gohugo behind apache with letsencrypt
11/Nov 2016
## Introduction
So I learnt pretty quickly that running SSL cert termination on an AWS ELB was not that smart from a cost perspective.
Prerequisites:-
- Ubuntu 16.04+
- Running Apache2
- Certbot installed using instructions at Certbot EFF
## The HTTP Apache virtualhost config
Before you start, you will need a config set up similar to this:-
```
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName myblog.com
    ServerAlias www.myblog.com

    # Pass the original Host header through to the backend
    ProxyPreserveHost On
    <Proxy *>
        AddDefaultCharset Off
        # Apache 2.2-style access control; Apache 2.4 accepts it via mod_access_compat
        Order deny,allow
        Allow from all
    </Proxy>

    # Forward all requests to the local gohugo server
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    ErrorLog ${APACHE_LOG_DIR}/myblog-error.log
    CustomLog ${APACHE_LOG_DIR}/myblog-access.log combined
</VirtualHost>
```
The ProxyPass directives forward requests to the locally running gohugo service, which can listen on whichever port you have assigned.
## Run Let’s Encrypt
The instructions are very simple. Make sure the letsencrypt apache agent is installed:-
Run the letsencrypt agent:-
```$ letsencrypt --apache```
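The agent setup is a shell wizard that is easy enough to follow. Make sure you use a real email address, in case it is needed for key recovery. I would honestly recommend backing up ```/etc/letsencrypt``` as often as possible. That directory holds the account key and the certificates' private keys, so keep the backups as restricted as the directory itself.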
Check your new cert configuration from your browser and you should see something like this:-
Certificate
- Subject: www.myblog.com
- SAN: myblog.com, www.myblog.com
- Valid From: Tue, 08 Nov 2016 19:09:00 GMT
- Valid Until: Mon, 06 Feb 2017 19:09:00 GMT
- Issuer: Let’s Encrypt Authority X3
- SCTs: 0 SCTs
## Renewals
You can test a renewal by issuing the following command:-
```$ letsencrypt renew --dry-run --agree-tos```
If that renewal works correctly you should see a message similar to the following:-
```
Processing /etc/letsencrypt/renewal/www.myblog.com.conf
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
** (The test certificates below have not been saved.)
```
Assuming that looks ok, we can set up a cron job like so:-
```
$ crontab -e
```
```
01 8,20 * * * /usr/bin/letsencrypt renew >> /var/log/myblog-le-renew.log
```
This runs the renewal at 08:01 and 20:01 every day of the year.
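The cron entry above appends only stdout to the log, so a renewal that keeps failing is easy to miss until the certificate expires. The script below is an added example, not part of the original post: it reads the expiry date of the certificate the server actually presents and flags a stalled renewal. It assumes the openssl CLI and GNU date; the function names, the `WARN_DAYS` threshold and the script name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: detect a stalled cron renewal.
# Assumes the openssl CLI and GNU date (both stock on Ubuntu).

# Assumption: by default `letsencrypt renew` replaces certs with under 30 days
# left, so fewer than WARN_DAYS days remaining means renewals are failing.
WARN_DAYS="${WARN_DAYS:-25}"

# served_not_after HOST [PORT]
# Prints the notAfter date of the certificate the web server actually presents.
served_not_after() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2
}

# cert_status NOT_AFTER [NOW_EPOCH]
# NOT_AFTER uses openssl's format, e.g. "Feb  6 19:09:00 2017 GMT".
# Prints "OK <days>", "RENEWAL_STALLED <days>", "EXPIRED" or "UNPARSEABLE";
# the exit code is 0 only for OK, so cron or a monitor can act on it.
cert_status() {
    local end now days
    # An empty date (e.g. the TLS connection failed) must not be read as "today".
    [ -n "$1" ] || { echo "UNPARSEABLE"; return 3; }
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 3; }
    now="${2:-$(date -u +%s)}"
    if [ "$end" -le "$now" ]; then
        echo "EXPIRED"; return 2
    fi
    days=$(( (end - now) / 86400 ))
    if [ "$days" -lt "$WARN_DAYS" ]; then
        echo "RENEWAL_STALLED $days"; return 1
    fi
    echo "OK $days"
}

# Usage: ./check-cert.sh www.myblog.com   (script name is hypothetical)
if [ $# -gt 0 ]; then
    status=$(cert_status "$(served_not_after "$@")")
    rc=$?
    echo "$1: $status"
    exit "$rc"
fi
```

Run it from a second cron entry or from a monitoring host; checking the served certificate also catches the case where the files on disk were renewed but Apache is still presenting the old one.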
## Conclusion
Free, automated and professional ssl certs. Thanks for stopping by.