February 20, 2017, by tim
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit by the Internet Security Research Group (ISRG). More details can be found at https://letsencrypt.org/how-it-works/

This tutorial assumes you already have an existing website hosted on FreeBSD with apache24. I will be posting another tutorial on using Let’s Encrypt with nginx shortly.

We start by installing certbot (https://certbot.eff.org/), the Let’s Encrypt client, from packages:

# pkg install -y py27-certbot

Request a certificate by running the following command

# certbot certonly

Select option 1) Place files in webroot directory (webroot) and answer the remaining questions: your e-mail address (used for expiry notices), the domain names, and the webroot path, which is the DocumentRoot of the site (/usr/local/www/debarbora below). Certbot proves control of each name by placing a file under /.well-known/acme-challenge/ in that directory, which Let’s Encrypt then fetches over plain http, so the site must be reachable on port 80 from the Internet while the command runs.

Your certificate will be saved under /usr/local/etc/letsencrypt/live/ourdomain.tld, where ourdomain.tld is the first domain name you gave certbot,

or in my case /usr/local/etc/letsencrypt/live/www.debarbora.com. That directory holds cert.pem, chain.pem, fullchain.pem and privkey.pem as symlinks that certbot repoints on every renewal, so the vhost configuration below can keep referring to these fixed paths.

Next we need to configure our Apache vhost to use the newly issued certificate and to force all http connections over to https. Edit httpd.conf (/usr/local/etc/apache24/httpd.conf), or your vhost config file if it is stored outside httpd.conf, and add two vhosts: one on port 80 that only redirects, and one on port 443 that serves the site.

<VirtualHost *:80>
   ServerName debarbora.com
   ServerAlias www.debarbora.com
   DocumentRoot /usr/local/www/debarbora
   # Send every plain-http request to the https site. Renewals still work: the
   # Let's Encrypt validator follows the redirect, and the https vhost below
   # serves the same DocumentRoot, so the same /.well-known/acme-challenge/ files.
   Redirect permanent / https://www.debarbora.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin youremail@emailser.com
    # Directory the site's files are stored in
    DocumentRoot "/usr/local/www/debarbora"
    # Domain
    ServerName debarbora.com
    ServerAlias www.debarbora.com
    ErrorLog "/var/log/debarbora.com.error.log"
    CustomLog "/var/log/debarbora.com.access.log" common

    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/www.debarbora.com/cert.pem
    SSLCertificateChainFile /usr/local/etc/letsencrypt/live/www.debarbora.com/chain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/www.debarbora.com/privkey.pem
    # On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: point
    # SSLCertificateFile at fullchain.pem from the same directory instead and
    # drop the SSLCertificateChainFile line.

    # Prefer ECDHE/DHE suites so sessions have forward secrecy, and turn off SSLv2/SSLv3.
    # SSL Labs now caps the grade at B while TLS 1.0 and 1.1 are still enabled; on a
    # current OpenSSL add -TLSv1 -TLSv1.1 to the SSLProtocol line as well.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # The cipher list must be on one line
    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

    # This part is specific to my website
    <Directory "/usr/local/www/debarbora">
        # Only the last Options line in a section takes effect. Do not add
        # "Options All" here: it would replace this line and also switch on
        # Includes and ExecCGI.
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Restart apache

# service apache24 restart

Note: if you get an error such as “Invalid command ‘SSLEngine’, perhaps misspelled or defined by a module not included in the server configuration”, uncomment the line LoadModule ssl_module libexec/apache24/mod_ssl.so in your httpd.conf and restart apache again. Apache also only binds the ports it is told to listen on: if https connections are refused after the restart, make sure a Listen 443 directive is in effect (the FreeBSD package ships one inside the commented-out Include of etc/apache24/extra/httpd-ssl.conf, so either enable that include or add Listen 443 to httpd.conf yourself). sockstat -4l | grep httpd shows which ports httpd is actually listening on.

Let’s Encrypt certificates are valid for 90 days, so we need a small shell script around the certbot renew option. certbot renew looks at every certificate it has issued on this host and, by default, only renews the ones within 30 days of expiry, so it is safe to run it every day. Keep in mind that Apache holds the old certificate in memory until it is reloaded. I like to keep all of my scripts in /root/scripts; create this directory if you don’t already have a location for your scripts.

# mkdir /root/scripts
# cd /root/scripts

Let’s create the script

# nano renew_lets_encrypt_certs.sh

Add this

# Renew whatever is due; the post-hook only runs if a renewal was attempted, and reloads Apache so it serves the new certificate
/usr/local/bin/certbot renew --post-hook "service apache24 graceful"

Save & exit
Make the script executable

# chmod +x renew_lets_encrypt_certs.sh

Test the script to make sure it runs

# sh renew_lets_encrypt_certs.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/www.ypcr.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /usr/local/etc/letsencrypt/live/www.ypcr.com/fullchain.pem (skipped)
No renewals were attempted.

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/www.debarbora.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /usr/local/etc/letsencrypt/live/www.debarbora.com/fullchain.pem (skipped)
No renewals were attempted.

Now we will set up a cron job to run the script daily. Let’s set nano as the default editor for easy editing (this is csh/tcsh syntax, root’s default shell on FreeBSD; in sh use export EDITOR=/usr/local/bin/nano):

# setenv EDITOR /usr/local/bin/nano

open crontab

# crontab -e

Add the following lines. The PATH line is there because cron starts jobs with a minimal PATH that may not include /usr/local/bin, where certbot and anything the renewal hooks call live:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

@daily sh /root/scripts/renew_lets_encrypt_certs.sh
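A fuller version of the renewal job, as an added example rather than the post’s own script: it runs certbot renew, reloads Apache only when a certificate was actually due, and then checks that every installed certificate still has a comfortable margin, exiting non-zero (so cron mails root) if one does not. It assumes the paths used on this page (/usr/local/bin/certbot, /usr/local/etc/letsencrypt/live and the apache24 rc script); the 21-day threshold and the "run" argument are my own choices, not certbot conventions.

```shell
#!/bin/sh
# renew_and_check.sh -- cron wrapper around "certbot renew" (added example, not the post's script).
# Assumed paths: certbot from the py27-certbot package and the live/ directory
# layout certbot creates, as used elsewhere on this page.
CERTBOT=/usr/local/bin/certbot
LIVE_DIR=/usr/local/etc/letsencrypt/live
# Alert if any installed cert has this many days or fewer left. certbot renews at
# 30 days by default, so anything under 21 means renewals have been failing for over a week.
MIN_DAYS=${MIN_DAYS:-21}

# days_to_seconds DAYS -> seconds, the unit "openssl x509 -checkend" expects.
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# cert_expires_within FILE DAYS -> exit 0 if the certificate in FILE will have
# expired DAYS days from now (too short), 1 if it still has more time than that.
# "-checkend" exits 0 while the cert is still valid at that moment, so invert it.
# A missing or unparseable file also counts as expiring (fail closed).
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(days_to_seconds "$2")" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_live_certs DIR DAYS -> 0 if every DIR/*/cert.pem has more than DAYS days
# left; otherwise lists the offenders on stderr and returns 1.
check_live_certs() {
    _dir=$1 _days=$2 _rc=0
    for _cert in "$_dir"/*/cert.pem; do
        [ -e "$_cert" ] || continue     # glob matched nothing
        if cert_expires_within "$_cert" "$_days"; then
            echo "WARNING: $_cert expires within $_days days (or could not be read)" >&2
            _rc=1
        fi
    done
    return $_rc
}

# renew_all -> run certbot quietly. --post-hook runs once, after all renewal
# attempts, and only if some certificate was actually due, so Apache is reloaded
# only when there is something new to load. Without a reload Apache keeps
# serving the old certificate from memory until the next restart.
renew_all() {
    "$CERTBOT" renew --quiet --post-hook "service apache24 graceful"
}

main() {
    renew_all || echo "certbot renew failed; see /var/log/letsencrypt/letsencrypt.log" >&2
    # A non-zero exit makes cron mail the WARNING lines to root.
    check_live_certs "$LIVE_DIR" "$MIN_DAYS"
}

# Only act when invoked as "renew_and_check.sh run" (the cron line), so the
# functions above can be sourced and exercised without touching certbot.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Save it as /root/scripts/renew_and_check.sh and use @daily sh /root/scripts/renew_and_check.sh run as the cron line. On certbot 0.17 and newer, --deploy-hook is an alternative to --post-hook: it runs only after a successful renewal of a particular certificate, which is the more precise trigger for the reload.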

Your site should now be accessible over https, and any http request made to your site should be redirected to https. If it’s working, great! However, it is not enough for TLS to be configured for your site; it needs to be configured correctly. Let’s head over to https://www.ssllabs.com/ssltest/ and test our configuration.

You want at least an A, or an A+. If you score a B or lower, SSL Labs tells you exactly which protocol, cipher or certificate-chain problem cost you the points, so you can fix it and raise the score.

Enjoy