Configure Apache with Let’s Encrypt

Introduction

This guide shows how to configure Apache with Let’s Encrypt.

Dependencies

To follow this guide, your server needs to have the following dependencies installed:

Assumptions

This guide assumes these things:

  1. That you are using Ubuntu.
    If you are not using Ubuntu, please adjust the instructions to suit your distribution or operating system.

  2. That your ownCloud installation is configured using a VirtualHost (vhost) configuration instead of being configured in the main Apache configuration.

  3. That the vhost configuration file is stored under /etc/apache2/sites-available/.
    Not all distributions use this location, however. Refer to your distribution’s Apache documentation, to know where to store yours.

See the SSL Configuration Generator for setup details depending on your environment, especially the different results based on the selected Mozilla Configurations.

Create and Configure a Diffie-Hellman Params File

A Diffie-Hellman (DH) params file supplies the group used by the finite-field DHE cipher suites, which provide Forward Secrecy; ECDHE suites provide it without one, but clients that negotiate DHE must not be handed weak default parameters, so a strong group of your own is still part of a sound TLS setup. Read Perfect Forward Secrecy Explained or Perfect Forward Secrecy - An Introduction for more details.

When using Apache 2.4.8 or later and OpenSSL 1.0.2 or later, you can generate your own DH params file and point Apache at it with an SSLOpenSSLConfCmd directive. If it is not already present in your VirtualHost (vhost) file, add it; the 4096-bit group generated below replaces the built-in parameters with stronger ones and improves Forward Secrecy for DHE connections. Note that this file is not a certificate and has nothing to do with the Let's Encrypt certificate issued later in this guide.

The following OpenSSL command may take quite a while to complete (minutes, sometimes longer, for a 4096-bit group), so be patient.

You can place the generated DH params file into any directory of your choice by running the following command and changing the value supplied to the -out option. We recommend storing it in /etc/apache2/ in this guide, solely for simplicity.

sudo openssl dhparam -out /etc/apache2/dh4096.pem 4096

Once the command completes, add the following directive to your common SSL configuration:

SSLOpenSSLConfCmd DHParameters /etc/apache2/dh4096.pem

Let’s Encrypt ACME-Challenge

After that, add an Alias directive for the /.well-known/acme-challenge location to your HTTP VirtualHost configuration, as in the following example. The alias target must exist and be readable by the Apache user, and the same directory (/var/www/letsencrypt) is the webroot you hand to the Let's Encrypt client when requesting the certificate. The RedirectMatch returns 404 for any request under the alias that does not have the shape of a challenge token (43 base64url characters), so nothing else can be listed or fetched from that directory. Ubuntu's default apache2.conf already grants access to everything under /var/www; on other distributions add Require all granted to the Directory block.

<VirtualHost *:80>
  ServerName mydom.tld

  Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
  <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
      Options None
      AllowOverride None
      ForceType text/plain
      RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
  </Directory>

  # ... remaining configuration
</VirtualHost>

Create an SSL VirtualHost Configuration

We recommend storing the SSL directives for each site in a separate file. If these directives already exist in the site's virtual host, delete them there and Include the file instead. Once the certificate has been issued, the same file can be Included from any SSL-enabled virtual host for which the certificate is valid, without reissuing it. It also simplifies managing the certificate files: the whole block is switched on or off by commenting out a single Include line, and the virtual host configuration stays compact.

cd /etc/apache2/
sudo mkdir ssl_rules
sudo touch ssl_rules/ssl_mydom.tld

Contents of /etc/apache2/ssl_rules/ssl_mydom.tld:

# Let's Encrypt certificate for mydom.tld; kept separate to ease initial cert issuing
SSLEngine on
SSLCertificateFile       /etc/letsencrypt/live/mydom.tld/fullchain.pem
SSLCertificateKeyFile    /etc/letsencrypt/live/mydom.tld/privkey.pem

With Apache 2.4.8 or later, SSLCertificateFile accepts the server certificate followed by its intermediates, so fullchain.pem is all that is needed and SSLCertificateChainFile is deprecated. On older versions use cert.pem in SSLCertificateFile and chain.pem in SSLCertificateChainFile; do not use fullchain.pem there, as that sends the server certificate twice. The files under /etc/letsencrypt/live/ are symlinks that the Let's Encrypt client repoints on renewal, so Apache only needs a reload after each renewal.

OCSP stapling attaches a cached, CA-signed revocation status to the TLS handshake, so clients need not query the CA's OCSP responder themselves; it removes a round trip and keeps the responder from seeing which sites your users visit. Enable it with the SSLUseStapling and SSLStaplingCache directives. Note that SSLStaplingCache is only valid in the main server configuration (for example in /etc/apache2/mods-available/ssl.conf), not inside a VirtualHost or in a file Included from one; only SSLUseStapling belongs in the per-site file. Here's an example configuration:

SSLUseStapling on
SSLStaplingCache         shmcb:/tmp/stapling_cache(2097152)

Let's Encrypt has announced that it is phasing out OCSP in favour of CRLs. A certificate that carries no OCSP responder URI cannot be stapled; Apache logs a warning at startup and continues without a staple.

With the files created and filled-out, update your HTTPS VirtualHost configuration:

<VirtualHost *:443>
  ServerName mydom.tld

  # ssl letsencrypt
  # Include /etc/apache2/ssl_rules/ssl_mydom.tld

  #...
</VirtualHost>

For the moment, comment out the Include directive, as the certificate files do not exist yet.

Test and Enable the Apache Configuration

If not already done, enable the Apache2 ssl module necessary for the ssl configuration. Use the following command to enable it:

sudo a2enmod ssl

With the configuration created, test it by running one of the following two commands:

sudo apache2ctl configtest
sudo apache2ctl -t

It should not display any errors. If it doesn’t, load your new Apache configuration by running the following command:

sudo apache2ctl graceful

Create the SSL Certificates

See the Let’s Encrypt Create an SSL Certificate documentation for how to create the SSL certificates.

See the Let’s Encrypt Listing Existing Certificates documentation for how to list the SSL certificates.

Once the certificate files exist, uncomment the Include directive in your HTTPS VirtualHost configuration to use them, and run the configtest again before reloading.

<VirtualHost *:443>
  ServerName mydom.tld

  # ssl letsencrypt
  Include /etc/apache2/ssl_rules/ssl_mydom.tld

  #...
</VirtualHost>

Reload the Apache Configuration

Finally, reload (or restart) Apache:

sudo service apache2 reload

Apache is now ready to serve HTTPS requests for the given domain using the issued certificates.
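The following script is an added example and not part of the ownCloud documentation or of Apache; it verifies the live HTTPS endpoint after the reload. It checks that the served chain validates, that an intermediate certificate is actually sent (the symptom of serving cert.pem instead of fullchain.pem), and that an OCSP staple is attached where the certificate names an OCSP responder at all. The parsing is separated from the network call so it can be exercised on captured openssl s_client output; the host name mydom.tld is an assumption taken from this guide.

```bash
#!/usr/bin/env bash
# Added example, not ownCloud's or Apache's own code: verify the live HTTPS
# endpoint once the Include is active and Apache has been reloaded. It checks
# three things a browser only hints at: the chain validates, an intermediate
# certificate is actually sent (the cert.pem-instead-of-fullchain.pem
# mistake), and an OCSP staple is attached where the certificate has an
# OCSP responder at all. parse_tls_report is pure text processing over
# s_client output, so it can be exercised offline; tls_check does the
# network call. Host names are illustrative assumptions.
set -u

# parse_tls_report < s_client-output -> prints one line per check and returns
# the number of failed checks (0 means all good)
parse_tls_report() {
    local out certs ocsp_uri failures=0
    out=$(cat)

    # "Certificate chain" lists each certificate as " N s:<subject>"
    certs=$(printf '%s\n' "$out" | grep -Ec '^ *[0-9]+ s:' || true)
    if [ "$certs" -ge 2 ]; then
        echo "chain: $certs certificates sent (leaf plus intermediate): ok"
    else
        echo "chain: only $certs certificate sent; point SSLCertificateFile at fullchain.pem: FAIL"
        failures=$((failures + 1))
    fi

    if printf '%s\n' "$out" | grep -q '^Verify return code: 0 (ok)'; then
        echo "verify: ok"
    else
        echo "verify: $(printf '%s\n' "$out" | grep '^Verify return code' || echo 'no result'): FAIL"
        failures=$((failures + 1))
    fi

    # s_client echoes the leaf certificate as PEM; ask it for its OCSP URI
    ocsp_uri=$(printf '%s\n' "$out" | openssl x509 -noout -ocsp_uri 2>/dev/null || true)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "ocsp stapling: staple attached: ok"
    elif [ -n "$ocsp_uri" ]; then
        echo "ocsp stapling: no staple although the certificate names $ocsp_uri; check SSLUseStapling and SSLStaplingCache: FAIL"
        failures=$((failures + 1))
    else
        echo "ocsp stapling: certificate carries no OCSP responder URI, stapling not applicable"
    fi
    return "$failures"
}

# tls_check HOST [PORT] -> connect with SNI and request a staple (-status)
tls_check() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
        | parse_tls_report
}

# usage: tls_check.sh mydom.tld
if [ "$#" -gt 0 ]; then
    tls_check "$@"
fi
```

Run it as `./tls_check.sh mydom.tld` from a machine outside the server; a non-zero exit status means at least one check failed, and each line says which directive to look at.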

Add a Redirect Directive

Now that SSL has been configured and enabled, redirect all plain HTTP traffic to the HTTPS site. Keep the acme-challenge Alias above the Redirect: mod_alias applies the first matching directive in configuration order, so a catch-all Redirect placed first would also redirect the renewal challenge requests instead of serving them from the webroot. Reload the Apache configuration afterwards to activate it.

<VirtualHost *:80>
  ServerName mydom.tld

  Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
  <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
      Options None
      AllowOverride None
      ForceType text/plain
      RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
  </Directory>

  Redirect permanent / https://mydom.tld/

  # ... remaining configuration
</VirtualHost>
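The following script is an added example and not part of the ownCloud documentation or of Apache. It lints the files built in the ACME-Challenge, SSL VirtualHost and Redirect sections above for three mistakes that fail silently: a catch-all Redirect placed ahead of the acme-challenge Alias, SSLStaplingCache inside a VirtualHost or an Included snippet, and the deprecated SSLCertificateChainFile. It can also drop a throw-away token into the webroot and fetch it over HTTP to prove that the challenge path is served rather than redirected. The host name mydom.tld, the /var/www/letsencrypt webroot and the file names are assumptions taken from this guide's examples.

```bash
#!/usr/bin/env bash
# Added example, not ownCloud's or Apache's own code. An offline lint for the
# vhost files assembled in this guide, plus an optional live probe of the
# ACME challenge path. The lint flags three mistakes that break HTTP-01
# renewals or the TLS setup without an obvious error message:
#   1. "Redirect permanent /" placed before the acme-challenge Alias in the
#      :80 vhost (mod_alias applies the first matching directive in config
#      order, so challenge requests are redirected instead of served);
#   2. SSLStaplingCache inside a <VirtualHost>, or in a snippet that is
#      Included from one (it is only valid in the main server config);
#   3. SSLCertificateChainFile, deprecated since Apache 2.4.8 (put
#      fullchain.pem in SSLCertificateFile instead).
# Host names and paths are illustrative assumptions.
set -u

RE_REDIRECT_ROOT='^redirect[[:space:]]+((permanent|301)[[:space:]]+)?/[[:space:]]'
RE_ACME_ALIAS='^alias[[:space:]]+/\.well-known/acme-challenge/'
RE_STAPLING_CACHE='^sslstaplingcache[[:space:]]'
RE_CHAIN_FILE='^sslcertificatechainfile[[:space:]]'

# matches STRING ERE -> true if the string matches the extended regex
matches() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# order_finding FILE REDIRECT_LINE ALIAS_LINE -> prints a finding and returns 1
# when a catch-all Redirect precedes the acme-challenge Alias in one vhost
order_finding() {
    if [ "$2" -gt 0 ] && [ "$3" -gt 0 ] && [ "$2" -lt "$3" ]; then
        echo "$1:$2: catch-all Redirect precedes the acme-challenge Alias (line $3); move the Alias above it"
        return 1
    fi
    return 0
}

# lint_vhost FILE [CONTEXT]
# CONTEXT is "server" (default) for a sites-available file, or "vhost" for a
# snippet that is Included from inside a <VirtualHost>, such as the
# ssl_rules/ file created in this guide. Prints one line per finding and
# returns the number of findings (0 means clean).
lint_vhost() {
    local file="$1" ctx="${2:-server}"
    local line lc n=0 depth=0 findings=0 redirect_line=0 alias_line=0
    [ "$ctx" = vhost ] && depth=1
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # directives are case-insensitive; drop indentation before matching
        lc=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//' | tr '[:upper:]' '[:lower:]')
        case "$lc" in
            ''|'#'*) continue ;;
            '<virtualhost'*) depth=$((depth + 1)) ;;
            '</virtualhost'*)
                order_finding "$file" "$redirect_line" "$alias_line" || findings=$((findings + 1))
                redirect_line=0; alias_line=0; depth=$((depth - 1)) ;;
        esac
        if matches "$lc" "$RE_REDIRECT_ROOT"; then
            [ "$redirect_line" -eq 0 ] && redirect_line=$n
        elif matches "$lc" "$RE_ACME_ALIAS"; then
            [ "$alias_line" -eq 0 ] && alias_line=$n
        elif matches "$lc" "$RE_STAPLING_CACHE" && [ "$depth" -gt 0 ]; then
            echo "$file:$n: SSLStaplingCache is not valid inside <VirtualHost>; move it to the main server config"
            findings=$((findings + 1))
        elif matches "$lc" "$RE_CHAIN_FILE"; then
            echo "$file:$n: SSLCertificateChainFile is deprecated since 2.4.8; use SSLCertificateFile with fullchain.pem"
            findings=$((findings + 1))
        fi
    done < "$file"
    # a vhost-context snippet has no closing tag, so check the order at EOF
    [ "$depth" -gt 0 ] && { order_finding "$file" "$redirect_line" "$alias_line" || findings=$((findings + 1)); }
    return "$findings"
}

# probe_challenge HOST [WEBROOT] -> drops a throw-away token into the webroot
# and fetches it over plain HTTP, proving that the Alias serves it and that no
# Redirect intercepts the path. Needs a running Apache and network access.
probe_challenge() {
    local host="$1" webroot="${2:-/var/www/letsencrypt}" dir token code
    dir="$webroot/.well-known/acme-challenge"
    # 32 random bytes, base64url without padding: 43 characters, like a real token
    token=$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n')
    sudo mkdir -p "$dir" && printf 'probe\n' | sudo tee "$dir/$token" >/dev/null
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/.well-known/acme-challenge/$token")
    sudo rm -f "$dir/$token"
    [ "$code" = 200 ] && echo "challenge path OK (HTTP 200)" && return 0
    echo "challenge path returned HTTP $code; check Alias order, Directory access and the webroot"
    return 1
}

# usage: lint_vhost.sh FILE...   (e.g. sites-available/mydom.tld.conf)
if [ "$#" -gt 0 ]; then
    for f in "$@"; do lint_vhost "$f" || :; done
fi
```

Run the lint against the sites-available file and, with `vhost` as second argument, against the ssl_rules snippet; run `probe_challenge mydom.tld` on the server itself before requesting the certificate, so a failed HTTP-01 validation is never the first sign that the Alias or the Redirect order is wrong.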