After having changed all my certificates because of SHA-1 becoming deprecated, I thought I’d go one step further: I heard Google is thinking of lowering the rank of sites that are not available over HTTPS, and let’s face it I can’t expect my root CA to be accepted by browsers. Time to install Let’s Encrypt!
On Debian a simple
apt-get install certbot
is enough, maybe along with
python-certbot-apache if you
have a simple setup. In my case Apache is hidden behind
sslh (which sorts between HTTPS, ssh, xmpp and a few other
things) and Certbot’s Apache module uses randomly generated
SNI probes so that LetEncrypt’s server can check you
actually own domains. So I couldn’t use the Apache module
(which is a shame because it really is trivial to use).
sslh now supports regular expressions on
SNI probes, which allows to set up a redirection for Let’s
Encrypt’s checks to Apache. So you should now be able to use
the Apache module with
sslh. I keep using the Webroot
method because I have a vague feeling that it’s less
intrusive to the Web, but mostly because it works as it is.]
Instead I used the Webroot module which creates files in the Web space of each domain to let LetEncrypt’s server find its challengs. That’s actually still pretty easy:
certbot certonly --webroot -w /var/www/yr -d www.rutschle.net -d rutschle.net
And just repeat for each domain.
Certbot in Debian comes with a cron in
which should renew the certificates every few months, so
I’ll have to check this actually works. For one, I’m not
sure Apache will be restarted to pick up the changes (I
think it won’t).