One of the biggest topics today is encryption. I can’t remember the last time I haven’t heard “encryption” or “SSL” at least once a day.  Anyone who has enabled SSL on a website knows the pain of getting it to work right, managing the certificates and how expensive certificates can be. Let’s Encrypt has made this super simple and automates it in a way to alleviate the frustration with encryption.

First you will need to setup a website, I will be using Apache on a Digital Ocean droplet. Haven’t heard of Digital Ocean? Check out my previous post on Digital Ocean and cloud infrastructure for labs.  Once you have your website up and running you will need to enable SSL. For Apache we will use mod_ssl, this is a module that provides SSL v3 and TLS c1.x support. You can read more about mod_ssl here.

I’m using CentOS 7.2 for my Apache server – other distros will work as well, however distros such as Ubuntu will be a little bit different.

To install Apache run

sudo yum install httpd -y 

The

1
-y
passes Yes to the prompt to move forward with the install. It will also install a few dependencies as well. Once installed, enable the service:

sudo systemctl enable httpd.service

Now that we have Apache installed – we need to create a website.

First, we’ll create the directory structure.

sudo mkdir -p /var/www/test.com/public_html

the

1
-p
automatically creates the parent directory structure.

[user@test-web ~]# sudo mkdir -p /var/www/test.com/public_html
[cole@test-web ~]# ls -l /var/www/test.com/
total 4
drwxr-xr-x 2 root root 4096 May  3 08:20 test_html

Next we’ll grant permissions as the files are owned by root. We will change the ownership with the

1
chown
command. To make things easy, we use the $USER variable as it will take the current logged in user and set the permissions.

sudo chown -R $USER:$USER /var/ww/test.com/test_html
[cole@test-web /]$ sudo chown -R $USER:$USER /var/www/test.com/test_html
[cole@test-web /]$ ls -l /var/www/test.com/
total 4
drwxr-xr-x 2 cole cole 4096 May  3 09:48 test_html

Lastly for permissions we need to give read access so the pages can be accessed. Using 755 for directory permissions means the owner has full access, any one else can list the directory but cannot create/delete files.

sudo chmod -R 755 /var/www

Now we’ll create a demo page for your virtual host. We’ll create an

1
index.html
page in
1
/var/www/test.com/test_public

You’ll want to use a test editor – I prefer

1
vi or vim
and advise against using
1
nano
– however use whatever you’re comfortable with.

vi /var/www/test.com/test_html

We’re going to use some very simple HTML code for testing.

<html>
  <head>
    <title>Hello World. Welcome to Test.com</title>
  </head>
  <body>
    <h1>Success! The test.com virtual host is working.</h1>
  </body>
</html>

Save and close the file: press

1
esc
and then
1
:wq!

Create a new virtual host file.

sudo mkdir /etc/httpd/sites-available
sudo mkdir /etc/httpd/sites-enabled

Your directory should now look like this:

[cole@test-web ~]$ sudo mkdir /etc/httpd/sites-available
[cole@test-web ~]$ sudo mkdir /etc/httpd/sites-enabled
[cole@test-web ~]$ ls -l /etc/httpd/
total 20
drwxr-xr-x 2 root root 4096 May  3 07:55 conf
drwxr-xr-x 2 root root 4096 May  3 07:55 conf.d
drwxr-xr-x 2 root root 4096 May  3 07:55 conf.modules.d
lrwxrwxrwx 1 root root   19 May  3 07:55 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root   29 May  3 07:55 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   10 May  3 07:55 run -> /run/httpd
drwxr-xr-x 2 root root 4096 May  3 10:02 sites-available
drwxr-xr-x 2 root root 4096 May  3 10:02 sites-enabled

This directory layout isn’t the only way to do this – however it does make it easier to manage virtual hosts.

Edit the

1
httpd.conf
in
1
/etc/httpd/conf/
to tell Apache where to look for the virtual hosts.

sudo vi /etc/httpd/conf/httpd.conf

Add

1
IncludeOptional sites-enabled/*.conf
to the end of the file under Supplemental configuration. This tells Apache to look at any of the configuration files in the sites-enabled directory.

To create the actual virtual hosts file create a configuration file in

1
/etc/httpd/sites-available/

sudo vi /etc/httpd/sites-available/test.com.conf

This will create a blank file and enter the following information:

<VirtualHost *:80>
     ServerName www.test.com
     ServerAlias test.com
     DocumentRoot /var/www/test.com/test_html
     ErrorLog /var/www/test.com/error.log
</VirtualHost>

Then save and close the file.

Now we can enable the virtual host by creating a symbolic link to the

1
sites-enabled
directory.

sudo ln -s /etc/httpd/sites-available/test.com.conf /etc/httpd/sites-enabled/test.com.conf

and restart Apache

1
sudo apachectl restart
.

You can edit your hosts file on your local machine to test by name if you’d like. For Linux and Mac edit the

1
/etc/hosts
file and add:

1
server_ip_address  test.com

In Windows you will need to launch an elevated instance of Notepad and edit

1
C:\Windows\System32\drivers\etc\hosts

test_com_working

Now that we have a website we need to point our domain to the IP Address. SSL are bound to a common name, in this case it would be our domain. You can use a SSL certificate on an IP Address, but it’s not advised or widely used.

We will want to update our DNS to point to our new Digital Ocean droplet. I use NameCheap for my registratar for my domain – they have a detailed walk through on updating your DNS through them here.

I’ve updated my DNS through my registrar and now I can access it via the domain

1
colelabs.tech

test_com_name_working

Before enabling SSL in Apache we will obtain the certificate from Let’s Encrypt.

The easiest way is via the EPEL repository.

sudo yum install epel-release

We will also need to use

1
git
to download the Let’s Encrypt client.

sudo yum install git

To download the Let’s Encrypt client from git we’ll run. We’re putting it in the

1
/opt
directory which is a standard directory for third-party software.

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Time to generate the SSL Certificate with Let’s Encrypt. Change directories to

1
/opt/letsencrypt

cd /opt/letsencrypt

We’re only doing one a single domain so we can run the interactive installation with the

1
letsencrypt-auto
command

sudo ./letsencrypt-auto --apache -d colelabs.tech

You may see a bunch of dependencies being downloaded and installed if they’re not on your server already. The client will install

1
mod_ssl
for Apache during this process.

You will be prompted to enter your email address in the next screen and accept the TOS:

le_install

You can chose Easy or Secure. Easy will allow both HTTP and HTTPS traffic while Secure will allow only HTTPS. Today I’m going to do Easy.

easy_secure_install

IF all was successfully you should receive a screen similar to this:

le_congrats

Quick test and navigate to your site via HTTPS

https_enabled

You should see a green lock to the left of the URL. Checking the certificate and it shows as valid

colelab_cert

However, lets see what SSL Reports frol Qualys SSL Labs says:

ssl_asses

Looks like we need to disable SSLv3 in Apache. This is easy enough to do by editing the ``Tweet{.twitter-share-button}

One of the biggest topics today is encryption. I can’t remember the last time I haven’t heard “encryption” or “SSL” at least once a day.  Anyone who has enabled SSL on a website knows the pain of getting it to work right, managing the certificates and how expensive certificates can be. Let’s Encrypt has made this super simple and automates it in a way to alleviate the frustration with encryption.

First you will need to setup a website, I will be using Apache on a Digital Ocean droplet. Haven’t heard of Digital Ocean? Check out my previous post on Digital Ocean and cloud infrastructure for labs.  Once you have your website up and running you will need to enable SSL. For Apache we will use mod_ssl, this is a module that provides SSL v3 and TLS c1.x support. You can read more about mod_ssl here.

I’m using CentOS 7.2 for my Apache server – other distros will work as well, however distros such as Ubuntu will be a little bit different.

To install Apache run

sudo yum install httpd -y 

The

1
-y
passes Yes to the prompt to move forward with the install. It will also install a few dependencies as well. Once installed, enable the service:

sudo systemctl enable httpd.service

Now that we have Apache installed – we need to create a website.

First, we’ll create the directory structure.

sudo mkdir -p /var/www/test.com/public_html

the

1
-p
automatically creates the parent directory structure.

[user@test-web ~]# sudo mkdir -p /var/www/test.com/public_html
[cole@test-web ~]# ls -l /var/www/test.com/
total 4
drwxr-xr-x 2 root root 4096 May  3 08:20 test_html

Next we’ll grant permissions as the files are owned by root. We will change the ownership with the

1
chown
command. To make things easy, we use the $USER variable as it will take the current logged in user and set the permissions.

sudo chown -R $USER:$USER /var/ww/test.com/test_html
[cole@test-web /]$ sudo chown -R $USER:$USER /var/www/test.com/test_html
[cole@test-web /]$ ls -l /var/www/test.com/
total 4
drwxr-xr-x 2 cole cole 4096 May  3 09:48 test_html

Lastly for permissions we need to give read access so the pages can be accessed. Using 755 for directory permissions means the owner has full access, any one else can list the directory but cannot create/delete files.

sudo chmod -R 755 /var/www

Now we’ll create a demo page for your virtual host. We’ll create an

1
index.html
page in
1
/var/www/test.com/test_public

You’ll want to use a test editor – I prefer

1
vi or vim
and advise against using
1
nano
– however use whatever you’re comfortable with.

vi /var/www/test.com/test_html

We’re going to use some very simple HTML code for testing.

<html>
  <head>
    <title>Hello World. Welcome to Test.com</title>
  </head>
  <body>
    <h1>Success! The test.com virtual host is working.</h1>
  </body>
</html>

Save and close the file: press

1
esc
and then
1
:wq!

Create a new virtual host file.

sudo mkdir /etc/httpd/sites-available
sudo mkdir /etc/httpd/sites-enabled

Your directory should now look like this:

[cole@test-web ~]$ sudo mkdir /etc/httpd/sites-available
[cole@test-web ~]$ sudo mkdir /etc/httpd/sites-enabled
[cole@test-web ~]$ ls -l /etc/httpd/
total 20
drwxr-xr-x 2 root root 4096 May  3 07:55 conf
drwxr-xr-x 2 root root 4096 May  3 07:55 conf.d
drwxr-xr-x 2 root root 4096 May  3 07:55 conf.modules.d
lrwxrwxrwx 1 root root   19 May  3 07:55 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root   29 May  3 07:55 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   10 May  3 07:55 run -> /run/httpd
drwxr-xr-x 2 root root 4096 May  3 10:02 sites-available
drwxr-xr-x 2 root root 4096 May  3 10:02 sites-enabled

This directory layout isn’t the only way to do this – however it does make it easier to manage virtual hosts.

Edit the

1
httpd.conf
in
1
/etc/httpd/conf/
to tell Apache where to look for the virtual hosts.

sudo vi /etc/httpd/conf/httpd.conf

Add

1
IncludeOptional sites-enabled/*.conf
to the end of the file under Supplemental configuration. This tells Apache to look at any of the configuration files in the sites-enabled directory.

To create the actual virtual hosts file create a configuration file in

1
/etc/httpd/sites-available/

sudo vi /etc/httpd/sites-available/test.com.conf

This will create a blank file and enter the following information:

<VirtualHost *:80>
     ServerName www.test.com
     ServerAlias test.com
     DocumentRoot /var/www/test.com/test_html
     ErrorLog /var/www/test.com/error.log
</VirtualHost>

Then save and close the file.

Now we can enable the virtual host by creating a symbolic link to the

1
sites-enabled
directory.

sudo ln -s /etc/httpd/sites-available/test.com.conf /etc/httpd/sites-enabled/test.com.conf

and restart Apache

1
sudo apachectl restart
.

You can edit your hosts file on your local machine to test by name if you’d like. For Linux and Mac edit the

1
/etc/hosts
file and add:

1
server_ip_address  test.com

In Windows you will need to launch an elevated instance of Notepad and edit

1
C:\Windows\System32\drivers\etc\hosts

test_com_working

Now that we have a website we need to point our domain to the IP Address. SSL are bound to a common name, in this case it would be our domain. You can use a SSL certificate on an IP Address, but it’s not advised or widely used.

We will want to update our DNS to point to our new Digital Ocean droplet. I use NameCheap for my registratar for my domain – they have a detailed walk through on updating your DNS through them here.

I’ve updated my DNS through my registrar and now I can access it via the domain

1
colelabs.tech

test_com_name_working

Before enabling SSL in Apache we will obtain the certificate from Let’s Encrypt.

The easiest way is via the EPEL repository.

sudo yum install epel-release

We will also need to use

1
git
to download the Let’s Encrypt client.

sudo yum install git

To download the Let’s Encrypt client from git we’ll run. We’re putting it in the

1
/opt
directory which is a standard directory for third-party software.

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Time to generate the SSL Certificate with Let’s Encrypt. Change directories to

1
/opt/letsencrypt

cd /opt/letsencrypt

We’re only doing one a single domain so we can run the interactive installation with the

1
letsencrypt-auto
command

sudo ./letsencrypt-auto --apache -d colelabs.tech

You may see a bunch of dependencies being downloaded and installed if they’re not on your server already. The client will install

1
mod_ssl
for Apache during this process.

You will be prompted to enter your email address in the next screen and accept the TOS:

le_install

You can chose Easy or Secure. Easy will allow both HTTP and HTTPS traffic while Secure will allow only HTTPS. Today I’m going to do Easy.

easy_secure_install

IF all was successfully you should receive a screen similar to this:

le_congrats

Quick test and navigate to your site via HTTPS

https_enabled

You should see a green lock to the left of the URL. Checking the certificate and it shows as valid

colelab_cert

However, lets see what SSL Reports frol Qualys SSL Labs says:

ssl_asses

Looks like we need to disable SSLv3 in Apache. This is easy enough to do by editing the`` file under

1
/etc/httpd/conf.d/

Open up the ssl.conf file with a text editor and find the SSLProtocol option.

vi sudo /etc/httpd/conf.d/ssl.conf

It should look like: SSLProtocol all

1
-SSLv2
. To disabled SSLv3 add
1
-SSLv3
after
1
-SSLv2
. This tells Apache to allow all SSL protocols _but_ SSLv2 and SSLv3.

To check to make sure the parameter is set you can grep the

1
ssl.conf
file.

[cole@test-web letsencrypt]$ grep -i -r "SSLProtocol" /etc/httpd
/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2 -SSLv3

Now we’ll restart Apache:

sudo systemctl restart httpd

Then run the test again from ssllabs.com by clicking Clear Cache at the top of the page

clear_cache

Much better result with a simple configuration change.

ssl_asses_A

An optional last step is setting up automatic renewal of the SSL certificate.

Run the

1
sudo ./letsencrypt-auto renew
from the
1
/opt/letsencrypt
directory. Since certificate was just installed the command will only check the expiration date and return a message that the certificate is not up for renewal yet.

[cole@test-web letsencrypt]$ sudo ./letsencrypt-auto renew
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/colelabs.tech.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/colelabs.tech/fullchain.pem (skipped)

Creating a cron job to automatically check for renewal is a simple solution. To create a cron job that runs under the root user run

sudo crontab -e

If you’ve never used cron before here is a handy reference for understanding the format for cron. The cron format consists of five fields:

1
<Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year> <Day_of_the_Week>

We’re going to set our cron job to run every Sunday at 8AM and output to

1
/var/log/sslcert_renew.log

00 8 * * 0 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/sslcert_renew.log

Save and exit the file(

1
:wq!
). You’ve now created a cron job that will execute the renew command every Sunday at 8AM. Output from the file will be located in
1
/var/log/sslcert_renew.log

Let’s Encrypt is a great and easy way to secure a website that runs on Unix-type OSes. Let’s Encrypt left beta on April 12, 2016. You can find more of that information in the Let’s Encrypt blog post:
https://letsencrypt.org/2016/04/12/leaving-beta-new-sponsors.html