How To Secure Apache with Let’s Encrypt on FreeBSD 12.0

The author selected the Free and Open Source Fund to receive a donation as part of the Write for DOnations program.

Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps.

In this tutorial, you will use Certbot to set up a TLS/SSL certificate from Let’s Encrypt on a FreeBSD 12.0 server running Apache as a web server. Additionally, you will automate the certificate renewal process using a cron job.

Prerequisites

Before you begin this guide you’ll need the following:

• A FreeBSD 12.0 server that you can set up as you wish using this guide on How To Get Started with FreeBSD.

• Apache installed by completing Step 1 of this FAMP stack tutorial.

• An enabled firewall by using the firewall configuration step in this tutorial instructions.

• Two DNS A Records that point your domain to the public IP address of your server. Our setup will use your-domain and www.your-domain as the domain names, both of which will require a valid DNS record. You can follow this introduction to DigitalOcean DNS for details on how to add the DNS records with the DigitalOcean platform. DNS A records are required because of how Let’s Encrypt validates that you own the domain for which it is issuing a certificate. For example, if you want to obtain a certificate for your-domain, that domain must resolve to your server for the validation process to work.

Once these prerequisites are fulfilled you can start installing Certbot, the tool that will allow you to install Let’s Encrypt certificates.

Step 1 — Installing the Certbot Tool for Let’s Encrypt

A Let’s Encrypt certificate ensures that users’ browsers can verify that the web server is secured by a trusted Certificate Authority. Communications with the web server are protected by encryption using HTTPS.

In this step you’ll install the Certbot tool for your web server to make a request to the Let’s Encrypt servers in order to issue a valid certificate and keys for your domain.

Run the following command to install the Certbot package and its Apache HTTP plugin:

sudo pkg install -y py36-certbot py36-certbot-apache

Now that you’ve installed the package, you can move on to enable TLS connections in the web server.

Step 2 — Enabling SSL/TLS connections in Apache HTTP

By default any install of Apache HTTP will be serving content on port 80 (HTTP). The Listen 80 entry in the main httpd.conf configuration file confirms this. In order to allow HTTPS connections, you’ll need the default port to be 443. To add port 443 and to establish SSL/TLS connections you’ll enable the mod_ssl module in Apache HTTP.

To find this module in the httpd.conf file, you’ll use grep with the -n flag to number the lines from the file in the specified path. Here you’ll find mod_ssl.so by running the following command:

grep -n 'mod_ssl.so' /usr/local/etc/apache24/httpd.conf

As output you’ll receive the number for the line you need:

148 #LoadModule ssl_module libexec/apache24/mod_ssl.so

To enable the module, you’ll remove the hashtag symbol at the beginning of the line.

Using the line number from the previous command open the file with the following:

sudo vi +148 /usr/local/etc/apache24/httpd.conf

This will take you directly to the correct line for editing.

Edit the line to look like the following by pressing x:

#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so

Once you’ve removed the #, press :wq and then ENTER to close the file.

You’ve enabled the SSL/TLS capabilities in Apache HTTP. In the next step you’ll configure the virtual hosts in Apache HTTP.

Step 3 — Enabling and Configuring Virtual Hosts

A virtual host is a method by which several websites can concurrently and independently live in the same server using the same Apache HTTP installation. Certbot requires this setup to place specific rules within the configuration file (virtual host) for the Let’s Encrypt certificates to work.

To begin, you’ll enable virtual hosts in Apache HTTP. Run the following command to locate the directive in the file:

grep -n 'vhosts' /usr/local/etc/apache24/httpd.conf

You’ll see the line number in your output:

Output
508  #Include etc/apache24/extra/httpd-vhosts.conf

Now use the following command to edit the file and remove # from the beginning of that line:

sudo vi +508 /usr/local/etc/apache24/httpd.conf

As before, hit x to delete # from the beginning of the line to look like the following:

...
# User home directories
#Include etc/apache24/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf

# Virtual hosts
Include etc/apache24/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf
...

Then press :wq and ENTER to save and quit the file.

Now that you’ve enabled virtual hosts in Apache HTTP you’ll modify the default virtual host configuration file to replace the example domains with your domain name.

You’ll now add a virtual host block to the httpd-vhosts.conf file. You’ll edit the file and remove the two existing VirtualHost blocks, after the comments block at line 23, with the following command:

sudo vi +23 /usr/local/etc/apache24/extra/httpd-vhosts.conf

After opening the file remove the two existing VirtualHost configuration blocks, then add the following block with this specific configuration:

    ServerAdmin your_email@your_domain.com
    DocumentRoot "/usr/local/www/apache24/data/your_domain.com"
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    ErrorLog "/var/log/your_domain.com-error_log"
    CustomLog "/var/log/your_domain.com-access_log" common

In this block you’re configuring the following:

• ServerAdmin: This is where the email from the person in charge of that particular site is placed.
• DocumentRoot: This directive defines where the files for the specific site will be placed and be read from.
• ServerName: This is for the domain name of the site.
• ServerAlias: Similar to ServerName but placing www. before the domain name.
• ErrorLog: This is where the error log path is declared. All error messages will be written in the file specified in this directive.
• CustomLog: Similar to ErrorLog but this time the file is the one collecting all the access logs.

Finally you’ll create the directory where the site will be placed. This path has to match the one you’ve declared in the DocumentRoot directive in the httpd-vhosts.conf file.

sudo mkdir /usr/local/www/apache24/data/your_domain.com

Now change the permissions of the directory so the Apache HTTP process (running as the www user) can work with it:

sudo chown -R www:www /usr/local/www/apache24/data/your_domain.com

You’ve used chown to change the ownership with the -R flag to make the action recursive. The user and group are set by the www:www.

You’ve enabled virtual hosts in Apache HTTP. You’ll now enable the rewrite module.

Step 4 — Enabling the Rewrite Module

Enabling the rewrite module within Apache HTTP is necessary to make URLs change, for example when redirecting from HTTP to HTTPS.

Use the following command to find the rewrite module:

grep -n 'rewrite' /usr/local/etc/apache24/httpd.conf

You’ll see output similar to:

Output
180  #LoadModule rewrite_module libexec/apache24/mod_rewrite.so

To enable the module you will now remove # from the beginning of the line:

sudo vi +180 /usr/local/etc/apache24/httpd.conf

Edit your file to look like the following by hitting x to delete # from the start of the line:

#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule php7_module        libexec/apache24/libphp7.so

# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf

Save and exit this file.

You’ve now finished setting up the necessary configurations in Apache.

Step 5 — Obtaining a Let’s Encrypt Certificate

Certbot provides a variety of ways to obtain SSL certificates through various plugins. The apache plugin will take care of reconfiguring Apache HTTP. To execute the interactive installation and obtain a certificate that covers only a single domain, run the following certbot command:

sudo certbot --apache -d your-domain -d www.your-domain

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command, tagging each new domain or subdomain with the -d flag. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For this reason, pass the base domain name first, followed by any additional subdomains or aliases.

If this is your first time running certbot on this server, the client will prompt you to enter an email address and agree to the Let’s Encrypt terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If the challenge is successful, Certbot will ask how you’d like to configure your HTTPS settings:

Output
. . .
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

You will also be able to choose between enabling both HTTP and HTTPS access or forcing all requests to redirect to HTTPS. For better security, it is recommended to choose the option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.

This will update the configuration and reload Apache HTTP to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
 /usr/local/etc/letsencrypt/live/example.com/fullchain.pem
 Your key file has been saved at:
 /usr/local/etc/letsencrypt/live/example.com/privkey.pem
 Your cert will expire on yyyy-mm-dd. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot
 again. To non-interactively renew *all* of your certificates, run
 "certbot renew"
- Your account credentials have been saved in your Certbot
 configuration directory at /usr/local/etc/letsencrypt. You should
 make a secure backup of this folder now. This configuration
 directory will also contain certificates and private keys obtained
 by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

Your certificates are now downloaded, installed, and configured. Try reloading your website using https:// and notice your browser’s security indicator. It’ll represent that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Certbot has made some important configuration changes. When it installs the certificates in your web server it has to place them in specific paths. If you now read the content in the httpd-vhosts.conf file you’ll observe a few changes made by the Certbot program.

For example in the section the redirect rules (if chosen) are placed at the bottom of it.

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.your_domain.com [OR]
RewriteCond %{SERVER_NAME} =your_domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Certbot has also created a file called httpd-vhosts-le-ssl.conf where the configuration for the certificates on Apache has been placed:

    ServerAdmin your_email@your_domain.com
    DocumentRoot "/usr/local/www/apache24/data/your_domain.com"
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    ErrorLog "/var/log/your_domain.com-error_log"
    CustomLog "/var/log/your_domain.com-access_log" common

Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /usr/local/etc/letsencrypt/live/your_domain.com/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/your_domain.com/privkey.pem

Note: If you would like to make changes to the use of cipher suites on sites with Let’s Encrypt certificates, you can do so in the /usr/local/etc/letsencrypt/options-ssl-apache.conf file.

Having obtained your Let’s Encrypt certificate, you can now move on to set up automatic renewals.

Step 6 — Configuring Automatic Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. Because of this, it is best practice to automate this process to periodically check and renew the certificate.

First, let’s examine the command that you will use to renew the certificate. The certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. By using the --dry-run option, you can run a simulation of this task to test how renew works:

sudo certbot renew --dry-run

A practical way to ensure your certificates will not get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day.

The official Certbot documentation recommends running cron twice per day. This will ensure that, in case Let’s Encrypt initiates a certificate revocation, there will be no more than half a day before Certbot renews your certificate.

Edit the crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:

sudo crontab -e

Place the following configuration in the file so that, twice a day, the system will look for renewable certificates and will renew them if they need to:

SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
# Order of crontab fields
# minute    hour    mday    month   wday    command
  0         0,12    *       *       *       /usr/local/bin/certbot renew

In the first two lines you are declaring the environment variables, hence where the executable paths are found and what shell they’re executing on. You then indicate the time frames you’re interested in and the command to execute.

With this short set of instructions you’ve configured the automatic renewal of certificates.

Conclusion

In this tutorial, you’ve installed the Let’s Encrypt client certbot, downloaded SSL certificates for a domain, configured Apache to use these certificates, and set up automatic certificate renewal. For further information see Certbot’s documentation.