gohugo behind apache with letsencrypt

Introduction

So I learnt pretty quickly that running SSL cert termination on an AWS ELB was not that smart from a cost perspective.

Prerequisites:-

  • Ubuntu 16.04+
  • Running Apache2
  • Certbot installed using instructions at Certbot EFF

The http apache virtualhost config

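Before you start you will need to have a config set up similar to this:-

# Apache 2.4 (Ubuntu 16.04+). Enable the proxy modules first:
#   sudo a2enmod proxy proxy_http
# NameVirtualHost is not needed on 2.4 (it has no effect there).
<VirtualHost *:80>
    ServerName myblog.com
    ServerAlias www.myblog.com
    # Pass the original Host header through to hugo
    ProxyPreserveHost On
    <Proxy *>
        AddDefaultCharset Off
        # 2.4 access-control syntax, replaces "Order deny,allow" / "Allow from all"
        Require all granted
    </Proxy>
    # Forward every request to the local hugo server
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ErrorLog ${APACHE_LOG_DIR}/myblog-error.log
    CustomLog ${APACHE_LOG_DIR}/myblog-access.log combined
</VirtualHost>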

The ProxyPass directives forward requests to the locally running gohugo service, which you can run on any port you have assigned.

Run Let’s Encrypt

The instructions are very simple. Make sure the letsencrypt Apache agent is installed:-

$ sudo apt-get install python-letsencrypt-apache

Run the letsencrypt agent:-

$ sudo letsencrypt --apache

The agent setup is a shell wizard that is easy enough to follow through. Make sure you use a real email address for recovery keys if needed. I would honestly recommend backing up /etc/letsencrypt as often as possible.

Check your new cert configuration from your browser and you should see something like this:-

Certificate
  Subject:     www.myblog.com
  SAN:         myblog.com, www.myblog.com
  Valid From:  Tue, 08 Nov 2016 19:09:00 GMT
  Valid Until: Mon, 06 Feb 2017 19:09:00 GMT
  Issuer:      Let's Encrypt Authority X3
  SCTs:        0 SCTs

Renewals

You can test a renewal by issuing the following command:-

$ sudo letsencrypt renew --dry-run --agree-tos

If that renewal works correctly you should see a message similar to the following:-

Processing /etc/letsencrypt/renewal/www.myblog.com.conf
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
**          (The test certificates below have not been saved.)

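Assuming that looks OK, we can set up a cron job in root's crontab (the renewal needs to write to /etc/letsencrypt and /var/log) like so:-

$ sudo crontab -e

01 8,20 * * * /usr/bin/letsencrypt renew >> /var/log/myblog-le-renew.log

This runs the renewal at 1 minute past the hour at 8am and 8pm, every day of the year.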
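A cron job can fail silently, so it is worth checking the certificate itself rather than trusting the log. The following is an added example, not part of the original post: it classifies the notAfter line printed by openssl x509 -noout -enddate. The 30-day renewal window, the one-day grace period, the script name and the certificate path in the comments are assumptions.

```python
import sys
from datetime import datetime, timedelta, timezone

# Assumption: the client's default renewal window of 30 days before expiry.
RENEW_WINDOW = timedelta(days=30)
# The cron job on this page fires twice a day, so one day of slack is generous.
CRON_GRACE = timedelta(days=1)

# Constructed sample: `openssl x509 -noout -enddate` output for the
# "Valid Until" date shown in the certificate details on this page.
SAMPLE = "notAfter=Feb  6 19:09:00 2017 GMT"


def parse_not_after(line):
    """Turn one 'notAfter=...' line from openssl into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value.endswith(" GMT"):
        raise ValueError("unexpected openssl output: %r" % line)
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def renewal_status(not_after, now):
    """Classify the certificate relative to the renewal window."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < RENEW_WINDOW - CRON_GRACE:
        return "overdue"   # cron had several chances to renew and did not
    if remaining < RENEW_WINDOW:
        return "due"       # inside the window, the next cron run should renew
    return "ok"


if __name__ == "__main__":
    # Hypothetical usage; the cert path assumes the client's usual live/ layout:
    #   python3 check_renewal.py "$(openssl x509 -noout -enddate \
    #       -in /etc/letsencrypt/live/www.myblog.com/cert.pem)"
    if len(sys.argv) > 1:
        now = datetime.now(timezone.utc)
        status = renewal_status(parse_not_after(sys.argv[1]), now)
        print(status)
        # Non-zero exit lets cron or a monitoring agent raise an alert.
        sys.exit(0 if status in ("ok", "due") else 1)
    # Demo on the constructed sample at a constructed date: prints "overdue"
    demo_now = datetime(2017, 1, 20, tzinfo=timezone.utc)
    print(renewal_status(parse_not_after(SAMPLE), demo_now))
```

Run it from a separate scheduled job or monitoring agent so that a broken renewal cron job does not also hide the alert.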

Conclusion

Free, automated and professional ssl certs. Thanks for stopping by.