Long, long ago, I wrote about StartSSL. It was actually one of my first blog posts. After using the StartSSL (StartCom) service without issue for over two years, it appears that their root authority has been revoked, making their free service virtually useless. I had to find an alternative.
After some brief searching, I found EFF’s Let’s Encrypt. Their service is interesting in that their certificates are only good for 90 days, but they provide a utility called “certbot” for automatic renewal and deployment of certificates. This sounded pretty intriguing to me, and since StartCom was a bust, I gave it a whirl. It works really well.
First, since I use Linux Mint, I had to download the certbot script and let it install all of the necessary dependencies.
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
After that, the certbot-auto script must be run to install a certificate.
./certbot-auto --apache certonly
I immediately ran into an issue since I have multiple VirtualHosts specified in a single Apache site configuration.
My initial reaction was, of course, frustration. Nothing is ever quite as easy as one would hope. Fortunately, I knew I could simply split my VirtualHosts into separate configuration files/sites and then use “a2ensite” to enable them. After I did that, certbot-auto ran without a hitch. It also gave me the option to utilize the rewrite module to enforce HTTPS. I let it add a rule even though I already had a rewrite rule in place to handle this.
Now, the only thing remaining is to set up a cron job to renew the certificates every 80 days or so. I haven’t added that bit of configuration yet, but I am very pleased with this free service. Give it a try!
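One way to do the renewal step is shown below. It is an added example, not part of the original post. It checks the certificate's expiry date every day and calls `certbot-auto renew` once fewer than 30 days remain, so a failed attempt can be retried well before the 90 days run out. The certificate path (with `example.com` as a placeholder domain), the location of `certbot-auto`, the script path in the cron line, and the 30-day threshold are assumptions.

```bash
#!/bin/bash
# Added example: daily renewal check for a Let's Encrypt certificate.
# Assumed crontab entry for root (script path is hypothetical):
#   17 3 * * * /usr/local/bin/le-renew-check.sh --run

CERT="${CERT:-/etc/letsencrypt/live/example.com/cert.pem}"  # placeholder domain
CERTBOT="${CERTBOT:-/root/certbot-auto}"                    # assumed location
RENEW_BELOW_DAYS="${RENEW_BELOW_DAYS:-30}"                  # assumed threshold

# days_left "notAfter=<date>" [now_epoch]
# Prints whole days until expiry (zero or negative once the cert has expired).
# Accepts the line printed by `openssl x509 -noout -enddate`. Needs GNU date.
days_left() {
    local not_after="${1#notAfter=}"
    local now="${2:-$(date -u +%s)}"
    local end
    end=$(date -u -d "$not_after" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# needs_renewal "notAfter=<date>" [now_epoch] [threshold_days]
# Returns 0 when the certificate is inside the renewal window, 1 when it is
# not, and 2 when the date could not be parsed.
needs_renewal() {
    local left
    left=$(days_left "$1" "$2") || return 2
    [ "$left" -lt "${3:-$RENEW_BELOW_DAYS}" ]
}

# Read the live certificate and renew only when it is close to expiry.
check_and_renew() {
    local enddate
    enddate=$(openssl x509 -noout -enddate -in "$CERT") || {
        echo "cannot read certificate: $CERT" >&2
        return 2
    }
    if needs_renewal "$enddate"; then
        "$CERTBOT" renew --quiet
    fi
}

# Nothing runs unless the script is called with --run (as in the cron line).
if [ "${1:-}" = "--run" ]; then
    check_and_renew
fi
```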