4. Change to SSL

4.1. Intro

At some point you will want to move your webserver to SSL (TLS). This is how I did it.

4.2. Let's encrypt

The certificate-part is taken from https://www.pestmeester.nl/index.html#10.0 and adapted to my situation.

Certbot, the Let's Encrypt client, is not packaged in Raspbian, so we have to install it manually. (certbot-auto has since been retired by the Certbot project in favour of distribution packages and snap; the steps below reflect the 2017 situation.) First, install git:
sudo apt-get install git

Next, clone the Certbot repository. Note that /etc/letsencrypt is also the directory where certbot keeps its account keys, certificates and renewal configuration, so with this layout the source tree and the configuration end up in the same place.
sudo git clone https://github.com/certbot/certbot /etc/letsencrypt

Now we're going to get those certificates. I run a single domain on my server, ljm.name. The first time you apply for a certificate, you get an account. The next time you apply for new certificates, they are simply added to the same account.

For my domain I got 1 certificate: ljm.name
sudo /etc/letsencrypt/certbot-auto certonly --agree-tos --webroot -w /links/www -d ljm.name

Follow the instructions; the first time you also create the account (enter a contact e-mail address and agree to the terms of service). There is no password: the account is identified by a key pair that certbot generates and stores under /etc/letsencrypt/accounts. The directory given with -w must be the one Apache serves for http://ljm.name/ on port 80, because Let's Encrypt validates the domain by fetching a file from /.well-known/acme-challenge/ there.

After successful validation and installation you should see the message:
Congratulations! Your certificate and chain have been
saved at /etc/letsencrypt/live/mysite.com/fullchain.pem.
Your cert will expire on 2017-05-09.
To obtain a new or tweaked version of this certificate in
the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates,
run "certbot-auto renew"

Create a cronjob to automate certificate renewal:
sudo crontab -e
0 6 * * * /etc/letsencrypt/certbot-auto renew --text >> /etc/letsencrypt/certbot/certbot-cron.log

This cron job runs daily, but certbot only renews a certificate when it is less than 30 days from expiry (Let's Encrypt certificates are valid for 90 days). Renewing the files on disk does not make Apache use them, though: Apache keeps serving the old certificate until it is reloaded. Add --post-hook "service apache2 reload" to the certbot-auto renew command so the reload happens automatically whenever a renewal was attempted.
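As an added example (not code from the original page), a renewal wrapper for the cron job above that reloads Apache only when certbot actually attempted a renewal, plus a small check that reports how many days are left on the certificate a server is really serving, which is how you notice a renewal that Apache never picked up. It assumes certbot-auto at /etc/letsencrypt/certbot-auto as installed above, a Debian-style "service apache2 reload", GNU date for parsing the notAfter string, and a log path of its own choosing.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumptions: certbot-auto lives at /etc/letsencrypt/certbot-auto (as cloned
# above), Apache is reloaded with "service apache2 reload" (Debian/Raspbian),
# and "date -d" is GNU date.

CERTBOT=${CERTBOT:-/etc/letsencrypt/certbot-auto}
LOG=${LOG:-/var/log/letsencrypt-renew.log}   # assumed log location

# Whole days between a notAfter string as printed by "openssl x509 -enddate"
# (e.g. "May  9 12:00:00 2017 GMT") and a reference time in epoch seconds.
# Relies on GNU date -d; BSD or busybox date need a different parser.
days_left() {
    enddate=$1
    now=${2:-$(date -u +%s)}
    exp=$(date -ud "$enddate" +%s)
    echo $(( (exp - now) / 86400 ))
}

# certbot only renews in the last 30 days of the 90-day lifetime; mirror
# that rule so a monitoring check agrees with what the cron job will do.
renew_due() {
    [ "$(days_left "$1" "${2:-}")" -lt 30 ]
}

# Expiry of the certificate the live server sends, not the file on disk.
# After a renewal that Apache never reloaded the two differ.
served_enddate() {
    host=$1
    echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2
}

# What the cron entry should run: renew what is due, and reload Apache only
# when certbot actually attempted a renewal (that is what --post-hook does
# under "renew"), so the new chain is loaded without a reload on every run.
renew_all() {
    "$CERTBOT" renew --text --post-hook "service apache2 reload" >> "$LOG" 2>&1
}

# Suggested cron line (assumes this file is saved as /usr/local/sbin/renew-certs.sh):
#   0 6 * * * /usr/local/sbin/renew-certs.sh run
if [ "${1:-}" = run ]; then
    renew_all
fi
```

Run `days_left "$(served_enddate ljm.name)"` after a renewal: if it still reports the old expiry, the files were renewed but Apache was not reloaded.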

4.3. Apache

Apache has always been a PITA to configure, and enabling SSL is no exception to that. First, under /etc/apache2/sites-available create a copy of default-ssl and name it ssl.

In ssl I set the following:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /room/sda1/www/html
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        # This block must name the DocumentRoot, otherwise its access rules
        # do not apply to the files that are actually served
        <Directory /room/sda1/www/html/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        SSLEngine on
        # cert.pem is the leaf certificate, chain.pem the intermediate(s);
        # fullchain.pem is both together and does not belong in the ChainFile
        SSLCertificateFile    /etc/letsencrypt/live/ljm.name/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ljm.name/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/ljm.name/chain.pem
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

Two things to watch in this file. Certbot writes cert.pem (the leaf), chain.pem (the intermediate) and fullchain.pem (leaf plus intermediate). SSLCertificateChainFile wants only the intermediate, so chain.pem goes there; giving it fullchain.pem sends the leaf twice. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated and fullchain.pem goes into SSLCertificateFile instead. Second, the copied default-ssl still has <Directory /var/www/> while the DocumentRoot is elsewhere, so that block's access rules would not apply to anything being served; point it at the DocumentRoot. Options Indexes turns on directory listings; leave it out unless you want them.

Make a symlink to it in /etc/apache2/sites-enabled (sudo a2ensite ssl does exactly that), reload Apache and ...

netstat -an does not show port 443 as LISTEN. No log records to help, and starting in debug mode gives no additional information, just nothing. So,...

First thing is to enable the Apache ssl module. The fact that this module is a standard part of the distribution, and that Apache recommends using SSL, doesn't mean that the module is enabled by default. Sigh..
sudo a2enmod ssl

reload Apache and ...

Remove 000-default, reload Apache and suddenly it starts working. However, now my http site is gone. sudo ln -s ../sites-available/default http (from within /etc/apache2/sites-enabled) solves that problem. Apparently removing 000-default made the difference here, although every file in sites-enabled is included and a default site does not by itself stop another site from being enabled. apache2ctl -S lists the virtual hosts Apache actually loaded and the ports they are bound to, and apache2ctl configtest reports configuration errors, so run those before reloading rather than guessing.
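A set of checks for the end state of this section, added here as an example and not taken from the original page: it verifies that mod_ssl is loaded and something listens on 443, that the three files in certbot's live directory are consistent with each other (which catches the fullchain-in-SSLCertificateChainFile mix-up discussed above), and which chain the server actually sends. The live directory path, the Debian-style apache2ctl, and the fixture generator that fabricates placeholder PEM files for the offline self-test are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumptions: Debian-style apache2ctl, certbot's live directory layout
# (/etc/letsencrypt/live/<domain>/{cert,chain,fullchain,privkey}.pem).

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/ljm.name}   # assumed path

# Number of PEM certificate blocks in a file (0 when the file is missing).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# certbot writes cert.pem = leaf, chain.pem = intermediate(s),
# fullchain.pem = leaf + chain. Returns 0 when the counts add up, 1 otherwise.
# A directory that fails this check is not the one Apache should point at.
check_live_dir() {
    dir=$1
    leaf=$(pem_cert_count "$dir/cert.pem")
    inter=$(pem_cert_count "$dir/chain.pem")
    full=$(pem_cert_count "$dir/fullchain.pem")
    [ "$leaf" -eq 1 ] && [ "$inter" -ge 1 ] && [ "$full" -eq $((leaf + inter)) ]
}

# Live checks; these need a running Apache and are not part of the self-test.
check_apache() {
    apache2ctl -M 2>/dev/null | grep -q ssl_module \
        || { echo "mod_ssl is not loaded: run a2enmod ssl"; return 1; }
    apache2ctl configtest                      # syntax errors in sites-enabled
    apache2ctl -S                              # which vhost is bound to *:443
    { command -v ss >/dev/null && ss -ltn || netstat -ltn; } | grep -q ':443 ' \
        || { echo "nothing is listening on 443"; return 1; }
}

# Fetch what the server really sends. One certificate means the intermediate
# is missing; "Verify return code: 0 (ok)" means the chain validates against
# the system CA store.
check_served_chain() {
    host=$1
    out=$(echo | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>/dev/null)
    echo "certificates sent by $host: $(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE')"
    printf '%s\n' "$out" | grep 'Verify return code'
}

# Constructed fixture for the offline self-test: placeholder files carrying
# only the PEM marker lines, NOT real certificates. $1 = blocks in chain.pem,
# $2 = blocks in fullchain.pem; cert.pem always gets one. Prints the directory.
fake_pem() {
    : > "$1"; i=0
    while [ "$i" -lt "$2" ]; do
        printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER (constructed, not a certificate)\n-----END CERTIFICATE-----\n' >> "$1"
        i=$((i + 1))
    done
}
make_fake_live_dir() {
    d=$(mktemp -d)
    fake_pem "$d/cert.pem" 1
    fake_pem "$d/chain.pem" "$1"
    fake_pem "$d/fullchain.pem" "$2"
    echo "$d"
}

if [ "${1:-}" = run ]; then
    check_live_dir "$LIVE_DIR" && echo "live dir consistent" || echo "live dir inconsistent"
    check_apache && check_served_chain ljm.name
fi
```

On the author's original configuration the counts are fine (certbot wrote the files correctly); the mistake was which file the vhost referenced, which is why check_served_chain is the one that tells you whether clients will see a complete chain.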