Today I was occasionally recommended a list which provides SaaS, PaaS and IaaS offerings that have free tiers of interest to developers and infrastructure developers. Some free DNS providers are on the list. I used to want to obtain a domain name for my website with SSL enabled. So I take action immediately. I choose freedom.com as my free domain name service provider, then select a one-year free domain and purchase it free of charge.
After binding my IP address with the domain name, I got a management interface as follows, it also provides some other services like URL forwarding, creating and managing custom nameservers for my domain.
Next, it’s time to arm your domain with a certificate. As for why we need a certificate, I think this post will convince you with some unrejectable reasons. There are lots of CAs which provide a certificate, and I choose the most popular free certificate authority which names “Let’s Encrypt“. And it is convenient to deploy, automating renew your certificate with certbot. According to my operating system (Arch Linux) and HTTP software (Apache), I get the following instruction:
1 2
# installing the certbot sudo pacman -S certbot-apache
But before configuring certificate with certbot, we need to set up a virtual host on 80 port as follows in /etc/httpd/conf/httpd.conf:
<Proxy *> Order deny,allow Allow from all </Proxy> </VirtualHost>
Also we need to make mod_rewrite and mod_ssl enable in /etc/httpd/conf/httpd.conf otherwise we will get Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration and Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf/extra/nextcloud-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified error according to the post A and post B.
And you can execute the deployment with certbot and receive the success message:
Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: your-domain.com 2: www.your-domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry. (ref: /etc/letsencrypt/renewal/your-domain.com.conf)
What would you like to do? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: Attempt to reinstall this existing certificate 2: Renew & replace the cert (limit ~5 per 7 days) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1 Keeping the existing certificate Created an SSL vhost at /etc/httpd/conf/httpd-le-ssl.conf Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/your-domain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/your-domain.com/privkey.pem Your cert will expire on 2018-12-11. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
I also make all requests redirect to secure HTTPS access. And this certificate will last for 3 months, and before expiration, you can add the email address to receive the expiration notification according to the official post:
Requesting to rerun ./certbot-auto with root privileges... [sudo] admin password: Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Obtaining a new certificate Performing the following challenges: dns-01 challenge for your-domain.com dns-01 challenge for your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.your-domain.com with the following value:
kv40uFGWGujDtM1kd8SLkQa8aHkJKT_b3pP1y3G5PsM
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.your-domain.com with the following value:
QeuTiWaDbwYg-wLlOadfKt_03JkLG34_htFV_fg_52I
Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue Waiting for verification... Cleaning up challenges
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/your-domain.com-0001/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/your-domain.com-0001/privkey.pem Your cert will expire on 2019-01-14. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Since I use the manual option, I need to edit the /etc/httpd/conf/httpd.conf to configure all sub-domains. An example is:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
<VirtualHost *:80> ServerName sub.your-domain.com ErrorLog "/var/log/httpd/domain1.com-error_log" CustomLog "/var/log/httpd/domain1.com-access_log" common RewriteEngine on RewriteCond %{SERVER_NAME} =sub.your-domain.com RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] </VirtualHost> <VirtualHost *:443> ServerName sub.your-domain.com ErrorLog "/var/log/httpd/domain1.com-error_log" CustomLog "/var/log/httpd/domain1.com-access_log" common Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/your-domain.com-0001/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com-0001/privkey.pem </VirtualHost>
Restart the apache engine.
certbot certificates command will show your current certificate status.
