= HTTPS for your web server =
Generally-trusted CAs' services cost money. We're going to avoid extra costs in this course, and will use the one and only free CA which is trusted by a typical browser: '''Let's Encrypt'''.
* Let's Encrypt won't give you a certificate for more than 3 months, which is why the paid-for CAs still exist. They encourage you to set up automatic renewals of your certificate using their custom software on your server, which is not always doable or even desirable. But it's free, and 3 months is good enough for this course.

== Create your signed certificate ==
The steps below follow the relevant instructions from the [https://help.datica.com/hc/en-us/articles/360044373551-Creating-and-Deploying-a-LetsEncrypt-Certificate-Manually Creating and Deploying a LetsEncrypt Certificate Manually] page (everything except the deploy part).
* Install certbot on your workstation using apt or the Software Manager. This is a command-line-only application.
* Run <source>certbot certonly --manual --preferred-challenges dns</source> as root. This will generate a key pair on your workstation for your domain. Replace asmith15.ops345.ca with the domain that's correct for you. The output below is cut off after the notice to publish the TXT record:
[[File:AWSCertbot-part1.png|border|center]]
The same session as text:
<source>$ sudo su
root@p51:/home/andrew# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): asmith15@myseneca.ca
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): asmith15.ops345.ca
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asmith15.ops345.ca

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.asmith15.ops345.ca with the following value:

SUobA6iJARuujmCDhb-4I0m61Zdtqe_uBgyX1ExrCPg

Before continuing, verify the record is deployed.</source>
* Let's Encrypt verifies that you're authorized to get a certificate for yourid.ops345.ca by asking you to add a DNS TXT record under that domain. It's a reasonable assumption that if you have control over the DNS records for a domain: it's your domain.
* Leave the terminal running certbot and go to Bindistrar to add the TXT record Let's Encrypt asked for.
* To avoid mistakes getting cached: double-check your record, then test it in another terminal on your workstation:<source>dig _acme-challenge.asmith15.ops345.ca TXT</source>
* If there is a mistake: note the TTL, it will make it hard for you to check that you fixed it correctly. But you can query the authoritative server for ops345.ca directly:<source>dig _acme-challenge.asmith15.ops345.ca TXT @littlesvr.ca</source>
* Once it looks good to you: press Enter in the terminal running certbot:
[[File:AWSCertbot-part2.png|border|center]]
The rest of the same session as text:
<source>Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/asmith15.ops345.ca/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/asmith15.ops345.ca/privkey.pem
   Your cert will expire on 2022-02-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@p51:/home/andrew# exit</source>
* If that looks good: you can delete the TXT record from your DNS, it was only needed for a single use.
* Save your private key and the certificate in your home directory to make them easier to find later and easier to back up:<source>mkdir ~yourusername/ops345/certbot
cp /etc/letsencrypt/live/yourusername.ops345.ca/privkey.pem ~yourusername/ops345/certbot/yourusername.ops345.ca.key.pem
cp /etc/letsencrypt/live/yourusername.ops345.ca/cert.pem ~yourusername/ops345/certbot/yourusername.ops345.ca.cert.pem
chown -R yourusername ~yourusername/ops345/certbot</source>
* Keep yourusername.ops345.ca.key.pem readable only by you (chmod 600): anyone who can read that file can impersonate your site until the certificate expires. Note also that certbot wrote a fullchain.pem next to cert.pem; it contains your certificate followed by the Let's Encrypt intermediate certificate. When you configure a service, give it the chain rather than the bare cert, otherwise clients that don't already have the intermediate can't validate your certificate.
The file yourusername.ops345.ca.cert.pem is what a CA would send you after you paid them. This one is free but expires in 90 days, which is good enough for this course. It:
* Is useless without its private key pair.
* Is not tied to the workstation you used to create it.
* Is not tied to any particular service (e.g. Apache).
* Is tied to the yourusername.ops345.ca domain.
* Will become useless after it expires.

== Set up Apache with HTTPS ==
* Get Apache to use the key:
** In /etc/httpd/conf/httpd.conf: ServerName asmith15.ops345.ca:80
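Before you point Apache at the copied files it is worth checking that they actually belong together, cover the right name and aren't about to expire, and that the _acme-challenge TXT record really says what certbot asked for. The script below is an added example and not part of the OPS345 page: the file names, the example.ops345.ca domain and the self-signed test certificate it generates are assumptions so it can be exercised offline; the real files come from certbot.

```shell
#!/bin/sh
# Added example, not from the OPS345 page: sanity-check a certificate and
# private key before handing them to Apache. The domain and file names are
# assumptions; use the ones certbot produced for your own domain.

# SHA-256 of the DER SubjectPublicKeyInfo carried inside a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public half of a private key, in the same DER encoding,
# so the two hashes are equal exactly when the key signed for that cert.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# check_cert_pair CERT KEY DOMAIN [DAYS]
# Returns 0 only if KEY is the private key for CERT, CERT covers DOMAIN (as a
# SAN dNSName or as the subject CN) and CERT is still valid DAYS days from
# now (default 14, so a 90-day Let's Encrypt cert gets flagged with time to renew).
check_cert_pair() {
    cert=$1; key=$2; domain=$3; days=${4:-14}
    if [ "$(cert_pubkey_hash "$cert")" != "$(key_pubkey_hash "$key")" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -text \
            | grep -Eq "(DNS:|CN ?= ?)$domain(,|\$)"; then
        echo "FAIL: $cert does not cover $domain" >&2
        return 1
    fi
    # -checkend exits 1 if the certificate expires within that many seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $days days, renew it" >&2
        return 1
    fi
    echo "OK: $cert and $key match and cover $domain for at least $days days"
    return 0
}

# acme_txt_matches DOMAIN TOKEN [SERVER]: true if the _acme-challenge TXT
# record for DOMAIN currently carries TOKEN. Pass the authoritative server
# (the page's littlesvr.ca) as SERVER to bypass a stale cached answer. Needs dig.
acme_txt_matches() {
    dig +short "_acme-challenge.$1" TXT ${3:+"@$3"} | tr -d '"' | grep -qx "$2"
}

# make_test_cert DIR DOMAIN: constructed self-signed sample so the checks can
# be exercised offline. A real certificate comes from certbot, not from here.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

Run it as `check_cert_pair ~yourusername/ops345/certbot/yourusername.ops345.ca.cert.pem ~yourusername/ops345/certbot/yourusername.ops345.ca.key.pem yourusername.ops345.ca`; a non-zero exit means don't deploy yet. The public-key comparison is the important one: a cert and a key that were generated in different certbot runs look alike but Apache will refuse to start with them.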