In one of the previous articles, I explained how to harden the SSL configuration in Apache and how to add a Let’s Encrypt Everything SSL certificate to a Kerio Mail server. Now I will explain how to install a client that automatically renews your SSL certificate(s).
Connect to your server via SSH and install the client from GitHub using the following commands:
# aptitude install git
# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Now let’s generate the SSL certificate for your website. Run the client from the /opt/letsencrypt directory:
# ./letsencrypt-auto --apache -d sefnet.local
You can generate an SSL certificate for multiple websites by repeating the -d switch in a single command:
# ./letsencrypt-auto --apache -d sefnet.local -d sefnet2.local
Or you can create an SSL certificate that covers any of your subdomains:
# ./letsencrypt-auto --apache -d sefnet.local -d www.sefnet.local -d www1.sefnet.local -d www2.sefnet.local -d www3.sefnet.local
Once your SSL certificates are in place, you can use either HTTP Strict Transport Security (HSTS) or .htaccess to redirect traffic to your HTTPS webpage. The HSTS method is explained here; to use the .htaccess method, add the following to your .htaccess file:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://sefnet.local/$1 [R,L]
Remember to add www. to your subdomain configuration:
RewriteRule ^(.*)$ https://www.sefnet.local/$1 [R,L]
Now I will configure automatic SSL certificate renewal through crontab.
# crontab -e
00 2 * * 7 /opt/letsencrypt/letsencrypt-auto renew 2>&1 | tee -a /var/log/le-renew.log | mail -s "SSL certificate renewal results" firstname.lastname@example.org
This will trigger automatic SSL certificate renewal every Sunday at 02:00, write the steps into the log file, and send a mail with the results to your mail address.
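A cron wrapper for the renewal job described above, as an added example that is not part of the original article: it captures the client's output once, appends it to the log, mails the same text, and keeps the client's exit status so a failed renewal is flagged in the mail subject. The function name renew_and_report, the LE_* variables and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# renew_and_report, LE_LOG, LE_MAILTO, LE_MAILER and --run are hypothetical names.

LE_LOG="${LE_LOG:-/var/log/le-renew.log}"
LE_MAILTO="${LE_MAILTO:-firstname.lastname@example.org}"
LE_MAILER="${LE_MAILER:-mail}"   # must accept: -s SUBJECT ADDRESS, body on stdin

# renew_and_report CMD [ARGS...]
# Runs CMD, logs stdout and stderr under a timestamped header, mails the same
# output, and returns CMD's own exit status.
renew_and_report() {
    out=$(mktemp) || return 1
    status=0
    # "|| status=$?" records a failure without aborting under "set -e".
    "$@" >"$out" 2>&1 || status=$?

    {
        printf '=== %s exit=%s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$status" "$*"
        cat "$out"
    } >>"$LE_LOG"

    if [ "$status" -eq 0 ]; then
        subject="SSL certificate renewal results"
    else
        subject="FAILED: SSL certificate renewal results (exit $status)"
    fi

    # A broken mailer must not hide the renewal status; note it in the log.
    "$LE_MAILER" -s "$subject" "$LE_MAILTO" <"$out" \
        || echo "mail delivery failed" >>"$LE_LOG"

    rm -f "$out"
    return "$status"
}

# Cron calls the script with --run; without it only the function is defined.
if [ "${1:-}" = "--run" ]; then
    renew_and_report /opt/letsencrypt/letsencrypt-auto renew
fi
```

Saved as a script, the crontab entry would call it with --run in place of the direct letsencrypt-auto pipeline.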