Site icon Learning & Doing

Cara Install Let’s Encrypt dengan Apache di Ubuntu 20.04 / Debian 11 / Linux Mint

Encrypt

“Cara Install Let’s Encrypt dengan Apache di Ubuntu 20.04 / Debian 11 / Linux Mint”

Pendahuluan

Let’s Encrypt adalah otoritas sertifikat yang dibuat oleh Internet Security Research Group (ISRG). Ini menyediakan sertifikat SSL gratis melalui proses otomatis yang dirancang untuk menghilangkan pembuatan sertifikat manual, validasi, instalasi, dan pembaruan.

Sertifikat yang dikeluarkan oleh Let’s Encrypt berlaku selama 90 hari sejak tanggal penerbitan dan dipercaya oleh semua browser utama saat ini.

Persyaratan

Install Certbot

sudo apt update
sudo apt install certbot

Generate SSL

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Konfigurasi Let’s Encrypt SSL certificate

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
nano /etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
nano /etc/apache2/conf-available/ssl-params.conf
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 

Header always set Strict-Transport-Security "max-age=63072000"
sudo a2enmod ssl
sudo a2enmod headers
sudo a2enconf letsencrypt
sudo a2enconf ssl-params
sudo a2enmod http2
sudo systemctl reload apache2
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80> 
  ServerName example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  # Other Apache Configuration

</VirtualHost>
sudo systemctl reload apache2

Test SSL

Kamu bisa cek ssl domain mu dari web tools https://www.ssllabs.com/ssltest/

Auto-renewing Let’s Encrypt SSL certificate

nano /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
sudo certbot renew --dry-run

Penutup

Sahabat Blog Learning & Doing demikianlah penjelasan mengenai Cara Install Let’s Encrypt dengan Apache di Ubuntu 20.04 / Debian 11 / Linux Mint. Semoga Bermanfaat . Sampai ketemu lagi di postingan berikut nya.

Exit mobile version