Setting up a Let’s Encrypt – Free SSL/TLS Certificates on Debian Jessie

 

OS Type: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 (64 bit)
Server Software: Apache
CPU Cores: 2 Cores
Load Average: 0.14, 0.11, 0.09
Disk Space: 83.83 GB (9%) used of 912.86 GB total
Database Size: 12.91 MB
MySQL Version: 5.5.59-0+deb8u1

That’s the current server, so we need to setup SSL https:// for the domains here
radioforjesus.com
www.radioforjesus.com
The new WordPress without www
https://radioforjesus.com/wordpress
https://www.radioforjesus.com/wordpress

while making sure the mp3 directories doesn’t require https

Other reasons to have a https is that Facebook & Slack requires https
https://stackoverflow.com/questions/8574344/what-are-app-domains-in-facebook-apps

Here’s the site we have already setup
https://www.recyclethebible.org/recycle/


So let’s get started:

  1. https://letsencrypt.org/getting-started/
  2. https://community.letsencrypt.org/latest
  3. https://certbot.eff.org/all-instructions/#debian-8-jessie-apache
  4. https://certbot.eff.org/#debianjessie-apache
  5. https://certbot.eff.org/lets-encrypt/debianjessie-apache.html <- security update

#########################################################
#Check debian version
cat /etc/issue
#should returns: Debian GNU/Linux 8 \n \l
#if debian 8 jessie continue
#########################################################

Add backports to your sources.list

see https://backports.debian.org/Instructions/

For jessie

echo 'deb http://ftp.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list
to your sources.list (or add a new file with the “.list” extension to /etc/apt/sources.list.d/)

#Add debian 8 jessie backports to your /etc/apt/sources.list.d/sources.list

#echo 'deb http://ftp.debian.org/debian jessie-backports main' >> /etc/apt/sources.list.d/sources.list

for testing:
echo 'deb http://ftp2.de.debian.org/debian/ testing main' >> /etc/apt/sources.list.d/sources.list

Install backports
&
Certbot

 

#All backports are deactivated by default
#(i.e. the packages are pinned to 100 by using ButAutomaticUpgrades: yes in the Release files.
#If you want to install something from backports run:
apt-get -t stretch-backports install "package"

returns:Reading package lists... Done
E: The value 'stretch-backports' is invalid for APT::Default-Release as such a release is not available in the sources

because we forgot to update

apt-get update

& we have to do the actual “packages” oops

apt-get install certbot python-certbot-apache -t jessie-backports

we run certbot  returns error

Client with the currently selected authenticator does not support any combination of challenges
that will satisfy the CA.

which is fixed by

certbot --authenticator webroot

TLS Security Update

certbot plugin apache used tls which was discontinued , so I used the below to add a new domain to the existing setup here.

certbot certonly --webroot -d radioforjesus.com -d www.radioforjesus.com --webroot-path /home/radioforjesus/public_html


Certbot Apache Plugin

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

#certbot --apache -d www.recyclethebible.org -d recyclethebible.org

Certbot’s DNS plugins which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server
are NOT available for your OS yet.

Running this command will get a certificate for you
and have Certbot edit your Apache configuration automatically
to serve it. If you’re feeling more conservative and would
like to make the changes to your Apache configuration by hand,
you can use the certonly subcommand:

#certbot --apache certonly


Automating renewal

The Certbot packages on your system come with a cron job
that will renew your certificates automatically before they expire.
Since Let’s Encrypt certificates last for 90 days,
it’s highly advisable to take advantage of this feature.
You can test automatic renewal for your certificates by running this command:

#certbot renew --dry-run

If that appears to be working correctly????,
you can arrange for automatic renewal
by adding a cron or systemd job which runs the following:

certbot renew


Adding a Cron Job

crontab -l

crontab -e

@weekly /home/everyweek.sh


Simple start script

nano /home/everyweek.sh
#!/bin/sh

#test first
letsencrypt renew --dry-run --agree-tos

#Production
#letsencrypt renew >> /var/log/letsencrypt/renew.log
#/usr/bin/certbot renew >> /var/log/letsencrypt/renew.log

service apache2 reload
#EOF

************************
For posting to Slack, get url from Slack for custom hooks to replace the ????? in url

#!/bin/bash

/usr/bin/certbot renew > /home/renew.log

CERTPUG=$(</home/renew.log)

curl -X POST --data-urlencode "payload={\"channel\": \"#general\", \"username\": \"webhookbot\", \"text\": \"Weekly letsencrypt!\n$CERTPUG\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/????????

service apache2 reload

#EOF

 returns

Weekly letsencrypt!

——————————————————————————-
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/radioforjesus.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.net.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.radioforjesus.com.conf
——————————————————————————-

——————————————————————————-
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com-0001.conf
——————————————————————————-

The following certs are not due for renewal yet:
/etc/letsencrypt/live/jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.net/fullchain.pem (skipped)
/etc/letsencrypt/live/www.radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/jesus-christ-forums.com-0001/fullchain.pem (skipped)
No renewals were attempted.

 


Homepage
https://letsencrypt.org/

Tweets by letsencrypt

Github
https://github.com/letsencrypt/website

The world’s fastest framework for building websites
https://gohugo.io/


Global Secure Sockets Layer (SSL) Certification Market 2021: Market Size, Market Share, Vendors and Key Regions ...  thebusinesstactics.comFull coverage
Secure Sockets Layer (SSL) Certification Market Major Vendor Analysis By Geographic Segments, Organizational ...  Daily Journal Now (blog)Full coverage
Why Does Google Chrome Say Websites Are “Not Secure”?  How-To GeekFull coverage
Increasing Healthcare Cloud Security with Bring-Your-Own-Key  HITInfrastructure.comFull coverage
Secure Sockets Layer (SSL) Certification Market: Business Opportunities, Trends, Challenges & Industry Analysis By ...  Daily Journal Now (blog)Full coverage
Newsmaker Interview: Scott Helme on Securing the Web  ThreatpostFull coverage
Cloudways review  TechRadarFull coverage
Encryption System Found in Genes  Discovery InstituteFull coverage
Sign and Encrypt files using OpenPGP certificates with Kleopatra  TWCN Tech News (blog)Full coverage
EFF\'s STARTTLS Everywhere aims to protect email in transit  TechTargetFull coverage