How To Secure Apache with Let's Encrypt on Debian 8

Step 1: Install Certbot, the Let's Encrypt Client

echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list

sudo apt-get update

Note: When using backports, it is recommended to only install the specific packages you require, rather than using the repository for general updates. Backport packages have fewer compatibility guarantees than the main repositories.

To help avoid accidentally installing or updating packages using this repository, you must explicitly pass the -t flag with the repository name to install packages from backports.

sudo apt-get install python-certbot-apache -t jessie-backports

Step 2: Set Up the Apache ServerName and ServerAlias

 

sudo nano /etc/apache2/sites-available/000-default.conf

For our example, we are using example.com as our canonical name and http://www.example.com as an alias. When we set these directives, it will look like this:

<VirtualHost *:80>
    . . .
    ServerName example.com
    ServerAlias http://www.example.com
    . . .
</VirtualHost>

When you are finished, save and close the file by holding CTRL and pressing X. Type Y and hit Enter to save the file.

Check the configuration file to catch any syntax errors that may have been introduced by your changes:

• sudo apache2ctl configtest

Look for this line in the output:

Syntax OK

If the file passed the syntax test, restart your Apache service to implement your changes:

• sudo systemctl restart apache2

Now that Apache is configured with your domain names, we can use certbot to obtain our SSL certificates.

Step 3: Adjusting the Firewall

If you have a firewall enabled, you'll need to adjust the settings to allow for SSL traffic. The required procedure depends on the firewall software you are using. If you do not have a firewall configured currently, feel free to skip forward.

UFW

If you are using ufw, you can see the current setting by typing:

• sudo ufw status

It may look like this, meaning that only SSH traffic is allowed to the web server:

Status: active To Action From -- ------ ---- SSH ALLOW Anywhere SSH (v6) ALLOW Anywhere (v6)

To additionally let in HTTP and HTTPS traffic, we can allow the "WWW Full" application profile:

• sudo ufw allow 'WWW Full'

Your status should look like this now:

• sudo ufw status

Status: active To Action From -- ------ ---- SSH ALLOW Anywhere WWW Full ALLOW Anywhere SSH (v6) ALLOW Anywhere (v6) WWW Full (v6) ALLOW Anywhere (v6)

HTTP and HTTPS requests should now be accepted by your server.

 

Step 4: Set Up the SSL Certificate

Generating the SSL Certificate for Apache using the Let's Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains in our Apache configuration.

To execute the interactive installation and obtain a certificate for all of the domains defined in your Apache configuration, type:

• sudo certbot --apache

The certbot utility will evaluate your Apache configuration to find the domains that should be covered with the requested certificate. You will be able to deselect any defined domains that you do not wish to be covered under the certificate.

You will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https. It is usually safest to require https, unless you have a specific need for unencrypted http traffic.

When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don't forget to replace example.com with your domain):

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

The test may take a few minutes to complete. You should now be able to access your website using a https prefix.

Step 5: Set Up Auto Renewal

Let's Encrypt certificates are valid for 90 days, but it's recommended that you renew the certificates every 60 days to allow a margin of error. The certbot client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

To trigger the renewal process for all installed domains, you should run:

• sudo certbot renew

Because we recently installed the certificate, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. The output should look similar to this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/example.com.conf ------------------------------------------------------------------------------- Cert not yet due for renewal The following certs are not due for renewal yet: /etc/letsencrypt/live/example.com/fullchain.pem (skipped) No renewals were attempted.

Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.

A practical way to ensure your certificates won't get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.

Let's edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:

• sudo crontab -e

You may be prompted to select an editor:

no crontab for root - using an empty one Select an editor. To change later, run 'select-editor'. 1. /bin/nano <---- easiest 2. /usr/bin/vim.basic 3. /usr/bin/vim.tiny Choose 1-3 [1]:

Unless you're more comfortable with vim, press Enter to use nano, the default.

Include the following content at the end of the crontab, all in one line:

. . . 30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

Save and exit. This will create a new cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at /var/log/le-renewal.log

相關連結

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8