Let's Encrypt AFTER getting my site up?
That guide is for setting up Let's Encrypt. You would now use certbot, but the commands are essentially the same. Take a look at this:
From my experience, their guides for setting up certbot to work with particular operating systems and web server software are pretty good, so that ought to be helpful.
Good luck!
Blake
My suggestion is to use Dehydrated.
Another similar alternative is acme.sh.
@IfThenElse:
In my opinion the official client is a horrible mess and uses too much memory, which in turn causes problems on small servers (1GB, 2GB memory etc). Especially if you run clamd in the same server.
certbot-auto can use a somewhat significant amount of memory compiling dependencies while installing/upgrading.
At other times (all the time, if you install it through a different package) Certbot doesn't use much memory. It's a nontrivial Python program, but that's not a problem on anything but the smallest systems.
@IfThenElse:
Another problem with the official client is that it requires root (at least the last time I checked), which is a big no-no.
You can technically run it as another user with enough careful configuration, but it's not a common setup and I wouldn't really recommend trying it.
The propriety of running things as root is debatable, but if you need or want a non-root client, I'd recommend something else.
@IfThenElse:
My suggestion is to use Dehydrated, which is a simple bash script that does the same thing, has little memory requirements, and doesn't require root.
Another similar alternative is acme.sh, which is another shell client but offers extra features for more complex configurations. One of the extra features it supports is Linode's DNS API, thus there is no need to set up a web server.
Yeah, those are good clients too.
But I do have to insist on the memory consumption of Certbot. I've seen many servers run out of memory, which is a significant problem and why so many alternative projects appeared. Maybe with 4GB or more of memory people don't notice the problem…
About running as non-root, indeed it is debatable, but you only have to look at past incidents like the famous wget exploit that allowed the remote server to mess with local files (CVE-2016-4971). Running as non-root offers an extra layer of security, and in case of a breach, the attacker will require a major system-level exploit to actually do any harm to the rest of the system.
@mtjones:
You certainly can. The HTTP and HTTPS versions of your site will have different virtual host configurations, so once everything's set up and running for HTTP you can then set up an SSL certificate and the HTTPS virtual host. We have a guide on virtual hosts in Apache here:
https://www.linode.com/docs/websites/hosting-a-website#configure-name-based-virtual-hosts
And a guide on Let's Encrypt here:
https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
We also have guides on installing SSL certificates in Apache, depending on which OS you're using:
https://www.linode.com/docs/search?q=ssl+apache
Thanks… I'm using Ubuntu 16.04. Nothing fancy…
How do I even start with making a HTTPS virtual host file? Any tutorials? I've been trying to get my site running on this server, but I haven't had much success. I'm thinking it's because I don't have a properly configured virtual host file for the HTTPS side…
@mnordhoff:
If you're using Apache or Nginx, Certbot can take care of that for you.
Isn't doing that for me… Maybe because I've tested multiple times?
To quote the Let's Encrypt forum:
–
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
--
Edit: Additionally, what is your web server configuration?
@mnordhoff:
I don't think so. Maybe.
To quote the Let's Encrypt forum:
–
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g.
My domain is: bronxify.com
I ran this command: sudo -H ./letsencrypt-auto certonly --apache -d bronxify.com -d
It produced this output: all the .pem files in /etc/letsencrypt/live/bxfy.com/
My web server is (include version): Apache
The operating system my web server runs on is (include version): Ubuntu 16.04 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
--
Edit: Additionally, what is your web server configuration?
@linoxus:
My domain is: bronxify.com
A few certificates were created in months past, and this week:
You should keep the rate limits in mind:
@linoxus:
I ran this command: sudo -H ./letsencrypt-auto certonly --apache -d bronxify.com -d www.bronxify.com (I believe; I can't go back that far by pressing the up arrow in the terminal…)
It produced this output: all the .pem files in /etc/letsencrypt/live/bxfy.com/
If it works (and I guess it does), "./letsencrypt-auto certonly --apache" probably tells Certbot to use the Apache authenticator to validate the domains and issue a certificate, but then not to use the Apache installer to configure Apache to use the certificate. It would leave that step to you.
You could use "./letsencrypt-auto --apache" instead to use both. (If you run it, it should ask you if you want to keep your current certificate or issue a new one. You should keep the current one.)
If you'd prefer to configure it manually, you can follow any relevant tutorial, such as those by Linode.
The particular settings would be:
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
(With the appropriate directory name substituted.)
For what it's worth, you can check /var/log/letsencrypt/ to see what command was run before, but it's probably not necessary.
Also for what it's worth, you can use "./letsencrypt-auto certificates" to list your current certificates.
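Putting the two directives from the post above into a complete configuration, as an added example that is not from any post in this thread: an Apache 2.4 (Ubuntu 16.04 layout) HTTP/HTTPS virtual-host pair for a site whose certificate was issued with "certonly", so Apache has not been told where the files are. The domain example.com, the DocumentRoot /var/www/example.com and the live directory /etc/letsencrypt/live/example.com/ are assumed names; substitute your own, as the post says.

```apache
# Added example, not from the thread. Assumed names: example.com,
# DocumentRoot /var/www/example.com, Certbot live directory
# /etc/letsencrypt/live/example.com/.
# On Ubuntu: save as /etc/apache2/sites-available/example.com.conf, then
#   sudo a2enmod ssl
#   sudo a2ensite example.com.conf
#   sudo apache2ctl configtest && sudo systemctl reload apache2

# Plain-HTTP vhost: everything is redirected to HTTPS except the ACME
# challenge path, so a webroot-style renewal still works if you ever use one.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    # Negative lookahead (PCRE) exempts /.well-known/acme-challenge/ from the redirect.
    RedirectMatch permanent ^/(?!\.well-known/acme-challenge/)(.*)$ https://example.com/$1
</VirtualHost>

# HTTPS vhost: the two settings from the post, pointed at the live/ symlinks
# (not archive/) so a renewed certificate is picked up on the next reload.
<VirtualHost *:443>
    ServerName example.com
    # Only keep the alias if www.example.com was also passed with -d when issuing.
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    # fullchain.pem = leaf certificate followed by the intermediate; no separate
    # SSLCertificateChainFile is needed (and it is deprecated in Apache 2.4).
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    # privkey.pem is the private key; it should stay readable by root only.
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Separate logs make handshake or certificate errors easy to find.
    ErrorLog  ${APACHE_LOG_DIR}/example.com-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-ssl-access.log combined
</VirtualHost>
```

Two caveats a practitioner should keep in mind: a certificate renewed by Certbot is only served after Apache is reloaded, so reload it after each renewal (or have the renewal run do it); and the redirect exemption is belt-and-braces only, since Let's Encrypt follows HTTP-to-HTTPS redirects during an http-01 challenge, but it keeps the challenge directory reachable over plain HTTP regardless of how the HTTPS side is configured.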
@mnordhoff:
You could use "./letsencrypt-auto --apache" instead to use both. (If you run it, it should ask you if you want to keep your current certificate or issue a new one. You should keep the current one.)
If you'd prefer to configure it manually, you can follow any relevant tutorial, such as those by Linode.
Thanks! This worked!