Lego (“Automatic Certificates and HTTPS for everyone”) is an ACME client that lets you prove control of your domain names and obtain certificates for them from the Let's Encrypt certificate authority.
Installation :
sudo apt-get -y install lego
After installation, we recommend that you first run a test issuance against the staging environment, because the certificate authority enforces rate limits on production requests.
You can test your certificate generation like this:
cd ~ && sudo lego --server=https://acme-staging-v02.api.letsencrypt.org/directory --accept-tos --email yourEmail@x.com --http --http.webroot /var/www/habeuk/public/web --http.port 80 -d www.habeuk.com -d habeuk.com run
Run it from your home directory (“cd ~”). This matters because lego keeps its account data and the generated certificates under “.lego/” in the directory it is run from, so here they end up in “~/.lego/certificates”. (You can run it from another directory; the “.lego” directory is then created there, and the paths in the vhost file below must be adjusted accordingly.)
Explanations :
--server=https://acme-staging-v02.api.letsencrypt.org/directory : the staging (test) environment. Its certificates are not trusted by browsers, but its rate limits are far more generous than production's, so start your tests here.
--accept-tos : accept the terms of service.
--http : use the HTTP-01 challenge.
--http.webroot : the absolute path to the site's document root. lego writes the challenge response under <webroot>/.well-known/acme-challenge/, and Apache must serve that path over plain HTTP. (When --http.webroot is given, --http.port is not used: it only configures lego's built-in challenge server, which you do not need when Apache is already listening on port 80.)
-d : the domain or sub-domain; you can give several. The first -d decides the names of the output files, so the test run above writes www.habeuk.com.crt, while the production run below writes habeuk.com.crt.
--email : your e-mail address (used for the ACME account and expiry notices).
If there are no errors, you can run against production. Failed validations are rate-limited there (at the time of writing this memo, 3 failures per week), so fix any error on staging first.
Generate the certificate with lego (without --server, lego uses the production directory):
sudo lego --accept-tos --email yourEmail@x.com --http --http.webroot /var/www/habeuk/public/web --http.port 80 -d habeuk.com -d www.habeuk.com run
The files generated are in “~/.lego/certificates”: habeuk.com.crt (the certificate followed by the intermediate chain), habeuk.com.key (the private key, which must stay readable only by root) and habeuk.com.issuer.crt.
You then need to update the virtual host file and reload Apache.
Example for the virtual host file:
<VirtualHost *:80>
    ServerAdmin you_email@x.com
    ServerName habeuk.com
    ServerAlias www.habeuk.com
    DocumentRoot /var/www/habeuk/public/web
    <Directory /var/www/habeuk/public/web>
        # "Indexes" enables directory listings; drop it unless you really want them.
        Options Indexes FollowSymLinks
        AllowOverride All
        # Apache 2.4 syntax; the 2.2 form "Order Deny,Allow / Allow from all"
        # only works when mod_access_compat is loaded.
        Require all granted
        # clear the default index list, then serve index.php only
        DirectoryIndex disabled
        DirectoryIndex index.php
    </Directory>
    # redirect to https (needs mod_rewrite: sudo a2enmod rewrite).
    # Let's Encrypt follows the redirect, so HTTP-01 keeps working as long as
    # the 443 vhost serves the same DocumentRoot.
    RewriteEngine On
    RewriteCond %{SERVER_NAME} =habeuk.com [OR]
    RewriteCond %{SERVER_NAME} =www.habeuk.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    # ErrorLog ${APACHE_LOG_DIR}/error.log
    ErrorLog /var/www/habeuk/public/logs/error.log
    CustomLog /var/www/habeuk/public/logs/access.log combined
    # CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin you_email@x.com
    # ServerName/ServerAlias must match the names on the certificate
    # (-d habeuk.com -d www.habeuk.com); any other name gets a browser warning.
    ServerName habeuk.com
    ServerAlias www.habeuk.com
    DocumentRoot /var/www/habeuk/public/web
    <Directory /var/www/habeuk/public/web>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/www/habeuk/public/logs/error.log
    CustomLog /var/www/habeuk/public/logs/access.log combined
    # SSL conf. The .crt written by lego contains the leaf certificate plus the
    # intermediate chain, which Apache 2.4.8+ accepts in SSLCertificateFile.
    SSLEngine on
    SSLCertificateFile /home/ubuntu/.lego/certificates/habeuk.com.crt
    SSLCertificateKeyFile /home/ubuntu/.lego/certificates/habeuk.com.key
</VirtualHost>
Edit the vhost configuration file, in our case “/etc/apache2/sites-available/habeuk.conf”, then (re-)enable it:
sudo a2dissite habeuk.conf && sudo a2ensite habeuk.conf
And finally check the configuration syntax and reload Apache :
sudo apachectl configtest && sudo systemctl reload apache2
The lego application has one drawback: it has no built-in scheduler. Let's Encrypt certificates expire after 90 days, so you have to run the renewal yourself, by hand or from cron.
sudo lego --accept-tos --email yourEmail@x.com --http --http.webroot /var/www/habeuk/public/web --http.port 80 -d habeuk.com -d www.habeuk.com renew
(The command is the same as for certificate generation, with run replaced by renew. renew only replaces the files when the certificate has fewer than 30 days left (the --days option), and Apache must be reloaded afterwards to pick up the new files.)
You can also use certbot, which ships a timer and performs renewal autonomously.
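The following cron-driven renewal wrapper is an added example, not code from the page or from the lego project. It ties the steps above together: it changes into the directory lego was first run from (lego keeps its state in ./.lego), skips the work while the certificate is still far from expiry, checks that /.well-known/acme-challenge/ is actually reachable over HTTP before bothering the CA, and runs lego renew with lego 4.x's --renew-hook so that Apache is only reloaded when a new certificate was really written. The directory, webroot, e-mail and domain list are assumptions taken from this page; adapt them to your setup.

```shell
#!/bin/sh
# Added example (not from the page or the lego project): unattended renewal
# wrapper for lego, meant to be run from root's crontab with the argument "run".
# The values below are assumptions matching this tutorial; adjust them.
set -eu

LEGO_DIR=/home/ubuntu                 # lego keeps state in $PWD/.lego, so cd there first
WEBROOT=/var/www/habeuk/public/web
EMAIL=yourEmail@x.com
DOMAINS="habeuk.com www.habeuk.com"   # the first one names the files in .lego/certificates
MIN_DAYS=30                           # lego's own default for 'renew --days'

# lego names its output files after the first -d domain, with '*' replaced by '_'
# (a wildcard certificate for *.example.com is stored as _.example.com.crt).
lego_cert_basename() {
    set -- $1                         # split the domain list, keep the first entry
    printf '%s\n' "$1" | tr '*' '_'
}

# Build the "-d a -d b" part of the command line from a space-separated list.
domain_args() {
    out=""
    for d in $1; do out="$out -d $d"; done
    printf '%s\n' "${out# }"
}

# Succeeds if the certificate in $1 is still valid for more than $2 days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Pre-flight: drop a token under the webroot and fetch it the way the CA will.
# This catches a rewrite rule or .htaccess that blocks /.well-known/acme-challenge/.
# curl -L follows the http->https redirect, just as Let's Encrypt does.
preflight_challenge_path() {
    dir="$WEBROOT/.well-known/acme-challenge"
    token="preflight-$$"
    mkdir -p "$dir" && echo "$token" > "$dir/$token"
    got=$(curl -fsSL --max-time 10 \
        "http://$(lego_cert_basename "$DOMAINS")/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

main() {
    cd "$LEGO_DIR"
    base=$(lego_cert_basename "$DOMAINS")
    crt=".lego/certificates/$base.crt"
    if [ -f "$crt" ] && cert_valid_for_days "$crt" "$MIN_DAYS"; then
        echo "$crt still valid for more than $MIN_DAYS days, nothing to do"
        return 0
    fi
    preflight_challenge_path || { echo "challenge path not reachable over HTTP" >&2; return 1; }
    # shellcheck disable=SC2046 -- domain_args is deliberately word-split
    lego --accept-tos --email "$EMAIL" --http --http.webroot "$WEBROOT" \
        $(domain_args "$DOMAINS") renew --days "$MIN_DAYS" \
        --renew-hook "apachectl configtest && systemctl reload apache2"
}

# Cron entry (root): 0 3 * * * /usr/local/sbin/lego-renew.sh run >>/var/log/lego-renew.log 2>&1
case "${1:-}" in run) main ;; esac
```

Running it daily is fine: lego's renew is idempotent and the script exits early while more than 30 days remain, so the CA is only contacted when a renewal is due. The hook runs configtest first so that a broken vhost file cannot take the site down during an automated reload.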
See our tutorial: SSL Let's Encrypt: Installation and configuration on Debian 11