf /usr/local/etc/apache24/sites-available/example.com /usr/local/etc/apache24/sites-enabled/example.com

Add the SSL module configuration to Apache; use "famp.ssl.conf" for this. The cipher list and hardening settings follow the suggestions from https://cipherli.st/

vi /usr/local/etc/apache24/modules.d/020_mod_ssl.conf

Configure Apache to load the SSL module by uncommenting the ssl_module LoadModule line in httpd.conf, and do the same for the socache_shmcb_module line

sed -i '' 's/#LoadModule ssl_module libexec\/apache24\/mod_ssl.so/LoadModule ssl_module libexec\/apache24\/mod_ssl.so/g' /usr/local/etc/apache24/httpd.conf

sed -i '' 's/#LoadModule socache_shmcb_module libexec\/apache24\/mod_socache_shmcb.so/LoadModule socache_shmcb_module libexec\/apache24\/mod_socache_shmcb.so/g' /usr/local/etc/apache24/httpd.conf
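The two sed commands above silently do nothing if their patterns do not match (for example if the LoadModule lines were already edited by hand), so it is worth verifying the result before restarting Apache. The following is an added example, not code from the wiki or from the lab-musing repo: it parses httpd.conf for uncommented LoadModule lines and reports which of the modules mod_ssl needs are still missing. The sample httpd.conf text is constructed to mirror the FreeBSD default lines the sed commands target.

```python
"""Verify that httpd.conf loads the modules required for mod_ssl (added example)."""
import re

# Constructed sample of the relevant httpd.conf lines as they look before the
# sed edits (both SSL-related modules commented out). Not taken from the page.
HTTPD_CONF_BEFORE = """\
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
"""

# The same lines after the two sed commands from the page have run.
HTTPD_CONF_AFTER = HTTPD_CONF_BEFORE.replace(
    "#LoadModule socache_shmcb_module", "LoadModule socache_shmcb_module"
).replace("#LoadModule ssl_module", "LoadModule ssl_module")

# mod_ssl itself plus the shared-memory socache provider its session cache uses.
REQUIRED_MODULES = ("ssl_module", "socache_shmcb_module")

# Matches only active LoadModule lines; a leading '#' makes the line a comment
# and therefore fails the ^\s*LoadModule anchor.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.MULTILINE)


def loaded_modules(conf_text):
    """Return the set of module names loaded by uncommented LoadModule lines."""
    return {m.group(1) for m in LOADMODULE_RE.finditer(conf_text)}


def missing_ssl_modules(conf_text):
    """Return the required modules that are still commented out or absent."""
    loaded = loaded_modules(conf_text)
    return [mod for mod in REQUIRED_MODULES if mod not in loaded]


def check_file(path):
    """Run the check against a real file, e.g. /usr/local/etc/apache24/httpd.conf."""
    with open(path) as fh:
        return missing_ssl_modules(fh.read())


if __name__ == "__main__":
    print("before sed:", missing_ssl_modules(HTTPD_CONF_BEFORE))
    print("after sed: ", missing_ssl_modules(HTTPD_CONF_AFTER))
```

An empty list from `check_file("/usr/local/etc/apache24/httpd.conf")` means both modules are active; anything else means the sed pattern did not match and the line needs to be fixed by hand before the restart.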

Update the .htaccess file to redirect HTTP requests to HTTPS by adding the following lines

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Restart Apache

service apache24 restart

For added security, and in line with RFC 6844, add a CAA record to the appropriate DNS zone file. For "example.com" it should look like this

example.com. CAA 128 issue "letsencrypt.org"
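To make the effect of that record concrete, here is an added example (not from the wiki or the lab-musing repo) that parses CAA zone-file lines and applies the RFC 6844 issuance rules: flags 128 marks the property critical, "issue" restricts which CA may issue for the name, "issuewild" (if present) applies to wildcard names instead, and a value of ";" permits no CA at all. The extra zone lines beside the page's own record are constructed for illustration; the `ZONE_LINES`, `parse_caa` and `ca_may_issue` names are this example's, not a real library's.

```python
"""Parse CAA records and decide whether a CA may issue (added example, RFC 6844)."""
import re

# Constructed zone-file lines. The first is the record from the page; the
# other two are added here to show issuewild and iodef handling.
ZONE_LINES = [
    'example.com. CAA 128 issue "letsencrypt.org"',
    'example.com. CAA 0 issuewild ";"',
    'example.com. CAA 0 iodef "mailto:hostmaster@example.com"',
]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# owner [ttl] [IN] CAA flags tag "value"
CAA_RE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)


def parse_caa(line):
    """Parse one zone-file CAA line into a dict; raise ValueError if malformed."""
    m = CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group("flags"))
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    return {
        "owner": m.group("owner").rstrip(".").lower(),
        "flags": flags,
        "critical": bool(flags & 0x80),   # bit 7 = issuer critical flag
        "tag": m.group("tag").lower(),
        "value": m.group("value"),
    }


def ca_may_issue(records, ca_domain, wildcard=False):
    """Return True if the CA identified by ca_domain may issue for the name.

    records: parsed CAA records of the relevant name (RFC 6844 section 4 says
    a CA uses the closest ancestor that has any; this example assumes the
    caller already did that lookup). No records at all means no restriction.
    """
    if not records:
        return True
    # A critical property the CA does not understand forbids issuance.
    if any(r["critical"] and r["tag"] not in KNOWN_TAGS for r in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r["tag"] == tag]
    if wildcard and not relevant:
        # No issuewild property: the issue properties apply to wildcards too.
        relevant = [r for r in records if r["tag"] == "issue"]
    if not relevant:
        return True
    # A value is "ca-domain[; parameters]"; ";" alone names no CA.
    allowed = {r["value"].split(";")[0].strip().lower() for r in relevant}
    allowed.discard("")
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    recs = [parse_caa(l) for l in ZONE_LINES]
    for ca in ("letsencrypt.org", "otherca.example"):
        print(ca, "non-wildcard:", ca_may_issue(recs, ca),
              "wildcard:", ca_may_issue(recs, ca, wildcard=True))
```

With the page's record alone, only letsencrypt.org may issue for example.com; because the constructed issuewild record is ";", no CA may issue a wildcard certificate, which is a useful default if you never intend to request one.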