SSL certificate generation
Install the Let's Encrypt client
Let's Encrypt offers free SSL certificates for use in HTTPS and similar services (such as IMAP and SMTP over TLS).
The first thing to do is install the Let's Encrypt client on the server.
Get certificates from Let's Encrypt
This is a bit of chicken-and-egg. First, you need to create the non-HTTPS virtual sites for all the domains you want to serve. You can then use the Apache plugin of the Let's Encrypt client (certbot) to fetch and install the certificates. Then, you can go back and fix the various certificate settings in the virtual host conf files.
If you have any existing web server running, turn it off for the first creation of certificates.
Get the certificates from:
root@server:# certbot --apache -d domain.tld -d www.domain.tld
root@server:# certbot --apache -d other.domain.tld -d www.other.domain.tld -d other1.domain.tld -d www.other1.domain.tld
root@server:# certbot --apache -d webmail.domain.tld -d mail.domain.tld -d imap.domain.tld
Each command will create a single certificate, with aliases to cover all the domains specified in that command. That will create certificates in /etc/letsencrypt/live/domain.tld and so on, one directory for each certificate obtained.
Note that I've also got a certificate for my mail servers, used for IMAP and SMTP over TLS.
If you use the --apache option in the command, it will automatically include the certificate use settings in the website config files. If you do that, note that every domain listed in all the requests must be explicitly listed as a ServerAlias in an Apache conf file, and that no Apache conf file can contain more than one VirtualHost section on port 443.
Extend the domains of a certificate
If you want to add additional domains to an existing certificate, you need the --cert-name option and must list all the domains for the certificate:
root@server:~# certbot certonly --cert-name domain.tld -d domain.tld,www.domain.tld,other.domain.tld
root@server:~# systemctl reload apache2.service
Domains not listed in the certbot --cert-name command will be removed from the certificate.
Note that you need to include the original domain.tld certificate name in the certificate expansion command. Luckily, certbot asks you to confirm changes before you make them.
Check the contents of a certificate
If you want to see what certificates you have, use `certbot`:
root@server:~# certbot certificates
If you want to check the contents of a certificate, use this command:
root@server:~# openssl x509 -in /etc/letsencrypt/live/domain.tld/cert.pem -text
Areas of interest are likely to be the Validity section, which contains the date range for which the certificate is valid, and the X509v3 Subject Alternative Name section, which lists the domains for which this certificate is valid.
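The two things worth checking after issuing or extending a certificate are exactly the ones named above: that the Subject Alternative Name list covers every ServerName and ServerAlias the vhost serves, and when the certificate expires. The following added example (not part of the original page) parses the text output of openssl x509 with small POSIX shell functions and reports the vhost names that the certificate does not cover. The sample certificate text and vhost snippet are constructed for the demonstration; the function names and the /etc/apache2/sites-enabled path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: check that a certificate covers the names an Apache vhost
# serves. Helper names are hypothetical; input format is that of
# `openssl x509 -in cert.pem -noout -text` (SAN entries on one line).

# Print the DNS names from the X509v3 Subject Alternative Name section,
# one per line. Reads the openssl text dump from stdin.
cert_san_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; gsub(/,/, "\n"); print }' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print the "Not After" date from the Validity section (stdin).
cert_not_after() {
    sed -n 's/^[[:space:]]*Not After *: *//p'
}

# Print every ServerName / ServerAlias argument of an Apache conf (stdin),
# one per line; these are the names the certificate must cover.
vhost_names() {
    awk '$1 == "ServerName" || $1 == "ServerAlias" { for (i = 2; i <= NF; i++) print $i }'
}

# Given a space-separated list of required names and the openssl text
# dump on stdin, print each required name that is missing from the SANs.
cert_missing_names() {
    sans=$(cert_san_names)
    for want in $1; do
        echo "$sans" | grep -qxF "$want" || echo "$want"
    done
}

# Real-world use (needs openssl, and root to read the live directory), e.g.:
#   check_vhost_cert /etc/apache2/sites-enabled/domain.tld.conf \
#                    /etc/letsencrypt/live/domain.tld/cert.pem
# Prints nothing when every vhost name is covered.
check_vhost_cert() {
    wanted=$(vhost_names < "$1" | tr '\n' ' ')
    openssl x509 -in "$2" -noout -text | cert_missing_names "$wanted"
}

# Constructed sample data standing in for the real files.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Mar 31 23:59:59 2024 GMT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:domain.tld, DNS:www.domain.tld'

SAMPLE_VHOST='<VirtualHost *:443>
    ServerName domain.tld
    ServerAlias www.domain.tld other.domain.tld
</VirtualHost>'

# Demonstration on the constructed data: other.domain.tld is reported as
# missing, which is the case the --cert-name expansion above fixes.
demo_missing() {
    wanted=$(printf '%s\n' "$SAMPLE_VHOST" | vhost_names | tr '\n' ' ')
    printf '%s\n' "$SAMPLE_CERT_TEXT" | cert_missing_names "$wanted"
}
```

A name reported by cert_missing_names is one that certbot --apache would either have refused to serve on port 443 or that a browser would reject with a name mismatch, so running the check after every certbot run (and after editing a vhost) catches the two errors the paragraphs above warn about.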
Automatically update certificates
Create the file /etc/cron.daily/letsencrypt-renew with the following content:
#!/bin/sh
/usr/bin/certbot renew
systemctl reload apache2.service
systemctl reload dovecot.service
systemctl reload postfix.service
Make it executable:
root@server:# chmod +x /etc/cron.daily/letsencrypt-renew
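The cron script above reloads Apache, Dovecot and Postfix every day whether or not anything was renewed. certbot can instead run a deploy hook only when a certificate actually changed (certbot renew --deploy-hook /path/to/script, or a script placed in /etc/letsencrypt/renewal-hooks/deploy/), and it exports the renewed lineage directory and domain list to that hook as RENEWED_LINEAGE and RENEWED_DOMAINS. The following added example (not the page's cron script) is such a hook; the rule mapping domain names to the services that present their certificate is an assumption chosen to match the certificates issued above.

```shell
#!/bin/sh
# Added example: a certbot deploy hook that reloads only the services that
# present a renewed certificate. certbot sets RENEWED_LINEAGE (the
# /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (space
# separated) before running a --deploy-hook, so nothing runs on the days
# when `certbot renew` finds nothing to do.

# Map one renewed domain to the services that must reload for it.
# Name-based policy (assumption for this example): the mail hostnames also
# reload Dovecot and Postfix, everything else is only served by Apache.
services_for_domain() {
    case "$1" in
        mail.*|imap.*|smtp.*) echo "apache2 dovecot postfix" ;;
        *)                     echo "apache2" ;;
    esac
}

# Combine the services for all renewed domains into one de-duplicated,
# space-separated list so each service is reloaded at most once.
services_for_domains() {
    out=""
    for d in $1; do
        for s in $(services_for_domain "$d"); do
            case " $out " in
                *" $s "*) ;;              # already listed
                *) out="$out $s" ;;
            esac
        done
    done
    echo "${out# }"
}

# Reload each listed service. With the second argument set to "dry" it
# only prints what it would do, which is also what the self-check uses.
reload_services() {
    for s in $1; do
        if [ "${2:-}" = "dry" ]; then
            echo "would reload $s.service"
        else
            systemctl reload "$s.service" \
                || logger -t letsencrypt-hook "reload of $s.service failed"
        fi
    done
}

# Act only when certbot invoked us (RENEWED_LINEAGE set); sourcing the
# file for its functions, or running it by hand, does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    logger -t letsencrypt-hook "renewed $RENEWED_LINEAGE ($RENEWED_DOMAINS)"
    reload_services "$(services_for_domains "$RENEWED_DOMAINS")"
fi
```

The failed-reload branch logs to syslog rather than exiting, so one misbehaving daemon does not prevent the remaining services from picking up the new certificate; the daily cron job then reduces to a single certbot renew call with the hook attached.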
Read the old instructions for Self-signed SSL certificate generation.