I decided to give Let’s Encrypt a try. I’m still running Debian Wheezy:
alex@kallobombus:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 7.9 (wheezy)
Release: 7.9
Codename: wheezy
I followed their instructions for letsencrypt-auto:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
And then I picked the Webroot plugin:
=> Webroot
./letsencrypt-auto certonly --webroot -w ~/arabisch-lernen.org/ -d arabisch-lernen.org
I had to provide my email address and agree to their terms and conditions and that seemed to work. I added the necessary config parameters myself. The site’s config file was /etc/apache2/sites-available/arabisch-lernen.org and the two important parts are the following two points:
/etc/letsencrypt/live/
As I’m using Debian Wheezy this means I’m using Apache/2.2.22 (Debian) mod_ssl/2.2.22 OpenSSL/1.0.1e.
ServerName arabisch-lernen.org
ServerAlias www.arabisch-lernen.org
Redirect permanent / https://arabisch-lernen.org/
ServerAdmin alex@arabisch-lernen.org
Options None
AllowOverride None
Order Deny,Allow
Deny from all
ServerName arabisch-lernen.org
ServerAlias www.arabisch-lernen.org
DocumentRoot /home/alex/arabisch-lernen.org
Options ExecCGI Includes Indexes MultiViews SymLinksIfOwnerMatch
AddHandler cgi-script .pl
AllowOverride All
Order Allow,Deny
Allow from all
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/arabisch-lernen.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/arabisch-lernen.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/arabisch-lernen.org/chain.pem
SSLVerifyClient None
Todo:
=> forum
For the cron job, it seems that we cannot just run letsencrypt-auto, we need to specify all the stuff we used in previous calls. If we don’t, we’re told: «No installers seem to be present and working on your system; fix that or try running letsencrypt with the “certonly” command.» If we use the certonly command, then we’re asked for domain names...
So, these commands all need to be run because I use a different certificate for every domain:
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/alexschroeder.ch/ -d alexschroeder.ch -d www.alexschroeder.ch
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/arabisch-lernen.org/ -d arabisch-lernen.org -d www.arabisch-lernen.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/campaignwiki.org/ -d campaignwiki.org -d www.campaignwiki.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/communitywiki.org/ -d communitywiki.org -d www.communitywiki.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/korero.org/ -d korero.org -d www.korero.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/oddmuse.org/ -d oddmuse.org -d www.oddmuse.org
~/src/letsencrypt/letsencrypt-auto certonly --webroot -w ~/orientalisch.info/ -d orientalisch.info -d www.orientalisch.info
Check that the info was not created in a new directory:
ls /etc/letsencrypt/live
Restart Apache:
sudo service apache2 graceful
And, elsewhere:
/home/nicferrier/src/letsencrypt/letsencrypt-auto certonly --webroot -w /home/nicferrier/emacswiki.org/ -d emacswiki.org -d www.emacswiki.org
Ignoring SNIMissingWarning on this Ubuntu 14.04.1 LTS...
Reload nginx:
sudo service nginx reload
Also, calling letsencrypt-auto requires root privileges. Yikes!
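The cron job steps above (one certonly call per domain, the check of /etc/letsencrypt/live, the graceful restart) can be wrapped in one script. This is an added example, not part of the original post; it assumes the script runs from root's crontab and that the clone and webroots live under /home/alex, and the function names and the `--run` switch are made up for illustration.

```shell
#!/bin/sh
# Added example: cron wrapper around the per-domain commands from the post.
# Assumptions: the paths below, and that this runs from root's crontab.
LE_AUTO="${LE_AUTO:-/home/alex/src/letsencrypt/letsencrypt-auto}"
WEBROOT_BASE="${WEBROOT_BASE:-/home/alex}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
DOMAINS="alexschroeder.ch arabisch-lernen.org campaignwiki.org communitywiki.org korero.org oddmuse.org orientalisch.info"

# One certificate per domain, with the same arguments as the manual call.
renew_one() {
    "$LE_AUTO" certonly --webroot -w "$WEBROOT_BASE/$1/" \
        -d "$1" -d "www.$1"
}

# Print every directory under $1 that is not one of the expected names
# given as the remaining arguments. A duplicate (constructed sample:
# "korero.org-0001") means the Apache config, which points at
# live/<domain>/, would keep serving the old certificate.
unexpected_live_dirs() {
    live=$1; shift
    for entry in "$live"/*; do
        [ -d "$entry" ] || continue      # skips files and an empty glob
        name=${entry##*/}
        case " $* " in
            *" $name "*) ;;              # expected domain directory
            *) printf '%s\n' "$name" ;;  # anything else gets reported
        esac
    done
    return 0
}

renew_all() {
    for domain in $DOMAINS; do
        renew_one "$domain" || { echo "renewal failed: $domain" >&2; return 1; }
    done
    extra=$(unexpected_live_dirs "$LIVE_DIR" $DOMAINS)
    if [ -n "$extra" ]; then
        echo "unexpected directories in $LIVE_DIR: $extra" >&2
        return 1                         # do not restart on a mismatch
    fi
    service apache2 graceful
}

# Only act when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    renew_all
fi
```

Because cron mails anything written to stderr, a failed renewal or a stray directory shows up as a message instead of a silently expiring certificate.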
⁂
Hi Alex
Do I need to have git installed to do this?
– Ben 2016-04-28 17:17 UTC
Maybe? If you’re running a new operating system, your package manager might know how to install everything. If you are running Debian Wheezy, then you do need it. See the Getting Started page.
– Alex Schroeder 2016-04-28 22:09 UTC
Well thanks, but my question was whether I would need to install git first (and which version, backport or normal) on wheezy to “git clone” the letsencrypt package. No one really says this clearly enough for me... 😄
– Ben 2016-04-29 13:33 UTC
The traditional way to do it would be to try it. :P But clearly, if the installation instructions say you need to run “git clone something”, then having git is a precondition. Therefore:
alex@kallobombus:~$ sudo apt-get install git
[sudo] password for alex:
Reading package lists... Done
Building dependency tree
Reading state information... Done
git is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
alex@kallobombus:~$ git --version
git version 1.7.10.4
– Alex Schroeder 2016-04-30 18:32 UTC