How To Secure Apache with Let's Encrypt on macOS Monterey (Add SSL certificates to your website on macOS)
Jan 24, 2022: When your website is hosted with a provider such as GoDaddy, Wix, Google Domains or DigitalOcean, there are several ways to get an SSL/TLS certificate for it, and most providers will issue and renew one for you. When you host the website yourself on an old machine at home, as I do, you have to obtain the certificate yourself: either buy one from a commercial Certificate Authority, get one for free from Let's Encrypt, or generate a self-signed certificate with a tool such as OpenSSL (browsers will not trust a self-signed certificate, so that option is only useful for testing). In all cases the certificate has to be issued in the format and with the properties browsers expect, which is why it is best to use an established client such as Certbot rather than assembling the request by hand.
So, today we will see how to secure your Apache web server with a certificate from Let's Encrypt on macOS Monterey. I have seen several articles for Ubuntu but never found anything solid for macOS. I will start with the prerequisites and then walk through obtaining the certificate and configuring Apache to use it.
Prerequisites:
- Apache already configured for your website (macOS ships with Apache; alternatively install it with Homebrew. Either way, your site content must already be in place and the hostname configured.)
- DNS: an A (and/or AAAA) record at your domain provider pointing your hostname at the public IP address of your home connection, plus port forwarding on your router so that ports 80 and 443 reach the Mac. Port 80 in particular must be reachable from the Internet, because the Let's Encrypt HTTP-01 validation used below connects to it.
Install Java (optional):
Neither Certbot nor Apache depends on Java, so this step is only needed if the website itself runs on Java. If it does:
- Download the latest Java from https://www.java.com/en/download/
- Run the dmg file, agree to the terms and enter your password if prompted
- The installer sets up its paths automatically; check that it is installed correctly with java -version
Install homebrew/brew:
If you do not have Homebrew installed yet, install it by entering the following command in your terminal. It will ask for your password, because parts of the installation need sudo.
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Once installed you can verify by running
brew doctor
Install Certbot:
Certbot is the Let's Encrypt client that will obtain the certificates for our websites; install it with Homebrew. Stop the Homebrew httpd service first (or run sudo apachectl stop if you are using the Apache that ships with macOS), so that port 80 is free for Certbot's standalone listener later on:
brew services stop httpd
brew update
brew upgrade
brew install certbot
Now that Certbot is installed, it needs somewhere to keep its working files, its logs and the certificates themselves. Its upstream defaults are the Linux-style /etc/letsencrypt, /var/lib/letsencrypt and /var/log/letsencrypt, which do not fit a Homebrew installation, so we point it at paths under the Homebrew prefix through a per-user cli.ini. Certbot reads ~/.config/letsencrypt/cli.ini; it is still picked up when you run certbot under sudo below, because macOS sudo keeps your HOME. The paths are for Apple Silicon, where the Homebrew prefix is /opt/homebrew; on an Intel Mac it is /usr/local, so adjust accordingly (brew --prefix prints the right one).
mkdir -pv ~/.config/letsencrypt
vi ~/.config/letsencrypt/cli.ini
We assume you are comfortable with vi; if not, use any editor of your choice and put the following three settings in the file:
work-dir = /opt/homebrew/etc/certbot
logs-dir = /opt/homebrew/etc/certbot/logs
config-dir = /opt/homebrew/etc/certbot/certs
Save the file.
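The same setup as a script, added here as an example rather than taken from the article: it detects the Homebrew prefix with brew --prefix instead of hard-coding /opt/homebrew, creates the three directories, and writes cli.ini. The function names are this example's own. Because config-dir is where Certbot will keep the private keys, the script creates that directory with mode 700 instead of leaving it at the umask default.

```bash
#!/bin/sh
# Added example (not from the original article): create Certbot's per-user
# cli.ini and the Homebrew-prefixed directories it refers to.
set -eu

# Homebrew prefix: /opt/homebrew on Apple Silicon, /usr/local on Intel.
# Falls back to /opt/homebrew when brew is not on PATH.
detect_brew_prefix() {
  if command -v brew >/dev/null 2>&1; then
    brew --prefix
  else
    echo /opt/homebrew
  fi
}

# Write cli.ini into $2 for the Homebrew prefix $1 and create the work, log
# and config directories it names. The config dir will hold private keys,
# so it is created mode 700; cli.ini itself is made private as well.
setup_certbot_dirs() {
  prefix="$1"
  cfg_dir="$2"
  work="$prefix/etc/certbot"
  mkdir -p "$cfg_dir" "$work/logs"
  mkdir -p -m 700 "$work/certs"
  chmod 700 "$work/certs"
  cat > "$cfg_dir/cli.ini" <<EOF
work-dir = $work
logs-dir = $work/logs
config-dir = $work/certs
EOF
  chmod 600 "$cfg_dir/cli.ini"
}

# Print the value of key $1 from the cli.ini at $2 (to confirm the result).
cli_ini_value() {
  sed -n "s/^$1 *= *//p" "$2"
}

# Stand-alone use: detect the prefix, write ~/.config/letsencrypt/cli.ini
# and show what was written.
if [ "${1:-}" = "--install" ]; then
  setup_certbot_dirs "$(detect_brew_prefix)" "${HOME:-/var/root}/.config/letsencrypt"
  cat "${HOME:-/var/root}/.config/letsencrypt/cli.ini"
fi
```

Run it with --install to write ~/.config/letsencrypt/cli.ini on your own machine; the functions take explicit paths so they can also be exercised against a scratch directory first.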
Creating the Certificate using Certbot:
Now we can request the certificate. In standalone mode Certbot starts its own temporary web server on port 80 to answer the Let's Encrypt HTTP-01 validation request, which is why Apache had to be stopped first and why port 80 must be forwarded to this machine. Run it under sudo:
sudo certbot certonly --standalone
It prompts for an email address (used for expiry and security notices), asks you to agree to the Let's Encrypt terms of service, and then asks for the domain name(s) to put on the certificate. The full interactive session looked like this:
% sudo certbot certonly --standalone
Saving debug log to /opt/homebrew/etc/certbot/logs/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): kashivivek@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.avsoftsol.com
Requesting a certificate for www.avsoftsol.com
Once you enter the domain name(s), Certbot answers the validation request on port 80, stores the certificate locally and prints a confirmation like the one below. Note the two paths: fullchain.pem holds your certificate together with the Let's Encrypt intermediate certificate, and privkey.pem is the private key. Certbot creates the key readable by root only, and it should stay that way: point Apache at it rather than copying it somewhere more convenient.
Successfully received certificate.
Certificate is saved at: /opt/homebrew/etc/certbot/certs/live/www.avsoftsol.com/fullchain.pem
Key is saved at: /opt/homebrew/etc/certbot/certs/live/www.avsoftsol.com/privkey.pem
This certificate expires on 2022-04-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Set up auto-renewal of Certbot certificates on macOS:
Let's Encrypt certificates are valid for 90 days; the expiry date was printed in the confirmation above, so renewal has to be automated. certbot renew only renews certificates that are within 30 days of expiry and does nothing otherwise, which makes it safe to run twice a day from cron. A bare certbot renew line does not work well from cron on macOS, though: cron runs the job as root with HOME=/var/root, so the cli.ini under your own home directory (and with it the Homebrew paths) is not found; cron's PATH does not contain the Homebrew bin directory; macOS 12.3 removed /usr/bin/python (Python 2), which a python -c random sleep would rely on; and a standalone renewal needs port 80, so Apache has to be stopped before and started again after it. The following entry covers these points: -c selects the config file, and --pre-hook/--post-hook (which certbot renew only runs when a renewal is actually attempted) free port 80 and restart Apache. certbot renew already waits a short random delay of its own when run non-interactively, so no extra sleep is needed:
echo "0 0,12 * * * root /opt/homebrew/bin/certbot renew -q -c /Users/YOURUSER/.config/letsencrypt/cli.ini --pre-hook 'brew services stop httpd' --post-hook 'brew services start httpd'" | sudo tee -a /etc/crontab > /dev/null
Replace YOURUSER with your login name, use /usr/local instead of /opt/homebrew on an Intel Mac, and substitute sudo apachectl stop and sudo apachectl start in the hooks if you run the Apache that ships with macOS. The hooks run as root, so brew services there manages the system-level httpd service, which matches starting Apache with sudo brew services start httpd (needed anyway for httpd to read the root-owned privkey.pem). The restart in the post-hook is also what makes Apache pick up the renewed certificate; without it, Apache keeps serving the old one until its next restart. Now a cron job is set on the machine which takes care of the auto-renewal.
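As an added example that is not part of the original article, the script below wraps both the check and the renewal: it reports whether each certificate under Certbot's live directory is due for renewal (using openssl x509 -checkend, which works with both the LibreSSL that macOS ships and OpenSSL, so no date parsing is needed), confirms that each privkey.pem really belongs to its fullchain.pem before Apache loads the pair, and then runs certbot renew with -c pointing at the cli.ini and with pre/post hooks that stop and restart Apache around the standalone challenge. The HOMEBREW_PREFIX, CERTBOT_CLI_INI, APACHE_STOP and APACHE_START variables and the function names are this example's own assumptions; the paths default to the ones used in the article.

```bash
#!/bin/sh
# Added example (not from the original article): renewal wrapper for a
# Homebrew Certbot on macOS. Variables and function names are assumptions.
set -eu

PREFIX="${HOMEBREW_PREFIX:-/opt/homebrew}"      # /usr/local on Intel Macs
CERTBOT="$PREFIX/bin/certbot"
CLI_INI="${CERTBOT_CLI_INI:-${HOME:-/var/root}/.config/letsencrypt/cli.ini}"
LIVE_DIR="$PREFIX/etc/certbot/certs/live"
APACHE_STOP="${APACHE_STOP:-brew services stop httpd}"
APACHE_START="${APACHE_START:-brew services start httpd}"
RENEW_DAYS=30   # certbot renew's own "due for renewal" threshold

# Exit 0 if the certificate in $1 will still be valid $2 days from now.
# `openssl x509 -checkend` exits non-zero when the cert expires within the
# given number of seconds, which is exactly the test we want.
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Print NEEDS_RENEWAL or OK for the certificate in $1.
renewal_status() {
  if cert_valid_for_days "$1" "$RENEW_DAYS"; then echo OK; else echo NEEDS_RENEWAL; fi
}

# Exit 0 if the private key in $2 matches the certificate in $1, by comparing
# the public key embedded in the certificate with the one derived from the
# key. A mismatched pair is what produces Apache's "certificate and key do
# not match" failure at start-up.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Run certbot renew. -c points it at the cli.ini with the Homebrew paths
# (root's cron does not share your HOME); the hooks free port 80 for the
# HTTP-01 challenge and then restart Apache so it loads the new certificate.
renew_all() {
  "$CERTBOT" renew -q -c "$CLI_INI" \
    --pre-hook "$APACHE_STOP" --post-hook "$APACHE_START"
}

main() {
  for d in "$LIVE_DIR"/*/; do
    [ -f "$d/fullchain.pem" ] || continue
    printf '%s: %s\n' "$(basename "$d")" "$(renewal_status "$d/fullchain.pem")"
    key_matches_cert "$d/fullchain.pem" "$d/privkey.pem" \
      || echo "  WARNING: privkey.pem does not match fullchain.pem in $d"
  done
  renew_all
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it with --run from root's cron in place of the bare certbot renew command; because it invokes certbot by its full path and with an explicit -c, it works from cron even though neither the Homebrew bin directory nor your cli.ini is visible there. The status report is also a quick way to check a freshly issued certificate by hand.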
Configure Apache Server with the SSL configuration:
The Apache that ships with macOS keeps its configuration at /etc/apache2/httpd.conf; the Homebrew build keeps it under the Homebrew prefix, /opt/homebrew/etc/httpd/httpd.conf on Apple Silicon or /usr/local/etc/httpd/httpd.conf on Intel. The rest of this section follows the Homebrew layout; with the built-in Apache the same directives live under /etc/apache2. If you installed Apache somewhere else, locate httpd.conf accordingly.
Find out the right Apache path and Open the file with your choice of editor.
sudo vi /etc/apache2/httpd.conf
Uncomment the LoadModule lines for socache_shmcb_module and ssl_module, and the Include line for extra/httpd-ssl.conf, by removing the # in front of them in httpd.conf. (The Homebrew httpd also listens on port 8080 rather than 80 by default; change that Listen directive too if you have not already done so.)
Next, change the default port 8443 to the standard 443 in the SSL config file, in both the Listen directive and the VirtualHost:
vi /opt/homebrew/etc/httpd/extra/httpd-ssl.conf
In the same file, point Apache at the certificate and private key created above: the SSLCertificateFile and SSLCertificateKeyFile directives inside the VirtualHost ship pointing at a placeholder server.crt and server.key, so replace those with the fullchain.pem and privkey.pem paths that Certbot printed (fullchain.pem rather than cert.pem, so that the intermediate certificate is sent as well). Then find the block below
<VirtualHost _default_:8443>
# General setup for the virtual host
DocumentRoot "/opt/homebrew/var/www"
ServerName www.example.com:8443
and change it to
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/Path/to/Sites"
ServerName www.avsoftsol.com:443
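For reference, this is what the edited parts of httpd-ssl.conf end up looking like, together with a plain-HTTP virtual host that sends visitors to the HTTPS site. It is an added example rather than the article's own file: the DocumentRoot, ServerName and Apple Silicon Homebrew paths are the placeholders used above, and the tightened SSLProtocol line and the HSTS header are additions that the article does not mention and that you may leave out.

```apache
# httpd-ssl.conf (Homebrew httpd, Apple Silicon prefix): the edited directives.
Listen 443

# Refuse the obsolete protocol versions (the stock file only disables SSLv3).
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

<VirtualHost _default_:443>
    DocumentRoot "/Path/to/Sites"
    ServerName www.avsoftsol.com:443
    SSLEngine on
    # fullchain.pem = your certificate plus the Let's Encrypt intermediate,
    # so clients can build the chain. privkey.pem stays root-owned, mode 600:
    # httpd reads it while still running as root, before dropping to its
    # unprivileged User.
    SSLCertificateFile    "/opt/homebrew/etc/certbot/certs/live/www.avsoftsol.com/fullchain.pem"
    SSLCertificateKeyFile "/opt/homebrew/etc/certbot/certs/live/www.avsoftsol.com/privkey.pem"
    # HSTS: browsers that have seen this header keep using HTTPS for a year.
    # Needs mod_headers (enabled in the stock httpd.conf). Add it only once
    # the HTTPS site works, because visitors' browsers cache it.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

# httpd.conf (or a separate vhost file): redirect plain HTTP to HTTPS.
# Redirect comes from mod_alias, which is loaded by default. Certbot's
# standalone renewal stops httpd first, so port 80 is free for the challenge.
<VirtualHost *:80>
    ServerName www.avsoftsol.com
    Redirect permanent "/" "https://www.avsoftsol.com/"
</VirtualHost>
```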
Thus, we have finished all the required steps for SSL configuration to the Apache Web Server where our website is hosted.
Verifying the Apache Configuration Syntax:
Now, run the below command to make sure the apache configuration is all done without any errors.
sudo apachectl configtest
Once configtest reports Syntax OK, restart Apache so that it loads the new configuration and the certificate.
If you are using the Homebrew httpd (the layout used above):
brew services stop httpd
brew services start httpd
Note that Certbot was run under sudo, so privkey.pem is owned by root and readable only by root; for httpd to read it (and to bind ports 80 and 443), start the service as root with sudo brew services start httpd rather than loosening the key's permissions.
If you are using the Apache that ships with macOS:
sudo apachectl restart
Then confirm from outside your network, or with curl -vI https://www.avsoftsol.com, that the site is served over HTTPS and the certificate chain validates.
In the same way, you can repeat the steps for any other websites hosted on the same Apache web server: either run certbot once per hostname or list several hostnames in one run, and give each site its own VirtualHost with its own certificate paths.