You’ve heard it’s important to get a certificate from Let’s Encrypt (LE). You spin up your Ubuntu 18.04 machine and follow the instructions at https://certbot.eff.org/.
You run the command:
certbot --apache -d domain.com
You are greeted with:
IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2019-02-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
 - Some rewrite rules copied from /etc/apache2/sites-enabled/domain.com.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/domain.com-le-ssl.conf because they have the potential to create redirection loops.
Yup, that’s pretty annoying: Unable to install the certificate. The good news is that the certificate and key themselves were issued and saved under /etc/letsencrypt/live/domain.com/; what’s missing is the Apache configuration that actually serves them.
I’m not 100% sure why this happens, but it could boil down to a permissions issue or an issue with the formatting of the virtual hosts file.
What I have found helpful is to use a vanilla vhost file for the plain-HTTP (port 80) site. Something like the following (the RewriteCond/RewriteRule pair is the HTTP-to-HTTPS redirect certbot itself writes; it needs mod_rewrite enabled, and as written it only redirects requests whose Host is exactly domain.com):

<VirtualHost *:80>
    ServerAdmin webmaster@domain.com
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /var/www/domain.com
    ErrorLog ${APACHE_LOG_DIR}/domain.com.error.log
    CustomLog ${APACHE_LOG_DIR}/domain.com.access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    <Directory /var/www/domain.com>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

One caveat on the Directory block: Options Indexes turns on directory listings for any folder without an index file, so drop Indexes unless you actually want visitors browsing your document root.
I then manually create the required LE conf file inside /etc/apache2/sites-available/. I title it appropriately, domain.com-le-ssl.conf. Inside the file I use the following:

<VirtualHost *:443>
    ServerAdmin webmaster@domain.com
    ServerName domain.com
    DocumentRoot /var/www/domain.com
    ErrorLog ${APACHE_LOG_DIR}/domain.com.error.log
    CustomLog ${APACHE_LOG_DIR}/domain.com.access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>
You’ll notice a few key changes. The port is 443 instead of 80, and the file includes certbot’s shared TLS settings (Include /etc/letsencrypt/options-ssl-apache.conf, which is a config snippet rather than an Apache module: it sets SSLEngine on together with the protocol and cipher options). mod_ssl itself still has to be enabled, or Apache will reject the SSL* directives as unknown.
You also point Apache at the PEM files certbot saved. Use fullchain.pem rather than cert.pem so clients receive the intermediate certificate as well, and note that privkey.pem lives under directories certbot keeps root-only; that is fine, because Apache reads the key as root at startup before dropping privileges.

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Once this is done, you have to create the symlink in /etc/apache2/sites-enabled. You normally do this with a2ensite, but you can also do it manually:
ln -sf /etc/apache2/sites-available/domain.com-le-ssl.conf /etc/apache2/sites-enabled/domain.com-le-ssl.conf
Once you have this symlink set up, reload and restart Apache (a reload is enough to pick up a new vhost, so I think the restart is overkill, but it makes me feel better). It is worth checking the configuration syntax first: a typo in the new vhost takes down every site Apache serves, not just this one.

systemctl reload apache2
systemctl restart apache2
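The whole procedure above, as an added shell script that is not part of the original post: it renders the domain.com-le-ssl.conf vhost for a given domain, refuses to enable it unless the three files it references actually exist (so Apache is never pointed at a missing key or chain), writes it to sites-available, symlinks it into sites-enabled, and only reloads after apache2ctl configtest passes. APACHE_DIR and LE_DIR are assumptions introduced here so the functions can be exercised against a scratch directory; on a real box the defaults are the paths from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Recreates the certbot "-le-ssl"
# vhost by hand and enables it safely. APACHE_DIR / LE_DIR are overridable
# (an assumption for testing); they default to the real Ubuntu 18.04 paths.
set -eu

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# Print the HTTPS vhost for DOMAIN, same layout as the post's
# domain.com-le-ssl.conf. ${APACHE_LOG_DIR} is escaped so Apache, not the
# shell, expands it.
render_le_ssl_vhost() {
    domain="$1"
    cat <<EOF
<VirtualHost *:443>
    ServerAdmin webmaster@${domain}
    ServerName ${domain}
    DocumentRoot /var/www/${domain}
    ErrorLog \${APACHE_LOG_DIR}/${domain}.error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}.access.log combined

    Include ${LE_DIR}/options-ssl-apache.conf
    SSLCertificateFile ${LE_DIR}/live/${domain}/fullchain.pem
    SSLCertificateKeyFile ${LE_DIR}/live/${domain}/privkey.pem
</VirtualHost>
EOF
}

# Succeed only if every file the vhost references is present and readable.
# Apache fails to start (taking every site with it) if any of them is missing.
check_le_files() {
    domain="$1"
    for f in "${LE_DIR}/options-ssl-apache.conf" \
             "${LE_DIR}/live/${domain}/fullchain.pem" \
             "${LE_DIR}/live/${domain}/privkey.pem"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
}

# Write the vhost into sites-available and symlink it into sites-enabled
# (what a2ensite would do), refusing to proceed if the cert files are absent.
install_le_ssl_vhost() {
    domain="$1"
    check_le_files "$domain" || return 1
    conf="${APACHE_DIR}/sites-available/${domain}-le-ssl.conf"
    render_le_ssl_vhost "$domain" > "$conf"
    ln -sf "$conf" "${APACHE_DIR}/sites-enabled/${domain}-le-ssl.conf"
}

# Reload only after the config parses; a broken vhost would otherwise be
# picked up by the reload and stop Apache serving anything.
reload_apache() {
    apache2ctl configtest && systemctl reload apache2
}

# Usage on a real system (as root):
#   install_le_ssl_vhost domain.com && reload_apache
```

Afterwards, confirm renewal works before the expiry date on the certificate approaches; certbot renew has a --dry-run flag for exactly that, and it exercises the same Apache configuration you just wrote.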
This should do the trick. If you’ve been testing in Chrome, be mindful of its cache: the R=permanent redirect is a 301, which Chrome caches, so it is best to confirm the result in another browser or a fresh private window that hasn’t cached anything.