Setting up a Let’s Encrypt – Free SSL/TLS Certificates on Debian Jessie
OS Type: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 (64 bit)
Server Software: Apache
CPU Cores: 2 Cores
Load Average: 0.14, 0.11, 0.09
Disk Space: 83.83 GB (9%) used of 912.86 GB total
Database Size: 12.91 MB
MySQL Version: 5.5.59-0+deb8u1

That’s the current server, so we need to set up SSL (https://) for these domains:
radioforjesus.com
www.radioforjesus.com
The new WordPress without www:
https://radioforjesus.com/wordpress
https://www.radioforjesus.com/wordpress

while making sure the mp3 directories don’t require https.

Another reason to have https is that Facebook & Slack require it:
https://stackoverflow.com/questions/8574344/what-are-app-domains-in-facebook-apps

Here’s the site we have already set up:
https://www.recyclethebible.org/recycle/


So let’s get started:

  1. https://letsencrypt.org/getting-started/
  2. https://community.letsencrypt.org/latest
  3. https://certbot.eff.org/all-instructions/#debian-8-jessie-apache
  4. https://certbot.eff.org/#debianjessie-apache
  5. https://certbot.eff.org/lets-encrypt/debianjessie-apache.html <- security update

#########################################################
#Check debian version
cat /etc/issue
#should return: Debian GNU/Linux 8 \n \l
#if debian 8 jessie continue
#########################################################

Add backports to your sources.list

see https://backports.debian.org/Instructions/

For jessie, add the line

deb http://ftp.debian.org/debian jessie-backports main

to your sources.list (or add a new file with the “.list” extension to /etc/apt/sources.list.d/), e.g.:

echo 'deb http://ftp.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list

#Alternative: append debian 8 jessie backports to /etc/apt/sources.list.d/sources.list
#echo 'deb http://ftp.debian.org/debian jessie-backports main' >> /etc/apt/sources.list.d/sources.list

for testing (only if you really need packages from Debian testing; on a production stable box this is not recommended, since apt will start pulling testing packages into the install):
echo 'deb http://ftp2.de.debian.org/debian/ testing main' >> /etc/apt/sources.list.d/sources.list

Install backports & Certbot


#All backports are deactivated by default
#(i.e. the packages are pinned to 100 by using ButAutomaticUpgrades: yes in the Release files).
#If you want to install something from backports run:
apt-get -t stretch-backports install "package"

returns:
Reading package lists... Done
E: The value 'stretch-backports' is invalid for APT::Default-Release as such a release is not available in the sources

because we forgot to update (and because “stretch-backports” is copied from the instructions page; on a jessie box the release to target is jessie-backports)

apt-get update

& then we have to install the actual “packages”, with the right release target, oops:

apt-get install certbot python-certbot-apache -t jessie-backports

Running certbot returns the error:

Client with the currently selected authenticator does not support any combination of challenges
that will satisfy the CA.

which is fixed by

certbot --authenticator webroot

TLS Security Update

The certbot Apache plugin used the TLS-SNI challenge, which has been discontinued, so I used the command below (webroot authentication) to add a new domain to the existing setup:

certbot certonly --webroot -d radioforjesus.com -d www.radioforjesus.com --webroot-path /home/radioforjesus/public_html


Certbot Apache Plugin

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

#certbot --apache -d www.recyclethebible.org -d recyclethebible.org

Certbot’s DNS plugins which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server
are NOT available for your OS yet.

Running this command will get a certificate for you
and have Certbot edit your Apache configuration automatically
to serve it. If you’re feeling more conservative and would
like to make the changes to your Apache configuration by hand,
you can use the certonly subcommand:

#certbot --apache certonly


Automating renewal

The Certbot packages on your system come with a cron job
that will renew your certificates automatically before they expire.
Since Let’s Encrypt certificates last for 90 days,
it’s highly advisable to take advantage of this feature.
You can test automatic renewal for your certificates by running this command:

#certbot renew --dry-run

If that appears to be working correctly,
you can arrange for automatic renewal
by adding a cron or systemd job which runs the following:

certbot renew


Adding a Cron Job

crontab -l

crontab -e

@weekly /home/everyweek.sh


Simple start script

nano /home/everyweek.sh
#!/bin/sh
#(cron runs this file directly, so make it executable: chmod +x /home/everyweek.sh)

#test first
letsencrypt renew --dry-run --agree-tos

#Production: once the dry run works, comment out the test line and use one of these
#letsencrypt renew >> /var/log/letsencrypt/renew.log
#/usr/bin/certbot renew >> /var/log/letsencrypt/renew.log

#reload apache so it picks up renewed certificate files
service apache2 reload
#EOF

************************
For posting to Slack, get the incoming-webhook URL from Slack (custom integrations / incoming webhooks) and use it to replace the ???????? in the curl URL below

#!/bin/bash

#capture stdout AND stderr, otherwise renewal errors never reach the log or Slack
/usr/bin/certbot renew > /home/renew.log 2>&1

#read the whole log into a variable
CERTPUG=$(</home/renew.log)

#post the log as the message text (legacy incoming-webhook "payload" form);
#note: a double quote or backslash in the log would break this hand-built JSON
curl -X POST --data-urlencode "payload={\"channel\": \"#general\", \"username\": \"webhookbot\", \"text\": \"Weekly letsencrypt!\n$CERTPUG\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/????????

service apache2 reload

#EOF

returns:

Weekly letsencrypt!

——————————————————————————-
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/radioforjesus.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.net.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.radioforjesus.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com-0001.conf
——————————————————————————-

The following certs are not due for renewal yet:
/etc/letsencrypt/live/jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.net/fullchain.pem (skipped)
/etc/letsencrypt/live/www.radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/jesus-christ-forums.com-0001/fullchain.pem (skipped)
No renewals were attempted.
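A renewal script for the same weekly job, added here as an example (it is not the post's script): it captures certbot's stderr as well as stdout, JSON-escapes the log before putting it into the Slack payload, reports certbot's exit status in the message and reloads Apache only after a successful run. It assumes the webhook URL is stored in /etc/letsencrypt/slack-webhook.url (a hypothetical path chosen here so the secret is not inside the script) and certbot at /usr/bin/certbot as in the post.

```shell
#!/bin/sh
# Weekly Let's Encrypt renewal with a Slack report. Added example, not the
# original post's script. Assumptions (not from the post): the webhook URL is
# kept in /etc/letsencrypt/slack-webhook.url (hypothetical path, mode 0600)
# instead of inside the script, and certbot lives at /usr/bin/certbot.
WEBHOOK_FILE=/etc/letsencrypt/slack-webhook.url
LOG=/var/log/letsencrypt/renew.log

# Escape text for a JSON string literal: backslash and double quote get a
# backslash in front, real newlines become the two characters \n. The post's
# script pasted the raw log into the payload, which breaks on any quote.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# Build the legacy incoming-webhook payload (same channel/username as the post).
slack_payload() {
    printf '{"channel":"#general","username":"webhookbot","icon_emoji":":ghost:","text":"%s"}' \
        "$(json_escape "$1")"
}

# Run the renewal, capturing stdout AND stderr: the post's script captured only
# stdout, so a failed renewal would have posted an empty report.
renew_and_notify() {
    out=$(/usr/bin/certbot renew 2>&1); status=$?
    printf '%s\n' "$out" >> "$LOG"
    if [ "$status" -eq 0 ]; then
        title="Weekly letsencrypt: OK"
    else
        title="Weekly letsencrypt: FAILED (certbot exit $status)"
    fi
    curl -sS -X POST -H 'Content-type: application/json' \
        --data "$(slack_payload "$title
$out")" "$(cat "$WEBHOOK_FILE")"
    # Reload Apache only after a successful run (certbot's --deploy-hook is the
    # more precise alternative: it runs only when a certificate was renewed).
    [ "$status" -eq 0 ] && service apache2 reload
    return "$status"
}

# Only act when called as "everyweek.sh run" (e.g. from cron), so the functions
# above can be sourced and checked without touching certbot or Slack.
case "${1:-}" in
    run) renew_and_notify ;;
esac
```

Install it as `@weekly /home/everyweek.sh run`; without the `run` argument the file only defines the functions.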
