Install/Update LetsEncrypt certificates (no-root, apache2, debian)

It seems that the certbot, the recommended script to install and update the LetsEncrypt certificates requires root permissions. Well, I found several tutorials and forums where people claimed that they ran it without root permissions but they all said they needed root permissions to do something else for certbot to work and then I ran this simple command:

$ ./certbot-auto --help
Requesting to rerun ./certbot-auto with root privileges...
[sudo] password for eleni:

and decided to give up and search for an alternative method. 🙂

So, here’s what I finally did (Disclaimer: I am not really into security or system administration so, I don’t know if this method is the best or the most secure out there but I’ve found it quite simple and I liked that it doesn’t require weird package installations, root permissions, systemd or any other “easy”, “automated” params that create paths and files everywhere. At the end you will end up with only one directory where you can find your certificates and copy them where you like.):

Step 1: downloaded the acme.sh

I cloned the acme.sh script from github:

git clone https://github.com/Neilpang/acme.sh.git

Step 2: issued the certificates

I issued my certificates using the acme.sh script:

cd acme.sh/
./acme.sh --issue -d <domain> -w <path>
  • <domain> is the domain name for the site (for example for this site it could be eleni.mutantstargoat.com if I wanted to use the certificates on my vhost or mutantstargoat.com if I wanted to use it everywhere)
  • <path> is the path to the site content (it could be ~/public_html for example)

Then the acme.sh script created a directory ~/.acme.sh/ with the following contents:

.
├── account.conf
├── ca
│   └── acme-v01.api.letsencrypt.org
│   ├── account.json
│   ├── account.key
│   └── ca.conf
├── <your_site_domain>
│   ├── ca.cer
│   ├── <domain>.cer
│   ├── <domain>.conf
│   ├── <domain>.csr
│   ├── <domain>.csr.conf
│   ├── <domain>.key
│   └── fullchain.cer
└── http.header

Step 2: certificates installation

I’ve created a certificates/ directory in my home folder and ran the following command to install the certificates in ~/certificates/:

$ ./acme.sh --install-cert -d <domain> --cert-file ~/certificates/cert.pem --key-file ~/certificates/key.pem --fullchain-file ~/certificates/fullchain.pem

I ended up having these 3 files:

certificates/
├── cert.pem
├── fullchain.pem
└── key.pem

Step 4: apache configuration

The Apache webserver has a sites-enabled/website file in /etc/apache2 where I had a VirtualHost configuration similar to this one:

<VirtualHost *:80>
  ServerAdmin me@domain
  DocumentRoot /home/user/public_html
  ServerName domain
  [...]

I enabled ssl and the mod_headers (the command must have been something like: a2enmod mod_ssl mod_headers) and I added a second virtualhost for 443:

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /etc/apache2/certificates/cert.pem
  SSLCertificateKeyFile /etc/apache2/certificates/key.pem
  SSLCertificateChainFile /etc/apache2/certificates/fullchain.pem
  # HSTS (mod_headers is required) (15768000 seconds = 6 months)
  Header always set Strict-Transport-Security "max-age=15768000"
  DocumentRoot /home/user/public_html
  ServerName your_domain
  [...] other settings I had in the non-ssl VirtualHost configuration

I copied the ~/certificates/ to /etc/apache2/certificates (that’s why the path is not ~/certificates above, you should use the path to your certificates directory)

Restarted Apache!

Step 5: how I renew the certificates

acme.sh can take an argument to renew the certificates (see acme.sh README for that), but I just repeat the process and copy the new certificates to my apache certificates directory every 3 months.

And that’s it. 🙂