Apache2 and https

Written by Robert

I renewed the backend of the blog and I went for Let's Encrypt for my SSL certificate. The process on Ubuntu-based servers is fairly straightforward.

Installing the SSL tool:

When logged in over SSH, you can download the certbot-auto script from the EFF, which requests and installs the certificate:

sudo wget https://dl.eff.org/certbot-auto -P /usr/local/sbin

After that you need to make the script executable:

sudo chmod a+x /usr/local/sbin/certbot-auto

This tool can save you quite some time as it requests the certificate and installs it for you automatically. Because this blog runs on Apache2, the command is very simple:

certbot-auto --apache -d arawn.org -d www.arawn.org

If you wish, you can add more -d options to cover multiple subdomains and other domains that you are running on a single host.

After that, the website is active on https.

Automatically renew SSL certificate:

Let's Encrypt doesn't issue long-lasting SSL certificates. That's not a problem, because the certbot tool can easily handle certificate renewals.

If you open the crontab using the 'crontab -e' command, you can enter this line:

0 1 * * 7 /usr/local/sbin/certbot-auto renew >> /var/log/certbot-auto-renew.log

That will run the renewal every Sunday at 01:00 AM. Certificates that are not yet due for renewal are skipped.

The result will look something like this:

Processing /etc/letsencrypt/renewal/arawn.org.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/arawn.org/fullchain.pem (skipped)
No renewals were attempted.

Forcing https:

Using https is nice, but as long as users aren't sent to it automatically, they still end up on the insecure http site.

If you are using a fairly default Apache2 configuration, the site will be listed as a VirtualHost in /etc/apache2/sites-enabled/000-default.conf

Inside the VirtualHost that serves the site over plain http, you can comment out the following line:

DocumentRoot /var/www/html

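After that line you can enter a new line that forces it to https. Keep the trailing slash on the target: Apache appends the rest of the requested path to it, so without the slash a request for /about would be sent to https://www.arawn.orgabout.

Redirect permanent / https://www.arawn.org/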

After restarting Apache, users are automatically forwarded to the new site.
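
A quick lint for the redirect described above, as an added example that is not part of the original post. The function name check_http_redirect and the sample config are made up for illustration; the check only looks at uncommented Redirect lines for "/" inside a port-80 VirtualHost.

```shell
#!/usr/bin/env bash
# Added example: lint an Apache vhost file for the http -> https redirect.
# Exit status: 0 = redirect OK, 1 = no redirect for "/" in a port-80 VirtualHost,
#              2 = target is not https://, 3 = target lacks the trailing slash.
check_http_redirect() {
    awk '
        BEGIN { status = 1 }
        /^[ \t]*#/ { next }                        # skip commented-out lines
        tolower($1) == "<virtualhost" {            # opening tag, e.g. <VirtualHost *:80>
            http_vhost = ($2 ~ /:80>$/)
            next
        }
        tolower($1) == "</virtualhost>" { http_vhost = 0; next }
        http_vhost && tolower($1) == "redirect" {
            # Forms: "Redirect / URL" and "Redirect permanent / URL"
            path = $(NF - 1); target = $NF
            gsub(/"/, "", path); gsub(/"/, "", target)
            if (path != "/") next                  # only the site-wide redirect matters here
            if (target !~ /^https:\/\//)   status = 2
            else if (target !~ /\/$/)      status = 3
            else                           status = 0
        }
        END { exit status }
    ' "$1"
}

# Constructed sample (not the real file from this server): target without trailing slash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    #DocumentRoot /var/www/html
    Redirect permanent / https://www.arawn.org
</VirtualHost>
EOF
check_http_redirect "$sample" && echo "redirect OK" || echo "redirect problem, status $?"
rm -f "$sample"
```

Run it against /etc/apache2/sites-enabled/000-default.conf before restarting Apache; a non-zero status means plain-http visitors are not being sent to a well-formed https URL.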