It was time to enable https on all osm-hr servers, and Let’s Encrypt with certbot auto renewal was the best choice to do it. There are two steps in the process, install and configure certbot. Dependion on the OS first part may require additional steps.
Install
Debian 9
First you need to enable backports, edit /etc/apt/sources.list and add repo.
deb http://deb.debian.org/debian stretch-backports main
After than run update
apt-get update
Now you will have the option to install certbot
apt-get install certbot python-certbot-apache -t stretch-backports
Debian 10
No need for backports, just install certbot
apt-get install certbot python-certbot-apache
Ubuntu 18.04
Ubuntu alsop needs additional software and repo for certbot
apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
After the update certbot can be installed
apt-get install certbot python-certbot-apache
Configure
Configuration is the same
# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): user@domain.org
Fill in the username email address for notification to continue
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
(A)gree/(C)ancel: a
Read 🙂 and agree to Terms of Service to continue
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: n
I already shared another email with them and receive the news there, no need for duplication.
Which names would you like to activate HTTPS for?
1: tms.osm-hr.org
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1
Now we get the report what is done.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for tms.osm-hr.org
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/tms-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/tms-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/tms-le-ssl.conf
Another prompt about redirection, you have to chose
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
After that Apache rewrite mode is enabled
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/tms.conf to ssl vhost in /etc/apache2/sites-available/tms-le-ssl.conf
Congratulations! You have successfully enabled https://tms.osm-hr.org
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=tms.osm-hr.org
Final notice
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/tms.osm-hr.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/tms.osm-hr.org/privkey.pem
Your cert will expire on 2019-09-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
That’s all folks, now you have web server with automatic redirect to https.