Setting up Let’s Encrypt – Free SSL/TLS Certificates on Debian Jessie

OS Type: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 (64 bit)
Server Software: Apache
CPU Cores: 2 Cores
Load Average: 0.14, 0.11, 0.09
Disk Space: 83.83 GB (9%) used of 912.86 GB total
Database Size: 12.91 MB
MySQL Version: 5.5.59-0+deb8u1

That’s the current server, so we need to set up SSL (https://) for the domains here:
radioforjesus.com
www.radioforjesus.com
and the new WordPress install, without and with www:
https://radioforjesus.com/wordpress
https://www.radioforjesus.com/wordpress

while making sure the mp3 directories don’t require https.

Another reason to have https is that Facebook and Slack both require it:
https://stackoverflow.com/questions/8574344/what-are-app-domains-in-facebook-apps

Here’s the site we have already set up:
https://www.recyclethebible.org/recycle/


So let’s get started:

  1. https://letsencrypt.org/getting-started/
  2. https://community.letsencrypt.org/latest
  3. https://certbot.eff.org/all-instructions/#debian-8-jessie-apache
  4. https://certbot.eff.org/#debianjessie-apache
  5. https://certbot.eff.org/lets-encrypt/debianjessie-apache.html <- security update

#########################################################
#Check debian version
cat /etc/issue
#should return: Debian GNU/Linux 8 \n \l
#if it is debian 8 jessie, continue
#########################################################

Add backports to your sources.list

see https://backports.debian.org/Instructions/

For jessie, add the line

deb http://ftp.debian.org/debian jessie-backports main

to your sources.list (or add a new file with the “.list” extension to /etc/apt/sources.list.d/):

echo 'deb http://ftp.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list

#Alternatively, append debian 8 jessie backports to your /etc/apt/sources.list.d/sources.list

#echo 'deb http://ftp.debian.org/debian jessie-backports main' >> /etc/apt/sources.list.d/sources.list

for the Debian testing suite:
echo 'deb http://ftp2.de.debian.org/debian/ testing main' >> /etc/apt/sources.list.d/sources.list

Install backports & Certbot


#All backports are deactivated by default
#(i.e. the packages are pinned to 100 by using ButAutomaticUpgrades: yes in the Release files).
#If you want to install something from backports run:
apt-get -t stretch-backports install "package"

returns:
Reading package lists... Done
E: The value 'stretch-backports' is invalid for APT::Default-Release as such a release is not available in the sources

because we forgot to update (and on Debian 8 the release is jessie-backports, not stretch-backports):

apt-get update

& we have to install the actual packages, oops:

apt-get install certbot python-certbot-apache -t jessie-backports

When we run certbot it returns the error:

Client with the currently selected authenticator does not support any combination of challenges
that will satisfy the CA.

which is fixed by selecting the webroot authenticator:

certbot --authenticator webroot

TLS Security Update

The certbot apache plugin used the TLS-SNI challenge, which Let’s Encrypt discontinued, so I used the command below (webroot authentication) to add a new domain to the existing setup here:

certbot certonly --webroot -d radioforjesus.com -d www.radioforjesus.com --webroot-path /home/radioforjesus/public_html


Certbot Apache Plugin

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

#certbot --apache -d www.recyclethebible.org -d recyclethebible.org

Certbot’s DNS plugins, which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server, are NOT available for your OS yet.

Running this command will get a certificate for you
and have Certbot edit your Apache configuration automatically
to serve it. If you’re feeling more conservative and would
like to make the changes to your Apache configuration by hand,
you can use the certonly subcommand:

#certbot --apache certonly


Automating renewal

The Certbot packages on your system come with a cron job
that will renew your certificates automatically before they expire.
Since Let’s Encrypt certificates last for 90 days,
it’s highly advisable to take advantage of this feature.
You can test automatic renewal for your certificates by running this command:

#certbot renew --dry-run

If that appears to be working correctly,
you can arrange for automatic renewal
by adding a cron or systemd job which runs the following:

certbot renew


Adding a Cron Job

crontab -l

crontab -e

@weekly /home/everyweek.sh


Simple start script

nano /home/everyweek.sh

#!/bin/sh

#test first (dry run, no certificates are changed)
letsencrypt renew --dry-run --agree-tos

#Production: once the dry run works, replace the line above with one of these
#letsencrypt renew >> /var/log/letsencrypt/renew.log
#/usr/bin/certbot renew >> /var/log/letsencrypt/renew.log

service apache2 reload
#EOF

#make the script executable so cron can run it
chmod +x /home/everyweek.sh

************************
For posting to Slack, get the url from Slack for custom hooks to replace the ????? in the url

#!/bin/bash

#capture stderr too (2>&1), otherwise renewal errors never reach Slack
/usr/bin/certbot renew > /home/renew.log 2>&1

#read the whole log into a variable
CERTPUG=$(</home/renew.log)

#note: the log is inserted into the JSON as-is, so a double quote or backslash in certbot's output would break the payload
curl -X POST --data-urlencode "payload={\"channel\": \"#general\", \"username\": \"webhookbot\", \"text\": \"Weekly letsencrypt!\n$CERTPUG\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/????????

service apache2 reload

#EOF

returns (in Slack):

Weekly letsencrypt!

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/radioforjesus.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.net.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.radioforjesus.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com-0001.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
/etc/letsencrypt/live/jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.net/fullchain.pem (skipped)
/etc/letsencrypt/live/www.radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/jesus-christ-forums.com-0001/fullchain.pem (skipped)
No renewals were attempted.
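
A hardened version of the weekly renewal and Slack-posting scripts above, as an added example that is not part of the original post: it captures stderr as well as stdout, escapes certbot's output so quotes or backslashes cannot break the JSON payload, and reloads Apache only when certificates may actually have changed. The webhook URL placeholder and the "renewed"/"failed" summary phrases are assumptions; the "No renewals were attempted." line is the one shown in the post's output.

```shell
#!/bin/bash
# Added example, not the post's script. Assumes certbot is /usr/bin/certbot, Apache
# reloads with "service apache2 reload", and SLACK_WEBHOOK_URL is a placeholder.
SLACK_WEBHOOK_URL="${SLACK_WEBHOOK_URL:-https://hooks.slack.com/services/PLACEHOLDER}"

# Escape backslashes, double quotes and newlines so arbitrary certbot output
# can sit inside a JSON string without breaking the Slack payload.
json_escape() {
    printf '%s' "$1" \
      | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
      | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g'
}

# Same payload shape as the post's script, with the text escaped.
slack_payload() {
    printf '{"channel": "#general", "username": "webhookbot", "text": "%s", "icon_emoji": ":ghost:"}' \
        "$(json_escape "$1")"
}

# Classify "certbot renew" output from its summary lines. "No renewals were attempted."
# is the line in the post; the renewed/failed phrases are certbot's own summary wording.
classify_renew_output() {
    if printf '%s\n' "$1" | grep -qE 'could not be renewed|renewal attempts failed|renew failure'; then
        echo failed
    elif printf '%s\n' "$1" | grep -qE 'successfully renewed|have been renewed'; then
        echo renewed
    elif printf '%s\n' "$1" | grep -q 'No renewals were attempted'; then
        echo skipped
    else
        echo unknown
    fi
}

renew_and_notify() {
    local out status text
    # 2>&1: the post's script only captured stdout, so a failure on stderr never reached Slack.
    out=$(/usr/bin/certbot renew 2>&1)
    status=$(classify_renew_output "$out")
    text="Weekly letsencrypt: $status
$out"
    curl -sS -X POST --data-urlencode "payload=$(slack_payload "$text")" "$SLACK_WEBHOOK_URL"
    # "skipped" means every certificate was still far from expiry, so no reload is needed.
    [ "$status" = skipped ] || service apache2 reload
}

# Run only when asked (RENEW_NOW=1 ./everyweek.sh), so the functions can be checked safely.
if [ "${RENEW_NOW:-0}" = 1 ]; then
    renew_and_notify
fi
```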

 

