Letsencrypt: Difference between revisions

/etc/apache2/vhosts.d/01_default_ssl_namebased_vhost.conf

<IfDefine SSL>
<IfModule ssl_module>
# see bug #178966 why this is in here

# When we also provide SSL we have to listen to the HTTPS port
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
Listen 443

# OCSP stapling
SSLStaplingCache shmcb:/run/ocsp(128000)

</IfModule>
</IfDefine>

/etc/apache2/vhosts.d/ssl_security.include

# Forward Secrecy
# Source: https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

# OCSP stapling
SSLUseStapling on

# Strict Transport Security (HSTS)
# 180 days
Header always set Strict-Transport-Security "max-age=15552000"

# Let's Encrypt (webroot)
<IfModule mod_headers.c>
  <LocationMatch "/.well-known/acme-challenge/*">
    Header set Content-Type "application/jose+json"
  </LocationMatch>
</IfModule>

/etc/apache2/vhosts.d/subdomain.example.com

[...]
    SSLEngine On
    SSLCertificateFile /etc/ssl/apache2/subdomain.example.com/subdomain.example.com.crt
    SSLCertificateKeyFile /etc/ssl/apache2/subdomain.example.com/subdomain.example.com.key

    # SSL security configuration
    Include /etc/apache2/vhosts.d/ssl_security.include

</VirtualHost>

cronjob (first day every month at 12:00AM)

/etc/cron.d/certbot

MAILTO="mail@example.com"
0 0 1 * * certbot certonly --email "mail.example.com" --webroot -w /var/www/subdomain.example.com/htdocs -d subdomain.example.com --renew-by-default --noninteractive