How to use a Let's Encrypt free SSL certificate for all subdomains?

Let's Encrypt is a certificate authority that issues free TLS/SSL certificates for web applications. The certificate lets the server prove its identity to clients and lets client and server encrypt the data in transit in both directions. Configuring a certificate should be one of the first things done for any website. Generating and renewing a Let's Encrypt certificate is pretty simple and takes only a few commands. Consider an instance running at any cloud provider with Apache as the web server; the procedure is as follows.

Note: Let's Encrypt only issues certificates for public domain names that its servers can validate over the internet. For internal applications, or for hosts that are reached by IP address, we can use self-signed certificates instead.

OS: ubuntu:18.04

Install Apache:

sudo apt-get install apache2

We use certbot-auto, the wrapper script shipped in the certbot repository, to obtain and renew certificates. It installs its own dependencies with the system package manager, so run it as root or as a user with sudo rights.

Clone it from GitHub and run certbot-auto from the checkout:

git clone https://github.com/certbot/certbot
cd certbot

Installing certificates:

./certbot-auto certonly -d example.reborninfosec.com

The above command requests a certificate for the single name example.reborninfosec.com. certbot asks which authenticator to use; with Apache installed, pick the Apache plugin (or pass --apache on the command line). Let's Encrypt's servers must then be able to fetch the HTTP-01 challenge from port 80 of that name. To cover more subdomains with one certificate, repeat -d for each name. A wildcard such as *.reborninfosec.com requires the DNS-01 challenge, which this HTTP-based setup does not perform. The certificate and key are stored in /etc/letsencrypt/live/example.reborninfosec.com/ (symlinks to the current versions under /etc/letsencrypt/archive/).

To use the certificate in Apache, the virtual host configuration looks like the one below. mod_ssl and mod_rewrite must be enabled, and the comments sit on their own lines because Apache does not accept a comment on the same line as a directive. Note that RewriteCond must come before the RewriteRule it guards.

<VirtualHost *:80>
  # Listens on port 80 and sends every request to the HTTPS site
  ServerName example.reborninfosec.com
  RewriteEngine On
  RewriteCond %{SERVER_NAME} =example.reborninfosec.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  # Serves the site over TLS
  ServerName example.reborninfosec.com
  DocumentRoot /var/www/example
  <Directory "/var/www/example/">
    Require all granted
    AllowOverride All
  </Directory>
  ProxyRequests off

  # Server certificate followed by the Let's Encrypt intermediate chain
  SSLCertificateFile /etc/letsencrypt/live/example.reborninfosec.com/fullchain.pem
  # The server's private key; keep it readable by root only
  SSLCertificateKeyFile /etc/letsencrypt/live/example.reborninfosec.com/privkey.pem
  # certbot's TLS settings (SSLEngine on, protocol and cipher policy)
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Enable mod_ssl and mod_rewrite, check the configuration syntax, and reload Apache; the site is then served over HTTPS with the Let's Encrypt certificate. A reload is enough and, unlike a restart, does not drop connections in flight.

General errors while installing:

  • Let's Encrypt cannot reach the instance over HTTP - check the firewall or cloud security group: TCP port 80 must be open to the whole internet, because the HTTP-01 challenge is fetched by Let's Encrypt's own servers, not from your address.
  • Let's Encrypt cannot reach the instance - check the DNS settings: the name must resolve to this server's public address (dig +short example.reborninfosec.com should return the instance's IP). A ping only shows that ICMP reaches some host; it says nothing about the A record or about port 80.
  • Error (cannot generate cert) after several attempts - Let's Encrypt rate-limits issuance; in particular, at most 5 duplicate certificates (the same set of names) can be issued per week. Use certbot-auto renew --dry-run for testing: it talks to the staging environment and does not count against the limit.

Renewal:

A Let's Encrypt certificate is valid for three months (90 days). To renew it automatically, add the certbot renew command to root's crontab, with the full path of the checkout because certbot-auto is not on the PATH (for example /root/certbot/certbot-auto if the repository was cloned into /root):

0 1 * * * /root/certbot/certbot-auto renew --quiet --post-hook "service apache2 restart"

Every day at 1 am this checks the expiry date of every certificate under /etc/letsencrypt/live and renews those that are due (certbot renews once fewer than 30 days remain); the post-hook restarts Apache so that it loads the new certificate. A --deploy-hook runs only when a certificate was actually renewed, so it is the better place for the Apache reload.
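The issuance, Apache and renewal steps above as one script, added here as an example and not part of the original post. It assumes, since the page does not say, that certbot was cloned into /root/certbot, that the site's document root is /var/www/example, and that admin@reborninfosec.com is the contact address Let's Encrypt should mail about expiry; all three can be overridden through the environment. It uses certbot's --apache authenticator so that options-ssl-apache.conf is written as in the interactive run above, repeats -d for every subdomain given on the command line, writes the corrected Apache site, installs a daily renewal job whose deploy hook reloads Apache only when a certificate was renewed, and reports how many days the new certificate has left (days_until relies on GNU date, as shipped with Ubuntu).

```shell
#!/bin/sh
# Added example (not from the original post): the issuance, Apache and renewal
# steps as one script for an Ubuntu 18.04 host, to be run as root.
# Assumptions not stated on the page: certbot was cloned into /root/certbot,
# the document root is /var/www/example, CONTACT is the expiry-notice address.
set -eu

CERTBOT=${CERTBOT:-/root/certbot/certbot-auto}
DOCROOT=${DOCROOT:-/var/www/example}
CONTACT=${CONTACT:-admin@reborninfosec.com}

# Print the certbot command for one or more names. Repeating -d puts every name
# into a single certificate. --apache answers the HTTP-01 challenge through the
# running Apache and writes /etc/letsencrypt/options-ssl-apache.conf, which the
# site generated below includes.
certbot_cmd() {
  names=''
  for n in "$@"; do names="$names -d $n"; done
  printf '%s certonly --apache%s -m %s --agree-tos --non-interactive\n' \
    "$CERTBOT" "$names" "$CONTACT"
}

# Print the Apache site for a name: port 80 only redirects (permanently) to
# HTTPS; port 443 serves the document root with the Let's Encrypt files.
# Comments are on their own lines because httpd rejects trailing comments.
vhost_config() {
  d=$1
  cat <<EOF
<VirtualHost *:80>
  ServerName $d
  RewriteEngine On
  RewriteCond %{SERVER_NAME} =$d
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  ServerName $d
  DocumentRoot $DOCROOT
  <Directory "$DOCROOT/">
    Require all granted
    AllowOverride All
  </Directory>
  # server certificate plus intermediate chain, then the private key
  SSLCertificateFile /etc/letsencrypt/live/$d/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/$d/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
EOF
}

# Whole days until a date in the form printed by `openssl x509 -enddate`,
# e.g. "Sep  1 12:00:00 2020 GMT" (GNU date). Negative or zero means expired.
days_until() {
  expiry=$(date -u -d "$1" +%s)
  now=$(date -u +%s)
  echo $(( (expiry - now) / 86400 ))
}

# Days left on an issued certificate; useful from monitoring to catch a
# renewal cron job that silently stopped working.
cert_days_left() {
  days_until "$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')"
}

main() {
  first=$1
  a2enmod ssl rewrite >/dev/null
  # run the built command; word splitting of the printed line is intended
  $(certbot_cmd "$@")
  vhost_config "$first" > "/etc/apache2/sites-available/$first.conf"
  a2ensite "$first.conf" >/dev/null
  apachectl configtest
  systemctl reload apache2
  # Daily renewal at 01:00. certbot renews when fewer than 30 days remain; the
  # deploy hook runs only when a certificate was actually renewed, and a reload
  # does not drop in-flight connections. Files in /etc/cron.d carry a user field.
  printf '0 1 * * * root %s renew --quiet --deploy-hook "systemctl reload apache2"\n' \
    "$CERTBOT" > /etc/cron.d/certbot-renew
  # Dry run against the staging environment: proves renewal works without
  # spending the weekly rate limit.
  "$CERTBOT" renew --dry-run
  echo "$first: $(cert_days_left "/etc/letsencrypt/live/$first/fullchain.pem") days left"
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as root with every name the certificate should cover, the first one becoming the Apache ServerName, for example `sh issue.sh example.reborninfosec.com www.reborninfosec.com`. The first run must happen before the port 80 redirect is in place, which is why the script issues the certificate before writing the site; later renewals follow the redirect to the already-working HTTPS site.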

Last update: June 3, 2020