HTTPS support - Acquiring, renewing, and automatically renewing SSL certificates with Let's Encrypt

This page explains how to acquire an SSL certificate from Let's Encrypt, renew it, and automate the renewal.

Prerequisites for obtaining an SSL certificate with Let's Encrypt

With Let's Encrypt, the Let's Encrypt client works with your web server so that Let's Encrypt can access the server and confirm that you are the domain owner, after which an SSL certificate is issued.

Therefore, before following this page, finish the Apache settings, start the web application, and connect it through the reverse proxy, as described in the prerequisites for building an HTTPS-capable web system development environment in Perl.

Domain name and IP address settings on the DNS server

On a production server, the DNS server must map the domain name to the IP address of the server that serves it.

In the DNS settings of the service from which you acquired the domain, add the record that maps the domain name to the server's IP address.

Here it is assumed that an A record for the domain name www.mydomain.example points at the server's IP address "111.122.133.144".

Install certbot

Install certbot, the Let's Encrypt client application.

Launching a web application

Follow the steps below to start the web application.

Virtual host and reverse proxy settings

Follow the steps below to connect to your web application from the reverse proxy.

Write the Apache configuration file using a self-signed SSL certificate

Follow the steps below to write the Apache configuration using a self-signed SSL certificate.

Obtaining an SSL certificate with Let's Encrypt

Assume that a Mojolicious application named Myapp has been created under the home directory of the user myapp.

Also assume that the domain name www.mydomain.example has been acquired and that the DNS record mapping the domain name to the server's IP address is already in place.

Execute the following certbot command.

sudo certbot certonly --agree-tos --non-interactive -d www.mydomain.example --webroot -w /home/myapp/myapp/public --email kimoto.yuki@gmail.com

If you are asked if you want Apache to be auto-configured, select No.

The SSL certificate files will be created in the following directory. From top to bottom: the SSL certificate, the SSL certificate's private key, and the intermediate (chain) certificate.

/etc/letsencrypt/live/www.mydomain.example/cert.pem
/etc/letsencrypt/live/www.mydomain.example/privkey.pem
/etc/letsencrypt/live/www.mydomain.example/chain.pem

Follow the steps below to add the SSL certificate to the Apache configuration file.

Renewing SSL certificate with Let's Encrypt

Use the "certbot renew" command to renew SSL certificates obtained from Let's Encrypt. Every certificate certbot has obtained is checked, and any certificate whose renewal period falls within one month is renewed.

sudo certbot renew -q --no-self-upgrade --post-hook "systemctl reload apache2"

Note that after the SSL certificate is renewed, the post-hook reloads Apache with the systemctl command so that the new certificate is picked up. If the Apache configuration file is invalid, Apache will stop.

Automation of SSL certificate renewal with Let's Encrypt

Renewing the SSL certificate manually with Let's Encrypt is tedious, so set it up to renew automatically once a week.

Running it once a day is something I avoid: if the certbot command is wrong, it could issue a large number of SSL certificates, and you might then be unable to obtain an SSL certificate for a while. A lower frequency avoids that risk.

Once a month would also work, but I feel a slightly higher frequency makes it easier to notice when something has gone wrong.

So here it is set to renew once a week, at 9:00 on Monday.

Set root crontab

Set up the root crontab by opening it in an editor.

sudo crontab -e

When the crontab editor opens, add the following line.

0 9 * * 1 certbot renew -q --no-self-upgrade --post-hook "systemctl reload apache2"
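As an added example that is not part of the original article, the following pre-flight script checks the live certificate's remaining lifetime, rehearses renewal against the Let's Encrypt staging environment with --dry-run (which does not count toward the production issuance limit the note above warns about), and shows a post-hook that validates the Apache configuration before reloading, so a broken configuration file does not stop Apache during the unattended Monday run. It assumes GNU date, openssl and certbot are installed and uses the certificate directory from this page; LIVE_DIR, days_left, renewal_due, SAFE_POST_HOOK and preflight are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes GNU date, openssl,
# certbot, and the certificate directory created by the certbot run above.

LIVE_DIR=/etc/letsencrypt/live/www.mydomain.example
RENEW_THRESHOLD_DAYS=30   # certbot renews when fewer days than this remain

# days_left NOTAFTER [NOW_EPOCH]
# Converts an "openssl x509 -enddate" line (with or without the "notAfter="
# prefix) to whole days remaining from NOW_EPOCH (default: the current time).
# Prints a possibly negative integer.
days_left() {
    enddate=${1#notAfter=}
    now=${2:-$(date +%s)}
    end=$(date -d "$enddate" +%s) || return 1
    printf '%s\n' $(( (end - now) / 86400 ))
}

# renewal_due DAYS THRESHOLD: succeeds when a renewal run would act now.
renewal_due() {
    [ "$1" -lt "$2" ]
}

# Post-hook for the cron line: validate the Apache configuration first so a
# broken virtual host file does not stop Apache during an unattended reload.
SAFE_POST_HOOK='apachectl configtest && systemctl reload apache2'

# preflight: report expiry of the live certificate, then rehearse renewal
# against the staging environment. --dry-run obtains test certificates only
# and does not consume the production issuance limit.
preflight() {
    left=$(days_left "$(openssl x509 -enddate -noout -in "$LIVE_DIR/cert.pem")") || return 1
    echo "certificate expires in $left day(s)"
    if renewal_due "$left" "$RENEW_THRESHOLD_DAYS"; then
        echo "renewal is due: the next scheduled run will replace it"
    fi
    certbot renew --dry-run
    echo "dry run passed; post-hook to use in the cron line: $SAFE_POST_HOOK"
}

if [ "${1:-}" = run ]; then
    preflight
fi
```

Run it as root with the argument "run" after editing the crontab; when the dry run passes, replace the cron line's post-hook with the value of SAFE_POST_HOOK.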
