Setting up Let’s Encrypt on DreamCompute with Apache

What is Let’s Encrypt?

Let’s Encrypt is a new certificate authority that provides free SSL/TLS certificates, with the goal of getting the Internet to 100% HTTPS.

DreamHost has integrated Let’s Encrypt support into its panel for hosted services, but if you want to set up automatically-renewing certificates for domains you host on a DreamCompute instance, you’ll need to do a little bit of manual installation. But the good news is, it doesn’t take long, and once you finish the setup, you should never have to worry about renewing a certificate ever again!

Get the code

Start by logging into your DreamCompute instance. It shouldn’t matter too much which distribution of Linux you’re running, but make sure you have the git package installed so that you can clone the certbot repository (certbot is the Let’s Encrypt client), like so:

# sudo -s
# cd /opt
# git clone https://github.com/certbot/certbot

Get your first certificate

Before you do this, make sure that your domain actually points at your DreamCompute instance’s IP address and that your webserver is configured to respond to requests for your domain name. This is required because Let’s Encrypt checks that you control the domain names you request certificates for. If you have not already done this, view the article below for assistance:

You must also make sure that you have Apache already configured properly to respond to requests for example.com.

Once your site is configured and serving the default Apache page, proceed with installing the Apache plugin for certbot-auto like so:

# /opt/certbot/certbot-auto --apache -d example.com

This will prompt you for some information including your email address. The last question you're asked is if you want to redirect all traffic to the https version of your site's URL. It's highly recommended that you choose to do this. Type the number '2' to choose this option. For example:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/example.com.conf to ssl vhost in /etc/apache2/sites-available/example.com-le-ssl.conf

This will finalize your new certificate. You shouldn’t even need to restart your webserver or modify a configuration file as the Apache plugin for certbot-auto was designed to handle this for you.

Adding a subdomain to an existing certificate

If after running that script you realize that you also need a certificate for a related subdomain, you can run the certbot-auto command again with additional parameters.

# /opt/certbot/certbot-auto --apache -d example.com -d sub.example.com

Automatic renewal

You can have your system automatically renew all of the certificates for you using a small shell script which looks like this:

#!/bin/bash

/opt/certbot/certbot-auto renew

If you save that script in the /usr/local/bin directory as something like 'update_certs' and make it executable, you can schedule the script to run once a week with cron like so:

30 0 * * 0 /usr/local/bin/update_certs

Now, your system attempts to renew all of your certificates once a week. If there are no certificates in danger of expiring soon, nothing bad happens. But if any would have otherwise expired, then they get renewed automatically.
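
To confirm that the weekly job really is keeping certificates fresh, you can check how long each one has left. The script below is an added example, not part of the original article or of certbot. It assumes certbot’s default /etc/letsencrypt/live layout, the openssl command-line tool and a 21-day threshold, and the function names and the --check/--demo options are hypothetical:

```shell
#!/bin/bash
# Added example: flag certificates that the weekly renewal job has not refreshed.
# Assumptions: certbot's default layout (/etc/letsencrypt/live/<name>/cert.pem),
# a 21-day alert threshold, and the openssl command-line tool.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
MIN_DAYS="${MIN_DAYS:-21}"

# cert_ok FILE DAYS: 0 = still valid DAYS from now, 1 = expires sooner,
# 2 = missing or not a parseable certificate.
cert_ok() {
    [ -r "$1" ] || return 2
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# check_live_dir DIR DAYS: prints one line per certificate and returns the
# number of certificates that are expiring or unreadable (0 = all healthy).
check_live_dir() {
    local bad=0 cert rc
    for cert in "$1"/*/cert.pem; do
        [ -e "$cert" ] || continue            # glob matched nothing
        rc=0; cert_ok "$cert" "$2" || rc=$?
        case "$rc" in
            0) echo "OK         $cert" ;;
            1) echo "EXPIRING   $cert (under $2 days left)"; bad=$((bad + 1)) ;;
            *) echo "UNREADABLE $cert"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# make_sample_cert DIR NAME DAYS: constructed self-signed certificate used
# only to exercise the check; it is not issued by Let's Encrypt.
make_sample_cert() {
    mkdir -p "$1/$2"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days "$3" \
        -keyout "$1/$2/privkey.pem" -out "$1/$2/cert.pem" >/dev/null 2>&1
}

case "${1:-}" in
    --check) check_live_dir "$LIVE_DIR" "$MIN_DAYS" ;;   # e.g. daily from cron
    --demo)  demo=$(mktemp -d)
             make_sample_cert "$demo" fresh.example 90
             make_sample_cert "$demo" stale.example 5
             check_live_dir "$demo" "$MIN_DAYS"; rm -rf "$demo" ;;
esac
```

Run with --check as root, the exit status is the number of certificates needing attention, so cron or a monitoring agent can alert on a non-zero result. By default certbot only renews certificates with fewer than 30 days left, so anything reported as under 21 days means renewals have been failing.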
