Setting up a Let’s Encrypt – Free SSL/TLS Certificates on Debian Jessie

 

OS Type: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 (64 bit)
Server Software: Apache
CPU Cores: 2 Cores
Load Average: 0.14, 0.11, 0.09
Disk Space: 83.83 GB (9%) used of 912.86 GB total
Database Size: 12.91 MB
MySQL Version: 5.5.59-0+deb8u1

That’s the current server, so we need to setup SSL https:// for the domains here
radioforjesus.com
www.radioforjesus.com
The new WordPress without www
https://radioforjesus.com/wordpress
https://www.radioforjesus.com/wordpress

while making sure the mp3 directories doesn’t require https

Other reasons to have a https is that Facebook & Slack requires https
https://stackoverflow.com/questions/8574344/what-are-app-domains-in-facebook-apps

Here’s the site we have already setup
https://www.recyclethebible.org/recycle/


So let’s get started:

  1. https://letsencrypt.org/getting-started/
  2. https://community.letsencrypt.org/latest
  3. https://certbot.eff.org/all-instructions/#debian-8-jessie-apache
  4. https://certbot.eff.org/#debianjessie-apache
  5. https://certbot.eff.org/lets-encrypt/debianjessie-apache.html <- security update

#########################################################
#Check debian version
cat /etc/issue
#should returns: Debian GNU/Linux 8 \n \l
#if debian 8 jessie continue
#########################################################

Add backports to your sources.list

see https://backports.debian.org/Instructions/

For jessie

echo 'deb http://ftp.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list
to your sources.list (or add a new file with the “.list” extension to /etc/apt/sources.list.d/)

#Add debian 8 jessie backports to your /etc/apt/sources.list.d/sources.list

#echo 'deb http://ftp.debian.org/debian jessie-backports main' >> /etc/apt/sources.list.d/sources.list

for testing:
echo 'deb http://ftp2.de.debian.org/debian/ testing main' >> /etc/apt/sources.list.d/sources.list

Install backports
&
Certbot

 

#All backports are deactivated by default
#(i.e. the packages are pinned to 100 by using ButAutomaticUpgrades: yes in the Release files.
#If you want to install something from backports run:
apt-get -t stretch-backports install "package"

returns:Reading package lists... Done
E: The value 'stretch-backports' is invalid for APT::Default-Release as such a release is not available in the sources

because we forgot to update

apt-get update

& we have to do the actual “packages” oops

apt-get install certbot python-certbot-apache -t jessie-backports

we run certbot  returns error

Client with the currently selected authenticator does not support any combination of challenges
that will satisfy the CA.

which is fixed by

certbot --authenticator webroot

TLS Security Update

certbot plugin apache used tls which was discontinued , so I used the below to add a new domain to the existing setup here.

certbot certonly --webroot -d radioforjesus.com -d www.radioforjesus.com --webroot-path /home/radioforjesus/public_html


Certbot Apache Plugin

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

#certbot --apache -d www.recyclethebible.org -d recyclethebible.org

Certbot’s DNS plugins which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server
are NOT available for your OS yet.

Running this command will get a certificate for you
and have Certbot edit your Apache configuration automatically
to serve it. If you’re feeling more conservative and would
like to make the changes to your Apache configuration by hand,
you can use the certonly subcommand:

#certbot --apache certonly


Automating renewal

The Certbot packages on your system come with a cron job
that will renew your certificates automatically before they expire.
Since Let’s Encrypt certificates last for 90 days,
it’s highly advisable to take advantage of this feature.
You can test automatic renewal for your certificates by running this command:

#certbot renew --dry-run

If that appears to be working correctly????,
you can arrange for automatic renewal
by adding a cron or systemd job which runs the following:

certbot renew


Adding a Cron Job

crontab -l

crontab -e

@weekly /home/everyweek.sh


Simple start script

nano /home/everyweek.sh
#!/bin/sh

#test first
letsencrypt renew --dry-run --agree-tos

#Production
#letsencrypt renew >> /var/log/letsencrypt/renew.log
#/usr/bin/certbot renew >> /var/log/letsencrypt/renew.log

service apache2 reload
#EOF

************************
For posting to Slack, get url from Slack for custom hooks to replace the ????? in url

#!/bin/bash

/usr/bin/certbot renew > /home/renew.log

CERTPUG=$(</home/renew.log)

curl -X POST --data-urlencode "payload={\"channel\": \"#general\", \"username\": \"webhookbot\", \"text\": \"Weekly letsencrypt!\n$CERTPUG\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/????????

service apache2 reload

#EOF

 returns

Weekly letsencrypt!

——————————————————————————-
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/radioforjesus.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.net.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.radioforjesus.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com-0001.conf
——————————————————————————-

The following certs are not due for renewal yet:
/etc/letsencrypt/live/jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.net/fullchain.pem (skipped)
/etc/letsencrypt/live/www.radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/jesus-christ-forums.com-0001/fullchain.pem (skipped)
No renewals were attempted.

 


Homepage
https://letsencrypt.org/

Tweets by letsencrypt

Github
https://github.com/letsencrypt/website

The world’s fastest framework for building websites
https://gohugo.io/


Secure Sockets Layer (SSL) Certification Market Analysis, Growth, Size, Share, Trends, Forecast, Supply Demand and ...  managementjournal24.comFull coverage
Secure Sockets Layer (SSL) Certification Market Analysis including Size, Share, Key Drivers, Growth Opportunities and ...  Market JournalLeading Research Report of Secure Sockets Layer (SSL) Certification Market 2017: Emerging Trends, Technology ...  mymarketgazette.comSecure Sockets Layer (SSL) Certification Market Production, Source & Consumption Analysis With Forecast To 2021  advertisingmarket24.comFull coverage
Fastly\'s Platform TLS enables secure browsing at scale  ITWebFull coverage
Secure Sockets Layer (SSL) Certification Market Analysis, Growth, Size, Share, Trends, Forecast, Supply Demand to ...  IDA ReportFull coverage
Secure Sockets Layer (SSL) Certification Market 2017 analysis: Market size, share production and consumption ...  marketresearchday.comFull coverage
HTTPSの証明書を無料で発行するLet\'s Encryptが三歳の誕生日、これまで380Mの証明書を発行  TechCrunch JapanFull coverage
Three years later, Let\'s Encrypt has issued over 380 million HTTPS certificates  TechCrunchFull coverage
Does using certificalte for a wrong domain affect connection security?  SitePointFull coverage
Fastly Launches New Security Solution to Help Scale Secure Modern Browsing Experiences  GlobeNewswire (press release)Full coverage
British Airways hack was by same group that compromised Ticketmaster  CSO OnlineBritish Airways Fell Victim To Card Scraping Attack  BleepingComputerFull coverage