Cara Install Let’s Encrypt dengan Apache di Ubuntu 20.04 / Debian 11 / Linux Mint

admin

2 years ago

“Cara Install Let’s Encrypt dengan Apache di Ubuntu 20.04 / Debian 11 / Linux Mint”

Daftar Isi

Toggle

Pendahuluan

Let’s Encrypt adalah otoritas sertifikat yang dibuat oleh Internet Security Research Group (ISRG). Ini menyediakan sertifikat SSL gratis melalui proses otomatis yang dirancang untuk menghilangkan pembuatan sertifikat manual, validasi, instalasi, dan pembaruan.

Sertifikat yang dikeluarkan oleh Let’s Encrypt berlaku selama 90 hari sejak tanggal penerbitan dan dipercaya oleh semua browser utama saat ini.

Persyaratan

Memiliki akses root ke server
Siapkan domain dan sudah di pointing ke IP server.
Sudah menginstall apache -> Cara Install Apache Web Server Pada Ubuntu 20.04 / Debian 11

Install Certbot

sudo apt update
sudo apt install certbot

Generate SSL

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Konfigurasi Let’s Encrypt SSL certificate

Buat direktori baru

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

Buat file config

nano /etc/apache2/conf-available/letsencrypt.conf

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

nano /etc/apache2/conf-available/ssl-params.conf

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 

Header always set Strict-Transport-Security "max-age=63072000"

Enable module

sudo a2enmod ssl
sudo a2enmod headers

Enable SSL config

sudo a2enconf letsencrypt
sudo a2enconf ssl-params

Enable http modul

sudo a2enmod http2

Restart apache service

sudo systemctl reload apache2

jalankan cerboot untuk membuat SSL pada domain

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Edit Virtualhost

nano /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80> 
  ServerName example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  # Other Apache Configuration

</VirtualHost>

Reload service

sudo systemctl reload apache2

Test SSL

Kamu bisa cek ssl domain mu dari web tools https://www.ssllabs.com/ssltest/

Auto-renewing Let’s Encrypt SSL certificate

buat file

nano /etc/cron.d/certbot

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"

test renewal

sudo certbot renew --dry-run

Penutup

Sahabat Blog Learning & Doing demikianlah penjelasan mengenai Cara Install Let’s Encrypt dengan Apache di Ubuntu 20.04 / Debian 11 / Linux Mint. Semoga Bermanfaat . Sampai ketemu lagi di postingan berikut nya.