Migrating Self-Signed SSL Certificate to LetsEncrypt Certificate
Download Let's Encrypt Client
sudo -s
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Update Apache Configuration
Let's Encrypt does not detect multiple virtual hosts in a single file, so if you have multiple virtual hosts in a single file, you need to separate them and update the configuration for SSL only. Then redirect all plain-text traffic to SSL using a single virtual host.
Create a new virtual host in /etc/httpd/conf.d/redirect_ssl.conf to redirect plain-text traffic to SSL, replacing every <domain> with your domain, such as example.com:
<VirtualHost *:80>
    ServerName <domain>
    ServerAlias *.<domain>
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
</VirtualHost>
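The two conditions described above (one virtual host per file, and no port-80 virtual host left serving plain text) can be checked before running the client. The script below is an added example, not part of the original page; it assumes virtual hosts are defined in *.conf files directly under one directory, and the file combined.conf and all sample contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Pre-flight audit of Apache vhost files (added example, not from the page).
# Assumption: vhosts are defined in *.conf files directly under one directory.

# Print "count<TAB>file" for each file defining more than one <VirtualHost>.
multi_vhost_files() {
    local f n
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # grep -c exits 1 on zero matches, hence "|| true"; comment lines never match.
        n=$(grep -Eic '^[[:space:]]*<VirtualHost[[:space:]]' "$f" || true)
        if [ "$n" -gt 1 ]; then printf '%s\t%s\n' "$n" "$f"; fi
    done
}

# Print "file:line" for each port-80 block with no redirect to https://.
http_vhosts_without_redirect() {
    local f
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            { l = tolower($0) }
            l ~ /^[ \t]*<virtualhost[ \t].*:80[ \t>]/ { inblk = 1; start = NR; redir = 0; next }
            inblk && l ~ /^[ \t]*(rewriterule|redirect)[a-z]*[ \t].*https:\/\// { redir = 1 }
            inblk && l ~ /^[ \t]*<\/virtualhost>/ { if (!redir) print file ":" start; inblk = 0 }
        ' "$f"
    done
}

# Constructed sample configs (combined.conf is a hypothetical file name).
make_sample_dir() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '<VirtualHost *:80>' 'ServerName example.com' '</VirtualHost>' \
        '<VirtualHost *:443>' 'ServerName example.com' 'SSLEngine on' '</VirtualHost>' \
        > "$d/combined.conf"
    printf '%s\n' '<VirtualHost *:80>' 'ServerName example.com' 'RewriteEngine on' \
        'RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]' '</VirtualHost>' \
        > "$d/redirect_ssl.conf"
    echo "$d"
}

sample=$(make_sample_dir)
echo "Files to split before running the client:"; multi_vhost_files "$sample"
echo "Port-80 vhosts still serving plain text:";  http_vhosts_without_redirect "$sample"
rm -rf "$sample"
```

On a real server, call both functions with /etc/httpd/conf.d instead of the sample directory; empty output from both means the layout matches what this page describes.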
Setup SSL Certificates
cd /opt/letsencrypt
./letsencrypt-auto --apache -d <domain> -d www.<domain> -d <subdomain>.<domain>
Replace <domain> with your domain; subsequent subdomains can be specified with the -d option.
Restart Apache and Test
systemctl restart httpd
(Optional) Renewing SSL Certificates
Let's Encrypt issues certificates that are valid for 90 days; however, you can renew them earlier in case errors occur.
To renew the certificates, simply use the following command:
/opt/letsencrypt/letsencrypt-auto renew
If you have just created a new certificate, Let's Encrypt will not issue you a new one; it only issues a new certificate for your domains if the remaining validity period is less than 30 days. You can therefore create a cronjob that tries to renew the certificate every day, week or month, in case anything goes wrong with your certificate.
To set up a cronjob that renews the certificate automatically, enter the command crontab -e to create a new cronjob and add the following line:
0 3 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
The cronjob above runs every Monday at 3 A.M. and appends any output from /opt/letsencrypt/letsencrypt-auto to /var/log/le-renew.log. Please refer to the reference for more info on Linux cronjobs.