Free SSL encryption with letsencrypt

Let's be honest, folks. If SSL encryption is available free of charge and is easy to implement, wouldn't it be foolish not to use it?

Here are some snippets to get you started using letsencrypt on your Ubuntu 16 LTS machine running Apache2.

1. Install letsencrypt
sudo apt-get update  
sudo apt-get install python-letsencrypt-apache  
2. Next configure Apache to use SSL
sudo a2enmod ssl  
sudo a2ensite default-ssl  
sudo systemctl restart apache2  
3. Add the http virtualhost so letsencrypt can validate the certificate files
sudo vi /etc/apache2/sites-available/examplesite.com.conf  

Add the following lines.

<VirtualHost *:80>  
    ServerName examplesite.com
    ServerAlias www.examplesite.com
    DocumentRoot /var/www/html
</VirtualHost>  
4. Enable the site and reload apache
sudo a2ensite examplesite.com.conf  
sudo service apache2 reload  
5. Generate an SSL certificate for your http site using letsencrypt
sudo letsencrypt certonly --agree-tos --keep-until-expiring -d examplesite.com -d www.examplesite.com -a webroot --webroot-path /var/www/html/  
6. Add the SSL virtualhost configuration to your config file. It should look like the following.
sudo vi /etc/apache2/sites-available/examplesite.com.conf  
<VirtualHost *:80>  
    ServerName examplesite.com
    ServerAlias www.examplesite.com
    Redirect permanent / https://examplesite.com/
</VirtualHost>

<VirtualHost  *:443>  
    ServerName examplesite.com
    ServerAlias www.examplesite.com
    DocumentRoot /var/www/html
    UseCanonicalName Off
    ErrorLog /var/log/apache2/examplesite
    CustomLog /var/log/apache2/access_logs/examplesite common
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/examplesite.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/examplesite.com/privkey.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
    DeflateCompressionLevel 9
</VirtualHost>  
Set up a cron job to refresh the certificates on a regular basis
crontab -e  

Add the following line to the bottom of the file

30 2 * * 1 echo -- $(date) -- >> /var/log/le-renew.log && /usr/bin/letsencrypt renew --agree-tos >> /var/log/le-renew.log  

You will most likely need to touch the log file and modify the permissions in order for the logging to work properly

sudo touch /var/log/le-renew.log && sudo chmod 666 /var/log/le-renew.log  
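
A quick check for the result of steps 3 and 6, as an added example that is not part of the original post: the hypothetical helper `audit_vhost` reads a vhost file and reports when port 80 still serves content instead of redirecting, or when the :443 block is not using the letsencrypt `live` files. The two sample files are constructed from the configs above, trimmed.

```bash
# Added example, not from the original post; audit_vhost is a hypothetical helper.
# Prints one finding per line and returns non-zero unless the step 6 layout holds.
audit_vhost() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^<virtualhost/ {   # block start: extract port, reset flags
        port = line; sub(/^.*:/, "", port); sub(/[^0-9].*$/, "", port)
        redirect = engine = cert = key = 0
    }
    low ~ /^redirect[ \t]+(permanent|301)[ \t]+\/[ \t]+https:\/\// { redirect = 1 }
    low ~ /^sslengine[ \t]+on/ { engine = 1 }
    low ~ /^sslcertificatefile[ \t]+\/etc\/letsencrypt\/live\/[^ \t]+\/fullchain\.pem/ { cert = 1 }
    low ~ /^sslcertificatekeyfile[ \t]+\/etc\/letsencrypt\/live\/[^ \t]+\/privkey\.pem/ { key = 1 }
    low ~ /^<\/virtualhost>/ {
        if (port == "80" && !redirect) { print "port 80: no permanent redirect to https"; bad = 1 }
        if (port == "443") {
            seen443 = 1
            if (!engine) { print "port 443: SSLEngine is not on"; bad = 1 }
            if (!cert) { print "port 443: certificate is not the live fullchain.pem"; bad = 1 }
            if (!key) { print "port 443: key is not the live privkey.pem"; bad = 1 }
        }
    }
    END {
        if (!seen443) { print "no :443 virtual host"; bad = 1 }
        exit bad + 0
    }' "$1"
}
# Constructed sample input: the step 3 and step 6 files from this page, trimmed.
write_samples() {
    cat > "$1/step3.conf" <<'EOF'
<VirtualHost *:80>
    ServerName examplesite.com
    DocumentRoot /var/www/html
</VirtualHost>
EOF
    cat > "$1/step6.conf" <<'EOF'
<VirtualHost *:80>
    Redirect permanent / https://examplesite.com/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/examplesite.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/examplesite.com/privkey.pem
</VirtualHost>
EOF
}
tmp=$(mktemp -d) && write_samples "$tmp"
audit_vhost "$tmp/step3.conf" || echo "step3.conf: not yet HTTPS-only"
audit_vhost "$tmp/step6.conf" && echo "step6.conf: matches the step 6 layout"
```

Run it against the real vhost file after step 6 and before reloading Apache; a non-zero exit means the site would still answer over plain HTTP or with a certificate other than the one letsencrypt issued.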

-- Update: I have created a letsEncrypt provision script for use with Ubuntu and Apache. Check it out here > https://gist.github.com/peledies/2b7ef3a4f63d03f8b662a68b21152fb5

That's it! Your site is now SSL encrypted! Now, quick, go encrypt the rest of your sites.

 

Certificate Removal

If you ever need to remove a certificate, for example, if you no longer manage a particular domain, see my post about removing a certificate below.

remove a LetsEncrypt certificate