Over the past six months I have had all sorts of issues with SSL on my home server powered by a Raspberry Pi. Originally I was using a free Class 1 StartCom SSL certificate, but due to a badly handled take-over at the company, Mozilla, Google and Microsoft have invalidated StartCom’s root certificates and the CA is going through the painful process of regaining browser vendor trust. This had the knock-on consequence of course that all their child certificates became invalid, including ones I used.
So whilst StartCom rebuild their trust, what alternatives are there for a globally recognised free SSL for personal/non-profits? Well there is now “Let’s Encrypt”, which will grant rolling temporary 90-day certificates. I found documentation for Let’s Encrypt to be very incomplete or insufficiently covering all possible scenarios, so for my own personal reference (and anyone reading this), here is my guide to setting up Let’s Encrypt on a Raspberry Pi running Apache.
Log into your Pi with a sudoer user (eg ‘pi’) and make sure you have git installed.
~# sudo apt-get update && sudo apt-get install git
I usually create a directory in the home/pi directory for sources
~# mkdir srcs/
Switch to the srcs directory and git clone letsencrypt
~# cd srcs
srcs# git clone https://github.com/letsencrypt/letsencrypt
Enter the letsencrypt clone and run the tool for apache, with domains specified.
srcs# cd letsencrypt
letsencrypt# ./letsencrypt-auto –verbose –apache [-d <domain>]
Please note; Take special care of the “verbose” and “apache” arguments. They should have two dashes in front of them (the website may present them into one long dash).
The [-d <domain>] is the domain declaration. You can do multiple domains on one certificate by chaining multiple -d commands. Eg:
-d www.dmcostello.co.uk -d dmcostello.co.uk -d subdomain.dmcostello.co.uk -d www.subdomain.dmcostello.co.uk -d othersub.dmcostello.co.uk -d www.othersub.dmcostello.co.uk
IMPORTANT: All domains you enter need to exist on your DNS record. If they don’t, your request for certificates will fail.
Once the command runs, depending on your Apache configuration, everything may be ok. Let’s Encrypt will try and automatically set the SSL certificates for each domain you specify so you don’t need to do any manual config changes.
However; this didn’t work for me.
– Unable to install the certificate
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.com/fullchain.pem. Your cert
will expire on 2017-08-02. To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again
with the “certonly” option. To non-interactively renew *all* of
your certificates, run “letsencrypt-auto renew”
My Vhosts file contains multiple entries, and at the time of writing Let’s Encrypt cannot parse a multiple-entry config file. Because of this I had to manually edit my vhosts to add in the following lines to each SSL vhost:
As mentioned, the certificates expire after 90 days. You can set a cron job to run the auto command on or before the day the certificates expire. You can setup a cron task by creating a shell script containing the following:
I saved mine as ‘letsencrypt-renew.sh’ in the /home/pi directory. Again; please take note that “force-renew” needs two dashes before it. The site may display only one in the code sample above.
Then for cron (open using ‘crontab -e‘):
0 0 1 */3 * sudo /bin/bash /home/pi/letsencrypt-renew.sh >/dev/null 2>&1
The above line in crontab should trigger a run of the script on the 1st day of the month, every 3 months, at midnight (00:00). Output from the script will be sent to /dev/null. If you omit the output redirection and have mail configured on your Linux instance then the output will be emailed to you.
Hopefully this guide will provide some assistance with configuring Let’s Encrypt. Personally I’m looking forward to the restoration of trust with StartCom SSL, as their annual certificate offerings are much less hassle. 🙂