My environment and requirements<\/h2>\n\n\n\n\n- Raspberry Pi 3 model B<\/li>\n\n\n\n
- Ubuntu 20.04 LTS<\/li>\n\n\n\n
- Apache 2.4.41<\/li>\n\n\n\n
- Domain name<\/li>\n\n\n\n
- Access rights to manage DNS records (TXT)<\/li>\n<\/ul>\n\n\n\n
High level step<\/h2>\n\n\n\n\n- Install certbot.<\/li>\n\n\n\n
- Run certbot command (with DNS challenge option).<\/li>\n\n\n\n
- Add TXT record to DNS as requested.<\/li>\n\n\n\n
- Let Let’s Encrypt complete certificate installation.<\/li>\n\n\n\n
- Enable SSL in Apache.<\/li>\n\n\n\n
- Change TCP port in Apache config file to 443 and add other settings for SSL.<\/li>\n<\/ol>\n\n\n\n
Detailed step<\/h2>\n\n\n\nObtain certificate (CLI + DNS record)<\/h3>\n\n\n\n
First, you need to install certbot to install a certificate. In the first line below you execute elevated bash so you don’t need to add sudo<\/code> every time. $<\/code> is normal user shell prompt and # <\/code>is administrator level shell prompt. Others are output examples.<\/p>\n\n\n\n$ sudo bash\n# apt-get update\n# apt-get install certbot<\/code><\/pre><\/div>\n\n\n\nIn my case, I submitted requests for *.dev.peddals.com for all dev sites and the top level domain — I may post another article, but on my mac DNSmasq is running as a local DNS server, and access to *.dev.peddals.com is diverted to my Raspberry Pi Apache server.<\/p>\n\n\n\n
# certbot certonly --manual --preferred-challenges dns-01 -m mail@example.com -d '*.dev.peddals.com' -d peddals.com\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nPlugins selected: Authenticator manual, Installer None\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease read the Terms of Service at\nhttps:\/\/letsencrypt.org\/documents\/LE-SA-v1.3-September-21-2022.pdf. You must\nagree in order to register with the ACME server at\nhttps:\/\/acme-v02.api.letsencrypt.org\/directory\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(A)gree\/(C)ancel: A\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nWould you be willing to share your email address with the Electronic Frontier\nFoundation, a founding partner of the Let's Encrypt project and the non-profit\norganization that develops Certbot? We'd like to send you email about our work\nencrypting the web, EFF news, campaigns, and ways to support digital freedom.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(Y)es\/(N)o: Y<\/code><\/pre><\/div>\n\n\n\nAfter the above the command froze for some reason. Aborted by ctrl + C and rerunthe certbot<\/code> to proceed the process.<\/p>\n\n\n\nI think sharing email address (above) is NOT required however, sharing IP address IS required, so answer Y(es) to the below question.<\/p>\n\n\n\n
Saving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nPlugins selected: Authenticator manual, Installer None\nObtaining a new certificate\nPerforming the following challenges:\ndns-01 challenge for dev.peddals.com\ndns-01 challenge for peddals.com\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nNOTE: The IP of this machine will be publicly logged as having requested this\ncertificate. If you're running certbot in manual mode on a machine that is not\nyour server, please ensure you're okay with that.\n\nAre you OK with your IP being logged?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(Y)es\/(N)o: Y\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease deploy a DNS TXT record under the name\n_acme-challenge.dev.peddals.com with the following value:\n\n(your value here)\n\nBefore continuing, verify the record is deployed.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPress Enter to Continue<\/code><\/pre><\/div>\n\n\n\nAdd the hostname and value as a TXT record in your DNS server. Sorry for the Japanese characters but the below reads from the top to the bottom: Host name, Type, Value, TTL, Priority.<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.peddals.com\/wp-content\/uploads\/2023\/11\/image-3.png\")
When you copy-paste, don’t include the TLD if it’s pre-populated.<\/figcaption><\/figure>\n\n\n\nOnce added, go back to the CLI and hit the enter key. In my case I added the top level domain well, so there’s another challenge.<\/p>\n\n\n\n
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease deploy a DNS TXT record under the name\n_acme-challenge.peddals.com with the following value:\n\n(your value here)\n\nBefore continuing, verify the record is deployed.\n(This must be set up in addition to the previous challenges; do not remove,\nreplace, or undo the previous challenge tasks yet. Note that you might be\nasked to create multiple distinct TXT records with the same name. This is\npermitted by DNS standards.)\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPress Enter to Continue\n<\/code><\/pre><\/div>\n\n\n\nDo the similar thing on your DNS server then hit the enter key to complete the process as below.<\/p>\n\n\n\n
Waiting for verification...\nCleaning up challenges\n\nIMPORTANT NOTES:\n - Congratulations! Your certificate and chain have been saved at:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem\n Your key file has been saved at:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/privkey.pem\n Your cert will expire on 2024-02-10. To obtain a new or tweaked\n version of this certificate in the future, simply run certbot\n again. To non-interactively renew *all* of your certificates, run\n "certbot renew"\n - If you like Certbot, please consider supporting our work by:\n\n Donating to ISRG \/ Let's Encrypt: https:\/\/letsencrypt.org\/donate\n Donating to EFF: https:\/\/eff.org\/donate-le<\/code><\/pre><\/div>\n\n\n\nPath to your certs and key are written under IMPORTANT NOTES (if you forget the paths, search them in \/etc\/letsencrypt\/live\/<\/code>). Let’s encrypt certs expire every 90 days, and you have to renew. Files are symbolic link to actual certs and key to avoid tasks to update Apache config file.<\/p>\n\n\n\n# ll \/etc\/letsencrypt\/live\/dev.peddals.com\/\ntotal 12\ndrwxr-xr-x 2 root root 4096 Nov 12 19:00 .\/\ndrwx------ 3 root root 4096 Nov 12 19:00 ..\/\n-rw-r--r-- 1 root root 692 Nov 12 19:00 README\nlrwxrwxrwx 1 root root 39 Nov 12 19:00 cert.pem -> ..\/..\/archive\/dev.peddals.com\/cert1.pem\nlrwxrwxrwx 1 root root 40 Nov 12 19:00 chain.pem -> ..\/..\/archive\/dev.peddals.com\/chain1.pem\nlrwxrwxrwx 1 root root 44 Nov 12 19:00 fullchain.pem -> ..\/..\/archive\/dev.peddals.com\/fullchain1.pem\nlrwxrwxrwx 1 root root 42 Nov 12 19:00 privkey.pem -> ..\/..\/archive\/dev.peddals.com\/privkey1.pem<\/code><\/pre><\/div>\n\n\n\nEnable SSL in Apache and edit site config file<\/h3>\n\n\n\n
Enable SSL in Apache by the following command Apache. The last 2 commands are to restart and check the status of Apache.<\/p>\n\n\n\n
# a2enmod ssl\nConsidering dependency setenvif for ssl:\nModule setenvif already enabled\nConsidering dependency mime for ssl:\nModule mime already enabled\nConsidering dependency socache_shmcb for ssl:\nEnabling module socache_shmcb.\nEnabling module ssl.\nSee \/usr\/share\/doc\/apache2\/README.Debian.gz on how to configure SSL and create self-signed certificates.\nTo activate the new configuration, you need to run:\n systemctl restart apache2\n# systemctl restart apache2\n# systemctl status apache2<\/code><\/pre><\/div>\n\n\n\nA change and additions to a http (port: 80) site config file are as below. Change the port from 80 to 443 and add SSL related settings. As this (my case) is only for dev sites in a closed environment, no other security settings such as http headers are added. Since HTTPS preload and includeSubDomains are included in my HSTS policy, there’s no need to have redirection from port 80.<\/p>\n\n\n\n
<VirtualHost *:443>\n\tSSLEngine on\n\tSSLCertificateFile \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem\t\n\tSSLCertificateKeyFile \/etc\/letsencrypt\/live\/dev.peddals.com\/privkey.pem<\/code><\/pre><\/div>\n\n\n\nGet the config syntax checked and reload the apache configurations.<\/p>\n\n\n\n
# apachectl configtest\nSyntax OK\n# systemctl reload apache2<\/code><\/pre><\/div>\n\n\n\nTest in web browser<\/h3>\n\n\n\n
Now you can open your site in web browsers. You don’t need to add https:\/\/<\/code>.<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.peddals.com\/wp-content\/uploads\/2023\/11\/image-4.png\")
Google Chrome<\/figcaption><\/figure>\n\n\n\nLet’s Encrypt certs expire in 90 days.<\/h2>\n\n\n\n
You should, even for your dev env., renew the cert before expired. You can renew in 30 days until the expiration. As this case is for test sites manual renewal is fine for now. Run the command with the --dry-run<\/code> option then without it if no error reported.<\/p>\n\n\n\n# certbot renew --dry-run\n# certbot renew<\/code><\/pre><\/div>\n\n\n\nWhen you run the command when renewal is not needed, you can see the expiration date.<\/p>\n\n\n\n
# certbot renew\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nProcessing \/etc\/letsencrypt\/renewal\/dev.peddals.com.conf\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nCert not yet due for renewal\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nThe following certs are not due for renewal yet:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem expires on 2024-02-10 (skipped)\nNo renewals were attempted.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/code><\/pre><\/div>\n\n\n\nUse the crontab command to automate the renewal process. It’s not covered in this post.<\/s> (Corrected and added on Jul 25, 2024) Renewal cannot be automated. When the cert is expired or going to expire, you have to execute the full certbot certonly --manual --preferred-challenges dns-01<\/code> command followed by domain names again. You’ll get a new code that needs to be added as a TXT record for the cert to be renewed.<\/p>\n\n\n\nHSTS policy and where to add<\/h2>\n\n\n\n
As this website is on hosting servce, I have the .htaccess file which has the below line in the document root directory. includeSubDomains<\/code> to apply the configuration to all sub-domains and preload<\/code> to force access over HTTPS.<\/p>\n\n\n\n
High level step<\/h2>\n\n\n\n\n- Install certbot.<\/li>\n\n\n\n
- Run certbot command (with DNS challenge option).<\/li>\n\n\n\n
- Add TXT record to DNS as requested.<\/li>\n\n\n\n
- Let Let’s Encrypt complete certificate installation.<\/li>\n\n\n\n
- Enable SSL in Apache.<\/li>\n\n\n\n
- Change TCP port in Apache config file to 443 and add other settings for SSL.<\/li>\n<\/ol>\n\n\n\n
Detailed step<\/h2>\n\n\n\nObtain certificate (CLI + DNS record)<\/h3>\n\n\n\n
First, you need to install certbot to install a certificate. In the first line below you execute elevated bash so you don’t need to add sudo<\/code> every time. $<\/code> is normal user shell prompt and # <\/code>is administrator level shell prompt. Others are output examples.<\/p>\n\n\n\n$ sudo bash\n# apt-get update\n# apt-get install certbot<\/code><\/pre><\/div>\n\n\n\nIn my case, I submitted requests for *.dev.peddals.com for all dev sites and the top level domain — I may post another article, but on my mac DNSmasq is running as a local DNS server, and access to *.dev.peddals.com is diverted to my Raspberry Pi Apache server.<\/p>\n\n\n\n
# certbot certonly --manual --preferred-challenges dns-01 -m mail@example.com -d '*.dev.peddals.com' -d peddals.com\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nPlugins selected: Authenticator manual, Installer None\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease read the Terms of Service at\nhttps:\/\/letsencrypt.org\/documents\/LE-SA-v1.3-September-21-2022.pdf. You must\nagree in order to register with the ACME server at\nhttps:\/\/acme-v02.api.letsencrypt.org\/directory\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(A)gree\/(C)ancel: A\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nWould you be willing to share your email address with the Electronic Frontier\nFoundation, a founding partner of the Let's Encrypt project and the non-profit\norganization that develops Certbot? We'd like to send you email about our work\nencrypting the web, EFF news, campaigns, and ways to support digital freedom.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(Y)es\/(N)o: Y<\/code><\/pre><\/div>\n\n\n\nAfter the above the command froze for some reason. Aborted by ctrl + C and rerunthe certbot<\/code> to proceed the process.<\/p>\n\n\n\nI think sharing email address (above) is NOT required however, sharing IP address IS required, so answer Y(es) to the below question.<\/p>\n\n\n\n
Saving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nPlugins selected: Authenticator manual, Installer None\nObtaining a new certificate\nPerforming the following challenges:\ndns-01 challenge for dev.peddals.com\ndns-01 challenge for peddals.com\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nNOTE: The IP of this machine will be publicly logged as having requested this\ncertificate. If you're running certbot in manual mode on a machine that is not\nyour server, please ensure you're okay with that.\n\nAre you OK with your IP being logged?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(Y)es\/(N)o: Y\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease deploy a DNS TXT record under the name\n_acme-challenge.dev.peddals.com with the following value:\n\n(your value here)\n\nBefore continuing, verify the record is deployed.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPress Enter to Continue<\/code><\/pre><\/div>\n\n\n\nAdd the hostname and value as a TXT record in your DNS server. Sorry for the Japanese characters but the below reads from the top to the bottom: Host name, Type, Value, TTL, Priority.<\/p>\n\n\n\nWhen you copy-paste, don’t include the TLD if it’s pre-populated.<\/figcaption><\/figure>\n\n\n\nOnce added, go back to the CLI and hit the enter key. In my case I added the top level domain well, so there’s another challenge.<\/p>\n\n\n\n
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease deploy a DNS TXT record under the name\n_acme-challenge.peddals.com with the following value:\n\n(your value here)\n\nBefore continuing, verify the record is deployed.\n(This must be set up in addition to the previous challenges; do not remove,\nreplace, or undo the previous challenge tasks yet. Note that you might be\nasked to create multiple distinct TXT records with the same name. This is\npermitted by DNS standards.)\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPress Enter to Continue\n<\/code><\/pre><\/div>\n\n\n\nDo the similar thing on your DNS server then hit the enter key to complete the process as below.<\/p>\n\n\n\n
Waiting for verification...\nCleaning up challenges\n\nIMPORTANT NOTES:\n - Congratulations! Your certificate and chain have been saved at:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem\n Your key file has been saved at:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/privkey.pem\n Your cert will expire on 2024-02-10. To obtain a new or tweaked\n version of this certificate in the future, simply run certbot\n again. To non-interactively renew *all* of your certificates, run\n "certbot renew"\n - If you like Certbot, please consider supporting our work by:\n\n Donating to ISRG \/ Let's Encrypt: https:\/\/letsencrypt.org\/donate\n Donating to EFF: https:\/\/eff.org\/donate-le<\/code><\/pre><\/div>\n\n\n\nPath to your certs and key are written under IMPORTANT NOTES (if you forget the paths, search them in \/etc\/letsencrypt\/live\/<\/code>). Let’s encrypt certs expire every 90 days, and you have to renew. Files are symbolic link to actual certs and key to avoid tasks to update Apache config file.<\/p>\n\n\n\n# ll \/etc\/letsencrypt\/live\/dev.peddals.com\/\ntotal 12\ndrwxr-xr-x 2 root root 4096 Nov 12 19:00 .\/\ndrwx------ 3 root root 4096 Nov 12 19:00 ..\/\n-rw-r--r-- 1 root root 692 Nov 12 19:00 README\nlrwxrwxrwx 1 root root 39 Nov 12 19:00 cert.pem -> ..\/..\/archive\/dev.peddals.com\/cert1.pem\nlrwxrwxrwx 1 root root 40 Nov 12 19:00 chain.pem -> ..\/..\/archive\/dev.peddals.com\/chain1.pem\nlrwxrwxrwx 1 root root 44 Nov 12 19:00 fullchain.pem -> ..\/..\/archive\/dev.peddals.com\/fullchain1.pem\nlrwxrwxrwx 1 root root 42 Nov 12 19:00 privkey.pem -> ..\/..\/archive\/dev.peddals.com\/privkey1.pem<\/code><\/pre><\/div>\n\n\n\nEnable SSL in Apache and edit site config file<\/h3>\n\n\n\n
Enable SSL in Apache by the following command Apache. The last 2 commands are to restart and check the status of Apache.<\/p>\n\n\n\n
# a2enmod ssl\nConsidering dependency setenvif for ssl:\nModule setenvif already enabled\nConsidering dependency mime for ssl:\nModule mime already enabled\nConsidering dependency socache_shmcb for ssl:\nEnabling module socache_shmcb.\nEnabling module ssl.\nSee \/usr\/share\/doc\/apache2\/README.Debian.gz on how to configure SSL and create self-signed certificates.\nTo activate the new configuration, you need to run:\n systemctl restart apache2\n# systemctl restart apache2\n# systemctl status apache2<\/code><\/pre><\/div>\n\n\n\nA change and additions to a http (port: 80) site config file are as below. Change the port from 80 to 443 and add SSL related settings. As this (my case) is only for dev sites in a closed environment, no other security settings such as http headers are added. Since HTTPS preload and includeSubDomains are included in my HSTS policy, there’s no need to have redirection from port 80.<\/p>\n\n\n\n
<VirtualHost *:443>\n\tSSLEngine on\n\tSSLCertificateFile \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem\t\n\tSSLCertificateKeyFile \/etc\/letsencrypt\/live\/dev.peddals.com\/privkey.pem<\/code><\/pre><\/div>\n\n\n\nGet the config syntax checked and reload the apache configurations.<\/p>\n\n\n\n
# apachectl configtest\nSyntax OK\n# systemctl reload apache2<\/code><\/pre><\/div>\n\n\n\nTest in web browser<\/h3>\n\n\n\n
Now you can open your site in web browsers. You don’t need to add https:\/\/<\/code>.<\/p>\n\n\n\nGoogle Chrome<\/figcaption><\/figure>\n\n\n\nLet’s Encrypt certs expire in 90 days.<\/h2>\n\n\n\n
You should, even for your dev env., renew the cert before expired. You can renew in 30 days until the expiration. As this case is for test sites manual renewal is fine for now. Run the command with the --dry-run<\/code> option then without it if no error reported.<\/p>\n\n\n\n# certbot renew --dry-run\n# certbot renew<\/code><\/pre><\/div>\n\n\n\nWhen you run the command when renewal is not needed, you can see the expiration date.<\/p>\n\n\n\n
# certbot renew\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nProcessing \/etc\/letsencrypt\/renewal\/dev.peddals.com.conf\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nCert not yet due for renewal\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nThe following certs are not due for renewal yet:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem expires on 2024-02-10 (skipped)\nNo renewals were attempted.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/code><\/pre><\/div>\n\n\n\nUse the crontab command to automate the renewal process. It’s not covered in this post.<\/s> (Corrected and added on Jul 25, 2024) Renewal cannot be automated. When the cert is expired or going to expire, you have to execute the full certbot certonly --manual --preferred-challenges dns-01<\/code> command followed by domain names again. You’ll get a new code that needs to be added as a TXT record for the cert to be renewed.<\/p>\n\n\n\nHSTS policy and where to add<\/h2>\n\n\n\n
As this website is on hosting servce, I have the .htaccess file which has the below line in the document root directory. includeSubDomains<\/code> to apply the configuration to all sub-domains and preload<\/code> to force access over HTTPS.<\/p>\n\n\n\n
Detailed step<\/h2>\n\n\n\nObtain certificate (CLI + DNS record)<\/h3>\n\n\n\n
First, you need to install certbot to install a certificate. In the first line below you execute elevated bash so you don’t need to add In my case, I submitted requests for *.dev.peddals.com for all dev sites and the top level domain — I may post another article, but on my mac DNSmasq is running as a local DNS server, and access to *.dev.peddals.com is diverted to my Raspberry Pi Apache server.<\/p>\n\n\n\n After the above the command froze for some reason. Aborted by ctrl + C and rerunthe I think sharing email address (above) is NOT required however, sharing IP address IS required, so answer Y(es) to the below question.<\/p>\n\n\n\n Add the hostname and value as a TXT record in your DNS server. Sorry for the Japanese characters but the below reads from the top to the bottom: Host name, Type, Value, TTL, Priority.<\/p>\n\n\n\n Once added, go back to the CLI and hit the enter key. In my case I added the top level domain well, so there’s another challenge.<\/p>\n\n\n\n Do the similar thing on your DNS server then hit the enter key to complete the process as below.<\/p>\n\n\n\n Path to your certs and key are written under IMPORTANT NOTES (if you forget the paths, search them in Enable SSL in Apache by the following command Apache. The last 2 commands are to restart and check the status of Apache.<\/p>\n\n\n\n A change and additions to a http (port: 80) site config file are as below. Change the port from 80 to 443 and add SSL related settings. As this (my case) is only for dev sites in a closed environment, no other security settings such as http headers are added. Since HTTPS preload and includeSubDomains are included in my HSTS policy, there’s no need to have redirection from port 80.<\/p>\n\n\n\n Get the config syntax checked and reload the apache configurations.<\/p>\n\n\n\n Now you can open your site in web browsers. You don’t need to add You should, even for your dev env., renew the cert before expired. You can renew in 30 days until the expiration. As this case is for test sites manual renewal is fine for now. Run the command with the When you run the command when renewal is not needed, you can see the expiration date.<\/p>\n\n\n\n As this website is on hosting servce, I have the .htaccess file which has the below line in the document root directory. sudo<\/code> every time. $<\/code> is normal user shell prompt and # <\/code>is administrator level shell prompt. Others are output examples.<\/p>\n\n\n\n$ sudo bash\n# apt-get update\n# apt-get install certbot<\/code><\/pre><\/div>\n\n\n\n# certbot certonly --manual --preferred-challenges dns-01 -m mail@example.com -d '*.dev.peddals.com' -d peddals.com\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nPlugins selected: Authenticator manual, Installer None\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease read the Terms of Service at\nhttps:\/\/letsencrypt.org\/documents\/LE-SA-v1.3-September-21-2022.pdf. You must\nagree in order to register with the ACME server at\nhttps:\/\/acme-v02.api.letsencrypt.org\/directory\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(A)gree\/(C)ancel: A\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nWould you be willing to share your email address with the Electronic Frontier\nFoundation, a founding partner of the Let's Encrypt project and the non-profit\norganization that develops Certbot? We'd like to send you email about our work\nencrypting the web, EFF news, campaigns, and ways to support digital freedom.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(Y)es\/(N)o: Y<\/code><\/pre><\/div>\n\n\n\ncertbot<\/code> to proceed the process.<\/p>\n\n\n\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nPlugins selected: Authenticator manual, Installer None\nObtaining a new certificate\nPerforming the following challenges:\ndns-01 challenge for dev.peddals.com\ndns-01 challenge for peddals.com\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nNOTE: The IP of this machine will be publicly logged as having requested this\ncertificate. If you're running certbot in manual mode on a machine that is not\nyour server, please ensure you're okay with that.\n\nAre you OK with your IP being logged?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(Y)es\/(N)o: Y\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease deploy a DNS TXT record under the name\n_acme-challenge.dev.peddals.com with the following value:\n\n(your value here)\n\nBefore continuing, verify the record is deployed.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPress Enter to Continue<\/code><\/pre><\/div>\n\n\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease deploy a DNS TXT record under the name\n_acme-challenge.peddals.com with the following value:\n\n(your value here)\n\nBefore continuing, verify the record is deployed.\n(This must be set up in addition to the previous challenges; do not remove,\nreplace, or undo the previous challenge tasks yet. Note that you might be\nasked to create multiple distinct TXT records with the same name. This is\npermitted by DNS standards.)\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPress Enter to Continue\n<\/code><\/pre><\/div>\n\n\n\nWaiting for verification...\nCleaning up challenges\n\nIMPORTANT NOTES:\n - Congratulations! Your certificate and chain have been saved at:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem\n Your key file has been saved at:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/privkey.pem\n Your cert will expire on 2024-02-10. To obtain a new or tweaked\n version of this certificate in the future, simply run certbot\n again. To non-interactively renew *all* of your certificates, run\n "certbot renew"\n - If you like Certbot, please consider supporting our work by:\n\n Donating to ISRG \/ Let's Encrypt: https:\/\/letsencrypt.org\/donate\n Donating to EFF: https:\/\/eff.org\/donate-le<\/code><\/pre><\/div>\n\n\n\n\/etc\/letsencrypt\/live\/<\/code>). Let’s encrypt certs expire every 90 days, and you have to renew. Files are symbolic link to actual certs and key to avoid tasks to update Apache config file.<\/p>\n\n\n\n# ll \/etc\/letsencrypt\/live\/dev.peddals.com\/\ntotal 12\ndrwxr-xr-x 2 root root 4096 Nov 12 19:00 .\/\ndrwx------ 3 root root 4096 Nov 12 19:00 ..\/\n-rw-r--r-- 1 root root 692 Nov 12 19:00 README\nlrwxrwxrwx 1 root root 39 Nov 12 19:00 cert.pem -> ..\/..\/archive\/dev.peddals.com\/cert1.pem\nlrwxrwxrwx 1 root root 40 Nov 12 19:00 chain.pem -> ..\/..\/archive\/dev.peddals.com\/chain1.pem\nlrwxrwxrwx 1 root root 44 Nov 12 19:00 fullchain.pem -> ..\/..\/archive\/dev.peddals.com\/fullchain1.pem\nlrwxrwxrwx 1 root root 42 Nov 12 19:00 privkey.pem -> ..\/..\/archive\/dev.peddals.com\/privkey1.pem<\/code><\/pre><\/div>\n\n\n\nEnable SSL in Apache and edit site config file<\/h3>\n\n\n\n
# a2enmod ssl\nConsidering dependency setenvif for ssl:\nModule setenvif already enabled\nConsidering dependency mime for ssl:\nModule mime already enabled\nConsidering dependency socache_shmcb for ssl:\nEnabling module socache_shmcb.\nEnabling module ssl.\nSee \/usr\/share\/doc\/apache2\/README.Debian.gz on how to configure SSL and create self-signed certificates.\nTo activate the new configuration, you need to run:\n systemctl restart apache2\n# systemctl restart apache2\n# systemctl status apache2<\/code><\/pre><\/div>\n\n\n\n<VirtualHost *:443>\n\tSSLEngine on\n\tSSLCertificateFile \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem\t\n\tSSLCertificateKeyFile \/etc\/letsencrypt\/live\/dev.peddals.com\/privkey.pem<\/code><\/pre><\/div>\n\n\n\n# apachectl configtest\nSyntax OK\n# systemctl reload apache2<\/code><\/pre><\/div>\n\n\n\nTest in web browser<\/h3>\n\n\n\n
https:\/\/<\/code>.<\/p>\n\n\n\nLet’s Encrypt certs expire in 90 days.<\/h2>\n\n\n\n
--dry-run<\/code> option then without it if no error reported.<\/p>\n\n\n\n# certbot renew --dry-run\n# certbot renew<\/code><\/pre><\/div>\n\n\n\n# certbot renew\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nProcessing \/etc\/letsencrypt\/renewal\/dev.peddals.com.conf\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nCert not yet due for renewal\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nThe following certs are not due for renewal yet:\n \/etc\/letsencrypt\/live\/dev.peddals.com\/fullchain.pem expires on 2024-02-10 (skipped)\nNo renewals were attempted.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/code><\/pre><\/div>\n\n\n\nUse the crontab command to automate the renewal process. It’s not covered in this post.<\/s> (Corrected and added on Jul 25, 2024) Renewal cannot be automated. When the cert is expired or going to expire, you have to execute the full certbot certonly --manual --preferred-challenges dns-01<\/code> command followed by domain names again. You’ll get a new code that needs to be added as a TXT record for the cert to be renewed.<\/p>\n\n\n\nHSTS policy and where to add<\/h2>\n\n\n\n
includeSubDomains<\/code> to apply the configuration to all sub-domains and preload<\/code> to force access over HTTPS.<\/p>\n\n\n\n