A Letsencrypt example

An example based on an Apache server running Ubuntu 18.04.

For Name-based virtual hosting

With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.

Configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames.

One way to implement SSL (TLS) certificates for name-based virtual hosting is to use what is sometimes called a multi-domain SAN (subject alternative name) certificate.

Example explanation of SAN certificates:
https://www.digicert.com/subject-alternative-name.htm

You request multiple domains for the same certificate. Example:

certbot -d site1.com -d site2.com -d site3.com -d site4.com -d site5.com -d site6.com …..

The following example shows a way to request one certificate per domain ‘set’, which should make revoking and tracking certificates easier.

An example of name-based virtual hosting domains

Our example is based on DNS entries where there are 2 DNS records for each “domain”:

the www version and the non-www version.

Example of a ‘set’ of www and non-www domains:

pbacloudb2019.com
www.pbacloudb2019.com

An example of domain ‘sets’ pointing to the same IP address:

a)
pbacloudb2019.com
www.pbacloudb2019.com

b)
pbacloudb2019-doctortest.com
www.pbacloudb2019-doctortest.com

c)
pbaclouda2019.com
www.pbaclouda2019.com

d)
pbaclouda2019-doctortest.com
www.pbaclouda2019-doctortest.com

Question: how many domains have you created SSL certificates for and pointed at the same IP address?

Plan for up to 600 sites pointing to the same IP.
The current setup also supports A records pointing to the same IP for both the www version and the non-www version.

The following examples are for folks with shell access and root or sudo access, and are for Apache 2.4 on Ubuntu 18.04.

Letsencrypt

Install certbot on your server and then

1) create an account

Example

certbot register -m youj@protonmail.com,another@domain.org --agree-tos

Notes on creating an account

manage your account with Let’s Encrypt:
register        Create a Let’s Encrypt ACME account
unregister      Deactivate a Let’s Encrypt ACME account
update_account  Update a Let’s Encrypt ACME account
--agree-tos      Agree to the ACME server’s Subscriber Agreement
-m EMAIL         Email address for important account notifications

Letsencrypt id

Our CPS and Subscriber Agreement indicate that the Subscriber is whoever holds the private key for a certificate. For hosting providers, that’s the provider, not the provider’s customer. If you’re writing software that people deploy themselves, that’s whoever is deploying the software.

- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.

2) Back up letsencrypt

Once you create an account, set something up that makes a secure backup of everything under

/etc/letsencrypt every time you issue certbot or any other certificate-managing command.
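An added example for step 2, not from the original post: a small POSIX sh script that makes a timestamped tar.gz of /etc/letsencrypt readable only by its owner (the archive holds private keys) and keeps the live/ symlinks as symlinks, which certbot relies on when it renews. The destination directory /var/backups/letsencrypt and running it as root after each certbot command are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Backs up the certbot directory
# (default /etc/letsencrypt) into an owner-only tar.gz under a destination
# directory (default /var/backups/letsencrypt, an assumed path). Run as root.

# backup_letsencrypt [SRC_DIR] [DEST_DIR]; prints the archive path on success.
backup_letsencrypt() {
    src="${1:-/etc/letsencrypt}"
    dest_dir="${2:-/var/backups/letsencrypt}"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="${dest_dir}/letsencrypt-${stamp}.tar.gz"

    if [ ! -d "$src" ]; then
        echo "backup_letsencrypt: no such directory: $src" >&2
        return 1
    fi

    # The archive holds private keys, so restrict it to the owner (mode 600).
    # umask is set in a subshell so the caller's umask is left untouched.
    # tar without -h stores live/*.pem as symlinks into archive/, which is
    # what certbot expects on restore; -C stores paths relative to the parent.
    (
        umask 077
        mkdir -p "$dest_dir"
        tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    ) || return 1

    echo "$archive"
}

# verify_backup ARCHIVE: succeed only if the archive lists a live/ entry,
# i.e. it captured the certificate tree rather than an empty directory.
verify_backup() {
    tar -tzf "$1" | grep -q '/live/'
}

# Usage on the live system (as root), e.g. right after each certbot run:
#   a=$(backup_letsencrypt) && verify_backup "$a" && echo "backup ok: $a"
```

Restore with tar into the parent of /etc so that live/ is recreated as symlinks into archive/; if a restore tool dereferences them, certbot will refuse to renew those lineages.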

3) Create One Virtual Host config file per certificate (port 80).

Create a virtual hosts file for a ‘set’ of www and non-www domains

A) in directory /etc/apache2/sites-enabled/

Create a vhost file for each ‘set’

(Take the default file in the directory and rename it for whatever naming convention you want for your certificates. I am using the non-www version of the domain for the name of the conf file; when I request the certificate, the first domain I pass in will be the non-www version. The certificate directory and the virtual hosts file then share something in common.)

Virtual Host file

/etc/apache2/sites-enabled/pbacloudb2019.com.conf

Certificate file
Certificate Path: /etc/letsencrypt/live/pbacloudb2019.com/fullchain.pem

Example file names

/etc/apache2/sites-enabled/pbaclouda2019.com.conf
/etc/apache2/sites-enabled/pbaclouda2019-doctortest.com.conf
/etc/apache2/sites-enabled/pbacloudb2019.com.conf
/etc/apache2/sites-enabled/pbacloudb2019-doctortest.com.conf

Important entries that differ from the default:

add
ServerName pbaclouda2019.com
ServerAlias www.pbaclouda2019.com

I shut down the Apache server when I place the virtual hosts file in the /etc/apache2/sites-enabled directory. Then I start Apache again so that it recognizes the new virtual hosts. You keep the Apache server running while you are requesting certificates.

4) Request Certificates, one per virtual host file

a) certbot will edit the Apache configuration, so back it up

I just back up the *.conf files from /etc/apache2/

b) stop the Apache (or other web) server

c) try a --dry-run

This checks whether everything is in order before requesting the certificate.

certbot certonly --apache --dry-run -d pbaclouda2019.com -d www.pbaclouda2019.com

d) request the certificate

certbot --apache -d pbaclouda2019.com -d www.pbaclouda2019.com
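The following is an added example that ties steps 3 and 4 together; it is not code from the original post. It writes one port-80 vhost file per www/non-www ‘set’ (named after the non-www domain, as the post recommends), refuses to overwrite an existing file or accept a URL instead of a bare hostname, runs apachectl configtest before reloading, and then does the --dry-run followed by the real request for each set. Assumptions: Apache 2.4 on Ubuntu 18.04 with certbot and its apache plugin installed, /var/www/<domain> as the document root, and that the script is run as root with RUN=1 (without it only the functions are defined, so it can be sourced and tested safely).

```shell
#!/bin/sh
# Added example, not from the original post: one Apache vhost file and one
# certbot run per www/non-www domain "set". Assumes Apache 2.4 on Ubuntu
# 18.04, certbot with the apache plugin, and DNS A records for both names
# already pointing at this server. Paths below are assumptions.

SITES_DIR="${SITES_DIR:-/etc/apache2/sites-enabled}"
DOCROOT_BASE="${DOCROOT_BASE:-/var/www}"

# make_vhost DOMAIN: print the port-80 vhost text for one set. The non-www
# name is the ServerName and, because it is passed to certbot first, also
# becomes the certificate name under /etc/letsencrypt/live/<name>/.
make_vhost() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot ${DOCROOT_BASE}/${domain}
    ErrorLog \${APACHE_LOG_DIR}/${domain}-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-access.log combined
</VirtualHost>
EOF
}

# write_vhost DOMAIN: write <SITES_DIR>/<domain>.conf and print its path.
# Rejects anything that is not a bare hostname (a common slip is pasting
# "http://www.example.com") and never clobbers an existing file.
write_vhost() {
    domain="$1"
    case "$domain" in
        ""|*://*|*/*)
            echo "write_vhost: pass a bare hostname such as example.com" >&2
            return 1 ;;
    esac
    conf="${SITES_DIR}/${domain}.conf"
    if [ -e "$conf" ]; then
        echo "write_vhost: refusing to overwrite ${conf}" >&2
        return 1
    fi
    make_vhost "$domain" > "$conf"
    echo "$conf"
}

# Reload Apache only if the new vhost parses; configtest exits non-zero
# on a syntax error, so a bad file never takes the server down.
check_and_reload() {
    apachectl configtest && systemctl reload apache2
}

# request_cert DOMAIN: dry run first, then the real request, with the
# non-www name first so the lineage is named after it.
request_cert() {
    domain="$1"
    certbot certonly --apache --dry-run -d "$domain" -d "www.${domain}" || return 1
    certbot --apache -d "$domain" -d "www.${domain}"
}

# Touches the live system only when RUN=1, e.g.
#   sudo RUN=1 sh vhost-certs.sh pbacloudb2019.com pbacloudb2019-doctortest.com
if [ "${RUN:-0}" = "1" ]; then
    for d in "$@"; do
        write_vhost "$d" || exit 1
    done
    check_and_reload || exit 1
    for d in "$@"; do
        request_cert "$d" || exit 1
    done
fi
```

Keeping Apache running during the certbot step is what the --apache plugin needs: it serves the http-01 challenge through the vhost you just created and then adds the SSL directives to the configuration. Back up /etc/apache2/*.conf and /etc/letsencrypt before running it, as steps 2 and 4a say.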

5) First-time considerations

It will ask you:

: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

6) Example files after requesting a certificate

You should see the following in your Apache virtual host file.

A) A virtual host file like /etc/apache2/sites-enabled/pbacloudb2019.com.conf

In our example it should have the following entries:

ServerName pbaclouda2019.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias pbaclouda2019.com
ServerAlias www.pbaclouda2019.com

SSLCertificateFile /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem

b) Issue the command: certbot certificates

For the certificate pbaclouda2019.com you should see the same domains and the same certificate and private key paths that the virtual host file references:

ServerName pbaclouda2019.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias pbaclouda2019.com
ServerAlias www.pbaclouda2019.com
SSLCertificateFile /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem

7) Getting help in the forums

https://community.letsencrypt.org/

Notes

SNI (Server Name Indication) is a TLS feature supported by the web server that allows multiple certificates per IP address.

The http-01 challenge is an easy file-based way certbot uses to identify and authenticate your server.

If the system can write files to the server you are managing for the domain you are requesting, things are good to go. Note there is a thing called ‘rate limiting’: you can only request 100 certificates per day.

Helpful Links and Commands

dig is a linux command line utility that shows DNS information

dig -h

Show the A records for a domain:
dig www.pbacloudb2019-doctortest.com +short
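An added example, not from the original post: a pre-flight check to run before step 4, since the http-01 challenge only succeeds when the name being requested actually reaches the Apache server certbot is talking to. It uses dig +short as above; the DIG variable is an assumption that lets a test harness substitute a fake resolver, and 203.0.113.10 is a constructed documentation address (RFC 5737), not the post’s server.

```shell
#!/bin/sh
# Added example, not from the original post. Before requesting a certificate
# for a www/non-www set, confirm that both names resolve to this server's
# address. DIG is overridable so the check can be exercised without DNS.

DIG="${DIG:-dig}"

# a_records NAME: print the A records for NAME, one per line (empty if none).
# Note: dig +short also prints intermediate CNAME targets, so a name that is
# a CNAME will be flagged by check_set_dns; that is intentional here.
a_records() {
    "$DIG" "$1" A +short
}

# check_set_dns DOMAIN EXPECTED_IP: succeed only if DOMAIN and www.DOMAIN
# each have at least one A record and every record equals EXPECTED_IP.
check_set_dns() {
    domain="$1"
    expect="$2"
    for name in "$domain" "www.${domain}"; do
        records=$(a_records "$name")
        if [ -z "$records" ]; then
            echo "$name: no A record" >&2
            return 1
        fi
        for ip in $records; do
            if [ "$ip" != "$expect" ]; then
                echo "$name: A record $ip does not match $expect" >&2
                return 1
            fi
        done
    done
    echo "$domain and www.${domain} both resolve to $expect"
}

# Usage on the live system, e.g. with this host's public address:
#   check_set_dns pbacloudb2019.com 203.0.113.10 && certbot --apache \
#       -d pbacloudb2019.com -d www.pbacloudb2019.com
```

Running this for each set before certbot avoids burning a failed attempt against the rate limits mentioned above on a set whose www record was never created.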

A site with a lot of options for checking SSL and DNS information:

https://check-your-website.server-daten.de

Show my certificates: certbot certificates

The maximum number of sites per certificate is 100 (fewer is better).

The number of URLs has to be less than the maximum: urls_per_cert (100 max, can be as low as 25).

Is there a maximum number of certificates per IP address?

Do you know of any SNI constraints and requirements?

Theoretical max:
certs_per_ip x urls_per_cert
