Updating SSL Certificates with ‘certbot’

I found the easiest way to update certificates with certbot (on my server) is to temporarily stop apache / nginx and to run the following command. Once you have the congratulations line, you can restart your web services.

$ sudo systemctl stop nginx
$ sudo certbot certonly --standalone --email [EMAIL-ADDRESS] -d thebytes.net,www.thebytes.net,[ALL OTHER SUBDOMAINS]
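
The stop, renew, restart sequence above leaves the site down if certbot fails before you restart by hand. The following added example (not the author's code) wraps the same certbot command so the web server is started again whatever certbot returns; the function name renew_standalone, its argument order and the example.com values are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Run as root.
# renew_standalone and its argument order are assumptions.
renew_standalone() {
    local service="$1" email="$2" domains="$3"
    if [ -z "$service" ] || [ -z "$email" ] || [ -z "$domains" ]; then
        echo "usage: renew_standalone SERVICE EMAIL DOMAIN[,DOMAIN...]" >&2
        return 2
    fi

    # Stop (and later start) the service only if it is running now.
    local was_active=0
    if systemctl is-active --quiet "$service"; then
        was_active=1
        # If it cannot be stopped, port 80 stays busy and the standalone
        # challenge cannot bind, so give up before calling certbot.
        systemctl stop "$service" || return 3
    fi

    # Same certbot invocation as in the post.
    local rc=0
    certbot certonly --standalone --email "$email" -d "$domains" || rc=$?

    # Restart whatever certbot returned, so a failed renewal does not
    # leave the site offline.
    if [ "$was_active" -eq 1 ] && ! systemctl start "$service"; then
        echo "WARNING: $service did not restart" >&2
        return 4
    fi

    if [ "$rc" -ne 0 ]; then
        echo "certbot failed (exit $rc); no new certificate was issued" >&2
    fi
    return "$rc"
}

# Run only when called with arguments, for example (constructed values):
#   ./renew.sh nginx admin@example.com example.com,www.example.com
if [ "$#" -gt 0 ]; then
    renew_standalone "$@"
fi
```

The function returns certbot's own exit status, so a cron job or systemd timer calling it can alert on a non-zero result.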

Obtaining SSL Encryption Certificates for Apache on Arch Linux

This has been an issue for me for quite some time. I have been trying to get SSL working and get valid certificates so that I could secure a few things and offer better security. Additionally, these days, having secure HTTP is an added benefit. Most web-based server functions prefer the use of HTTPS over HTTP for the extra security as well. Here is how I got SSL and the proper encryption installed on Arch Linux with Apache. First, install what you need (assuming that you already have a LAMP stack).

$ yaourt -S certbot certbot-apache acme-tiny letsencrypt-cli openssl

Next, you need to obtain the certificates. Also, I port forwarded 80 and 443 through the router to the server. This would be a good time to make sure that port forward is good or else this won’t work properly.

# certbot certonly --email your.email@address.com --webroot -w /srv/http/site1/ -d www.website.com

If you have received the congratulations message, then you should have certificates in the designated folder. (Mine were located in /etc/letsencrypt/live/inject.run/fullchain.pem.) Now we have to activate/use the certificates through Apache. Edit /etc/httpd/conf/httpd.conf and uncomment the following (I use nano and ctrl+w to search):

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

and, while you’re in httpd.conf, search for "Listen 80" and add "Listen 443" right below that line. Now, this might seem like a duplication of effort, but it was the only way I got this to work:

In /etc/httpd/conf/extra/httpd-ssl.conf, find the Virtual Host Context section, and add your VirtualHost server information as follows:

DocumentRoot "/srv/http/site1"
ServerName site1.com:443
ServerAdmin YOUR.EMAIL@ADDRESS.COM
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"

SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/site1/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/site1/privkey.pem"

#SSLCertificateChainFile "/etc/letsencrypt/live/site1/chain.pem"
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"

Note that the only two files you have to reference from your certificates are fullchain and privkey. The last thing to do before you restart all of your services is to add a separate VirtualHost in your httpd-vhosts.conf file. Edit /etc/httpd/conf/extra/httpd-vhosts.conf and add a second VirtualHost for the same website but with *:443 instead of *:80. You also need to add your certificate information. See the example below:

<VirtualHost *:443>
    ServerName www.site1.com

    # OTHER OPTIONS FOR VHOST HERE IF NEEDED

    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/site1/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/site1/privkey.pem"
</VirtualHost>

Notice I added the SSL stuff in the second VirtualHost entry. Now, if you choose, you can remove everything from the non-encrypted VirtualHost and add the following line below the ServerName to redirect all traffic to secure connections.

Redirect / https://www.site1.com/

Hopefully, this helps get your SSL encryption working.