====== Letsencrypt ======

Debian 9

<code>
apt update
apt install certbot
</code>

Generate Strong Dh (Diffie-Hellman) Group
<code>
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
</code>

Obtaining a Let’s Encrypt SSL certificate
Webroot way
<code>
mkdir -p /var/lib/letsencrypt/.well-known
chgrp www-data /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
</code>

To avoid duplicates and to support multiple vhosts, create config files:
<code - /etc/apache2/conf-available/letsencrypt.conf>
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
</code>

<code - /etc/apache2/conf-available/ssl-params.conf>
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 
</code>

Enable mod_ssl and mod_headers in apache:
<code>
a2enmod ssl
a2enmod headers
</code>

Also enable http2 module
<code>
a2enmod http2
</code>

Enable SSL config
<code>
a2enconf letsencrypt
a2enconf ssl-params
</code>

Reload apache config
<code>
systemctl reload apache2
</code>

Now use certbot with the webroot plugin to obtain the Letsencrypt certificate files
<code>
certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
</code>

Adjust/create virtualhost file for the domain and enforce https, redirect www to non-www if desired:
<code - /etc/apache2/sites-available/example.com.conf>
<VirtualHost *:80> 
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  # Other Apache Configuration

</VirtualHost>
</code>

check configuration, then reload config
<code>
apachectl configtest
systemctl reload apache2
</code>


To auto-renew the cert:
<code - /etc/cron.d/certbot>
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
</code>

Test renewal process
<code>
certbot renew --dry-run
</code>


https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-debian-9/