SSL Success – How to enable SSL Certificates with Let’s Encrypt

Having created my blog on my VM host and my mail server on a VM, I decided to move my hosting services to a VM. The process was largely smooth and involved setting up and securing phpMyAdmin on my new VM first, then setting up Zabbix and finally transferring all the configs and databases to the new system. The last stage was simply me disabling and removing Apache on the old host.

Having successfully completed the migration and re-configured port forwarding on my router, I now have a web server without SSL. Enabling good SSL is now quite easy (and free). Only a few steps are necessary, as the process is largely automatic. On Ubuntu, install letsencrypt from the repo:

sudo apt-get install python-letsencrypt-apache

Then generate the certs:

sudo letsencrypt certonly --webroot -w /var/www/html -d mail.warbel.net
(In the above example I’m working on the mail server, however the same process was true for my web server)

Then enable let’s encrypt on apache:

sudo letsencrypt run --apache --redirect
(This forces apache to use SSL everywhere)

It’s worth explaining that letsencrypt generates new conf files from your currently active conf files (it looks at /etc/apache2/sites-enabled) and writes new SSL-enabled copies of them. It then redirects all HTTP traffic to HTTPS.

Add the below line to root’s crontab:

0 5,17 * * * letsencrypt renew >/dev/null 2>&1

This runs letsencrypt renew every day at 5am and 5pm to check whether the certificate is due for renewal (and renew it if so). To edit the crontab as root use the command:

sudo crontab -e

At this point, restart Apache (sudo service apache2 restart); it will then serve over SSL only.

A final note/step on my mail server: I had attempted to set up Postfix and Dovecot with the new SSL certificates. Dovecot was easy enough to configure. I edited the /etc/dovecot/conf.d/10-ssl.conf file – specifically, setting the following options to:

ssl_cert = </etc/letsencrypt/live/mail.warbel.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.warbel.net/privkey.pem

Note that the latest ssl certificate and keys will be placed into the ‘live’ folder.

I was, as yet, unable to configure Postfix with the new SSL certificates using a similar method. It is still using the snake-oil certificates. This, however, is only an issue when setting up a mail account for the first time on a PC or device, and the workaround is easy enough – force the client to accept the certificates. More importantly, when accessing the webmail the client is faced with a green/happy padlock indicating that the site is secure, rather than a dire warning of a security breach.
