After having changed all my certificates because of SHA-1 becoming deprecated, I thought I’d go one step further: I heard Google is thinking of lowering the rank of sites that are not available over HTTPS, and let’s face it, I can’t expect my root CA to be accepted by browsers. Time to install Let’s Encrypt!

On Debian a simple apt-get install certbot is enough, maybe along with python-certbot-apache if you have a simple setup. In my case Apache is hidden behind sslh (which sorts between HTTPS, ssh, xmpp and a few other things), and Certbot’s Apache module uses randomly generated SNI probes so that Let’s Encrypt’s server can check that you actually own the domains. So I couldn’t use the Apache module (which is a shame, because it really is trivial to use).

Instead I used the Webroot module, which creates files in the Web space of each domain so that Let’s Encrypt’s server can find its challenges. That’s actually still pretty easy:

certbot certonly --webroot -w /var/www/yr -d www.rutschle.net -d rutschle.net

And just repeat for each domain.

Certbot in Debian comes with a cron job in /etc/cron.d/certbot which should renew the certificates every few months, so I’ll have to check this actually works. For one, I’m not sure Apache will be restarted to pick up the changes (I think it won’t).
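One way to answer that question after a renewal, as an added check that is not part of the original post: compare the SHA-256 fingerprint of the leaf certificate Apache actually serves with the one certbot wrote to disk. It assumes certbot’s default /etc/letsencrypt/live/<domain>/fullchain.pem location, which the post does not mention; only the Python standard library is used.

```python
import base64
import hashlib
import socket
import ssl
import sys

DOMAIN = "www.rutschle.net"  # domain from the post
# Assumed certbot default layout; adjust if your certbot config differs.
LIVE_PATH = f"/etc/letsencrypt/live/{DOMAIN}/fullchain.pem"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM bundle (the leaf)."""
    body = []
    inside = False
    for line in pem.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            body.append(line.strip())
    return base64.b64decode("".join(body))


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_served_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the server presents for `host` (SNI is sent)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we only compare fingerprints, not validate
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def served_matches_disk(disk_pem: str, served_der: bytes) -> bool:
    """True when the served leaf is byte-for-byte the leaf on disk."""
    return fingerprint(pem_to_der(disk_pem)) == fingerprint(served_der)


if __name__ == "__main__":
    with open(LIVE_PATH) as f:
        ok = served_matches_disk(f.read(), fetch_served_der(DOMAIN))
    print("OK: Apache serves the renewed certificate" if ok
          else "MISMATCH: reload Apache to pick up the renewed certificate")
    sys.exit(0 if ok else 1)
```

Running it from the same cron schedule (after the renewal job) gives a non-zero exit status whenever the on-disk certificate and the served one drift apart.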