Recently I set up a new web server on a Raspberry Pi at home to run a new web application securely and to properly isolate it from my other servers. One new thing I wanted to try out was setting up a Let’s Encrypt certificate for HTTPS access, and learning how the tools work that automatically install and renew the certificate.
It turned out not to be very difficult, just a bit different from the standard installation method described on the Let’s Encrypt web site for Debian-based systems. I also noticed that one should check that HTTP digest authentication configured in ‘.htaccess’ files for some directories still works as intended once Let’s Encrypt is set up, as it didn’t in my case.
As the Let’s Encrypt client is not (yet) included in the Raspbian software repository it has to be installed from GitHub. This is done as follows:
sudo apt-get update && sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
Before starting the certificate installation it is important that the web server (Apache in my case) is reachable from the Internet on port 443 under the domain name the certificate is requested for. Let’s Encrypt only issues a certificate after its validation servers have connected to that name and confirmed that the host answering there is under the requester’s control, so the DNS entry must point at the server and port 443 must actually be forwarded to it. (Newer versions of the Apache plugin validate over plain HTTP on port 80 instead, so check which port your client version needs.) For security reasons I’ve decided to use a different port on the outside of my NAT, so I had to temporarily change that mapping during the certificate installation (and again whenever I want to renew it).
Once the server is reachable on port 443 the certificate retrieval and installation process can be started with the following command:
cd letsencrypt
./letsencrypt-auto --verbose --apache -d WWW.MY-SERVER.COM
And that’s it: after about a minute the certificate is retrieved and installed.
Make Sure HTTP DIGEST Authentication Still Works
If you are using HTTP digest authentication to restrict access to some URLs it is important to test that this still works. In my case it didn’t, because Let’s Encrypt creates a new default SSL site configuration file (/etc/apache2/sites-enabled/000-default-le-ssl.conf) which does not include a number of “Directory” blocks I had put into the default SSL config file. Apache only honours ‘.htaccess’ directives such as AuthType Digest inside a “Directory” block whose AllowOverride setting permits them (AuthConfig or All); without such a block in the new virtual host the ‘.htaccess’ file is silently ignored and the directory is served without any authentication. Copying the blocks over and restarting Apache fixed the problem. To verify, request a protected URL over https and confirm that the server answers with 401 Unauthorized rather than the page content.
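To make that check repeatable after every renewal, here is a small shell script I added as an example (it is not from the original post, nor part of certbot): it lists the “Directory” blocks of the hand-maintained SSL virtual host, reports any that the certbot-generated virtual host lacks, and reports any whose AllowOverride value differs, since ‘.htaccess’ auth directives are only honoured when AllowOverride includes AuthConfig or All. The file paths and the two sample virtual hosts embedded in it are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original post or of certbot: check that the
# certbot-generated SSL vhost still carries every <Directory> block of the
# hand-maintained one, with the same AllowOverride setting. Apache only honours
# .htaccess auth directives (AuthType Digest etc.) inside a <Directory> whose
# AllowOverride includes AuthConfig or All; a missing or changed block means
# the "protected" directory is served to everyone. Paths are assumptions.

ORIG_VHOST=${ORIG_VHOST:-/etc/apache2/sites-available/default-ssl.conf}
LE_VHOST=${LE_VHOST:-/etc/apache2/sites-available/000-default-le-ssl.conf}

# Print the path of every <Directory ...> opening tag in file $1, one per line.
directory_paths() {
    sed -n 's/^[[:space:]]*<Directory[[:space:]]\{1,\}"\{0,1\}\([^">]*\)"\{0,1\}[[:space:]]*>.*/\1/p' "$1"
}

# Print the AllowOverride value of the <Directory $2> block in file $1;
# prints nothing when the block or the directive is absent.
allow_override() {
    awk -v want="$2" '
        /^[ \t]*<Directory[ \t]/ {
            p = $0
            sub(/^[ \t]*<Directory[ \t]+"?/, "", p)
            sub(/"?[ \t]*>.*$/, "", p)
            inblock = (p == want)
            next
        }
        /^[ \t]*<\/Directory>/ { inblock = 0; next }
        inblock && /^[ \t]*AllowOverride[ \t]/ {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# Compare the <Directory> blocks of $1 (original vhost) against $2 (generated
# vhost). Prints one line per problem, nothing when everything carried over.
vhost_problems() {
    directory_paths "$1" | while IFS= read -r dir; do
        if ! directory_paths "$2" | grep -qxF -- "$dir"; then
            printf 'MISSING  <Directory %s> not in %s\n' "$dir" "$2"
            continue
        fi
        orig_ao=$(allow_override "$1" "$dir")
        le_ao=$(allow_override "$2" "$dir")
        [ "$orig_ao" = "$le_ao" ] ||
            printf 'CHANGED  <Directory %s>: AllowOverride "%s" in %s but "%s" in %s\n' \
                "$dir" "$orig_ao" "$1" "$le_ao" "$2"
    done
    return 0
}

# Two constructed sample vhosts so the check runs without an Apache install:
# the original grants AuthConfig for /admin and /private; certbot's copy drops
# the /admin block and resets /private to AllowOverride None.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/default-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        AllowOverride None
        Require all granted
    </Directory>
    <Directory "/var/www/html/admin">
        AllowOverride AuthConfig
        Require all granted
    </Directory>
    <Directory /var/www/html/private>
        AllowOverride AuthConfig
        Require all granted
    </Directory>
</VirtualHost>
EOF
cat >"$SAMPLE_DIR/000-default-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        AllowOverride None
        Require all granted
    </Directory>
    <Directory /var/www/html/private>
        AllowOverride None
        Require all granted
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/www.my-server.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.my-server.com/privkey.pem
</VirtualHost>
</IfModule>
EOF

echo "== constructed samples =="
vhost_problems "$SAMPLE_DIR/default-ssl.conf" "$SAMPLE_DIR/000-default-le-ssl.conf"

# With a real installation, compare the actual files (set ORIG_VHOST/LE_VHOST
# to override the assumed paths).
if [ -r "$ORIG_VHOST" ] && [ -r "$LE_VHOST" ]; then
    echo "== $LE_VHOST =="
    vhost_problems "$ORIG_VHOST" "$LE_VHOST"
fi
```

On the constructed samples the script reports the dropped /admin block as MISSING and the /private block as CHANGED; on a real system an empty report after each renewal means the “Directory” blocks (and with them the digest authentication) are still in place. It checks the configuration only, so still request a protected URL afterwards and confirm the 401.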
Updating The Certificate
Let’s Encrypt certificates are only valid for 90 days, so they have to be replaced regularly. As I don’t use the standard https port mapping I can’t automate the renewal, because I have to change the port mapping by hand before each renewal. But since the certificate can be replaced with a single command it’s not too much of a hassle. The following command renews the certificate before it is due (the client script has since been renamed from letsencrypt-auto to certbot-auto; “--force-renewal” overrides the due-date check), which is a good thing to try right after installation just to make sure the process works as intended when run again in a few weeks’ time:
cd letsencrypt
./certbot-auto renew --force-renewal
Fortunately the Apache “Directory” blocks I copied manually into the Let’s Encrypt SSL configuration file survive the certificate replacement, so the access restrictions are not lost during renewal. It is still worth re-testing the protected URLs after each renewal, as the generated configuration file is the one that gets touched.