Setting up a Let’s Encrypt – Free SSL/TLS Certificates on Debian Jessie

 

OS Type: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 (64 bit)
Server Software: Apache
CPU Cores: 2 Cores
Load Average: 0.14, 0.11, 0.09
Disk Space: 83.83 GB (9%) used of 912.86 GB total
Database Size: 12.91 MB
MySQL Version: 5.5.59-0+deb8u1

That’s the current server, so we need to set up SSL (https://) for these domains:
radioforjesus.com
www.radioforjesus.com
and the new WordPress install, without www:
https://radioforjesus.com/wordpress
https://www.radioforjesus.com/wordpress

while making sure the mp3 directories don’t require https.

Another reason to have https is that Facebook & Slack require it:
https://stackoverflow.com/questions/8574344/what-are-app-domains-in-facebook-apps

Here’s the site we have already set up:
https://www.recyclethebible.org/recycle/


So let’s get started:

  1. https://letsencrypt.org/getting-started/
  2. https://community.letsencrypt.org/latest
  3. https://certbot.eff.org/all-instructions/#debian-8-jessie-apache
  4. https://certbot.eff.org/#debianjessie-apache
  5. https://certbot.eff.org/lets-encrypt/debianjessie-apache.html <- security update

#########################################################
#Check debian version
cat /etc/issue
#should return: Debian GNU/Linux 8 \n \l
#if debian 8 jessie continue
#########################################################

Add backports to your sources.list

see https://backports.debian.org/Instructions/

For jessie, add the line `deb http://ftp.debian.org/debian jessie-backports main` to your sources.list (or to a new file with the “.list” extension in /etc/apt/sources.list.d/), for example:

echo 'deb http://ftp.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list

#Add debian 8 jessie backports to your /etc/apt/sources.list.d/sources.list

#echo 'deb http://ftp.debian.org/debian jessie-backports main' >> /etc/apt/sources.list.d/sources.list

for testing (only if you really want packages from Debian testing; without APT pinning a plain apt-get upgrade would then pull the whole system onto testing, so prefer backports):
echo 'deb http://ftp2.de.debian.org/debian/ testing main' >> /etc/apt/sources.list.d/sources.list

Install backports & Certbot

 

#All backports are deactivated by default
#(i.e. the packages are pinned to 100 by using ButAutomaticUpgrades: yes in the Release files.
#If you want to install something from backports run:
apt-get -t stretch-backports install "package"

returns:Reading package lists... Done
E: The value 'stretch-backports' is invalid for APT::Default-Release as such a release is not available in the sources

because the release name has to match the one we added (jessie-backports, not the stretch-backports from the backports page’s example) and because we forgot to update:

apt-get update

& we have to name the actual packages (oops):

apt-get install certbot python-certbot-apache -t jessie-backports

Running certbot then returns the error

Client with the currently selected authenticator does not support any combination of challenges
that will satisfy the CA.

which is fixed by selecting the webroot authenticator (the challenge file is then served from the site’s document root over plain http):

certbot --authenticator webroot

TLS Security Update

The certbot apache plugin used a TLS challenge type that was discontinued, so I used the command below to add a new domain to the existing setup:

certbot certonly --webroot -d radioforjesus.com -d www.radioforjesus.com --webroot-path /home/radioforjesus/public_html


Certbot Apache Plugin

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

#certbot --apache -d www.recyclethebible.org -d recyclethebible.org

Certbot’s DNS plugins which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server
are NOT available for your OS yet.

Running this command will get a certificate for you
and have Certbot edit your Apache configuration automatically
to serve it. If you’re feeling more conservative and would
like to make the changes to your Apache configuration by hand,
you can use the certonly subcommand:

#certbot --apache certonly


Automating renewal

The Certbot packages on your system come with a cron job
that will renew your certificates automatically before they expire.
Since Let’s Encrypt certificates last for 90 days,
it’s highly advisable to take advantage of this feature.
You can test automatic renewal for your certificates by running this command:

#certbot renew --dry-run

If that appears to be working correctly,
you can arrange for automatic renewal
by adding a cron or systemd job which runs the following:

certbot renew


Adding a Cron Job

crontab -l    # list the current jobs

crontab -e    # edit, then add:

@weekly /home/everyweek.sh


Simple start script

nano /home/everyweek.sh
#!/bin/sh

#test first: --dry-run talks to the staging server and does not touch the live certs
letsencrypt renew --dry-run --agree-tos

#Production: swap in one of these once the dry run is clean; 2>&1 keeps errors in the log too
#letsencrypt renew >> /var/log/letsencrypt/renew.log 2>&1
#/usr/bin/certbot renew >> /var/log/letsencrypt/renew.log 2>&1

#reload so Apache picks up a renewed certificate
service apache2 reload
#EOF

************************
For posting to Slack, get the URL for a custom incoming webhook from Slack and use it in place of the ???????? in the URL below.

#!/bin/bash

# capture stdout and stderr, so errors end up in the Slack message too
/usr/bin/certbot renew > /home/renew.log 2>&1

CERTPUG=$(</home/renew.log)

# the log goes inside a JSON string: escape backslashes and double quotes and
# turn real newlines into \n, otherwise a line containing a quote breaks the payload
CERTPUG=$(printf '%s' "$CERTPUG" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | sed ':a;N;$!ba;s/\n/\\n/g')

# keep this file readable by root only (chmod 700): anyone who can read the webhook URL can post to the channel
curl -X POST --data-urlencode "payload={\"channel\": \"#general\", \"username\": \"webhookbot\", \"text\": \"Weekly letsencrypt!\n$CERTPUG\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/????????

service apache2 reload

#EOF

which posts the following to Slack:

Weekly letsencrypt!

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/radioforjesus.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.jesus-christ-forums.net.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.radioforjesus.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/jesus-christ-forums.com-0001.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
/etc/letsencrypt/live/jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.jesus-christ-forums.net/fullchain.pem (skipped)
/etc/letsencrypt/live/www.radioforjesus.com/fullchain.pem (skipped)
/etc/letsencrypt/live/jesus-christ-forums.com-0001/fullchain.pem (skipped)
No renewals were attempted.
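The weekly scripts above reload Apache on every run and paste raw certbot output straight into a JSON payload. The following is an added example, not a script from the original post: a few POSIX sh helpers that read the output of `certbot renew`, decide whether Apache actually needs a reload (only when a certificate was renewed), build a one-line summary, and JSON-escape the log text so a quote or newline in it cannot break the Slack payload. The sample outputs are constructed here in the shape shown on this page; the "(success)" marker for a renewed certificate is an assumption about certbot's "certs have been renewed" listing, so check it against a real run on your server.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for a safer weekly
# renewal script. They decide from certbot's output whether Apache needs a
# reload and escape the text so it can sit inside a JSON string.

# Constructed sample output, in the shape shown on this page (nothing renewed).
SAMPLE_SKIPPED='-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.'

# Constructed sample for a run where one certificate was renewed. The
# "(success)" marker is assumed to match the "certs have been renewed" listing.
SAMPLE_RENEWED='-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)'

# count_marker LOG MARKER: number of lines containing MARKER (0 when none).
count_marker() {
    printf '%s\n' "$1" | grep -c -F "$2" || true
}

# count_skipped LOG / count_renewed LOG: lineages skipped / renewed this run.
count_skipped() { count_marker "$1" '(skipped)'; }
count_renewed() { count_marker "$1" '(success)'; }

# needs_reload LOG: exit 0 only when at least one cert was renewed, so Apache
# is reloaded only when there is a new certificate for it to pick up.
needs_reload() {
    [ "$(count_renewed "$1")" -gt 0 ]
}

# summarize LOG: one-line summary for the start of a notification.
summarize() {
    printf 'renewed=%s skipped=%s' "$(count_renewed "$1")" "$(count_skipped "$1")"
}

# json_escape TEXT: escape backslashes and double quotes and turn real
# newlines into the two-character sequence \n, as JSON strings require.
json_escape() {
    printf '%s\n' "$1" | {
        out=''
        first=1
        while IFS= read -r line; do
            line=$(printf '%s' "$line" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
            if [ "$first" = 1 ]; then
                out=$line
                first=0
            else
                out="$out\\n$line"
            fi
        done
        printf '%s' "$out"
    }
}

# Weekly cron usage (assumed paths and SLACK_WEBHOOK_URL; uncomment on the server):
# LOG=$(/usr/bin/certbot renew 2>&1)
# if needs_reload "$LOG"; then service apache2 reload; fi
# TEXT="Weekly letsencrypt: $(summarize "$LOG")\n$(json_escape "$LOG")"
# curl -X POST --data-urlencode "payload={\"text\": \"$TEXT\"}" "$SLACK_WEBHOOK_URL"
```

Reloading only when `needs_reload` succeeds means a run like the one above, where every certificate is skipped, leaves Apache untouched; the escaped text is what should go into the `payload=` field in place of the raw log.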

 


Homepage
https://letsencrypt.org/


Github
https://github.com/letsencrypt/website


