4. Change to SSL

4.1. Intro

At some point you will want to move your web server to HTTPS (SSL, or more precisely TLS). This is how I did it.

4.2. Let's Encrypt

The certificate-part is taken from https://www.pestmeester.nl/index.html#10.0 and adapted to my situation.

Certbot, the Let's Encrypt client, is not available as a Raspbian package, so we will have to install it by hand. First, install git:

sudo apt-get install git

Next, clone the Certbot repository into /etc/letsencrypt; the certbot-auto script in it bootstraps its own dependencies. (Certbot has since deprecated certbot-auto in favour of distribution packages and snaps, so on a current Raspbian check for a certbot package before cloning.)

sudo git clone https://github.com/certbot/certbot /etc/letsencrypt

Now we're going to get those certificates. I run a single domain on my server, ljm.name. The first time you apply for a certificate, an account is created for you; when you apply for further certificates later, they are simply added to that account.

For my domain I got one certificate, for ljm.name. The --webroot plugin writes a challenge file under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP, so -w must point at the directory Apache serves for that name on port 80:

sudo /etc/letsencrypt/certbot-auto certonly --agree-tos --webroot -w /links/www -d ljm.name

Follow the prompts, especially the first time, when the account is created (a contact e-mail address and agreement to the terms of service; there is no password).

After successful validation you should see a message like this (copied from the pestmeester page, so the path and date will differ):

Congratulations! Your certificate and chain have been
saved at /etc/letsencrypt/live/mysite.com/fullchain.pem.
Your cert will expire on 2017-05-09.
To obtain a new or tweaked version of this certificate in
the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates,
run "certbot-auto renew"

Create a cron job to automate certificate renewal:

sudo crontab -e
0 6 * * * /etc/letsencrypt/certbot-auto renew --text >> /etc/letsencrypt/certbot/certbot-cron.log

This cron job runs daily, but certbot only renews a certificate when it is less than 30 days from expiry. Note that Apache reads the certificate files only at (re)start, so a renewed certificate is not served until Apache has been reloaded.

4.3. Apache

Apache has always been a PITA to configure, and enabling SSL is no exception to that. First, under /etc/apache2/sites-available create a copy of default-ssl and name it ssl.

In ssl I set the following:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /room/sda1/www/html
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /room/sda1/www/html/>
                # Indexes lets Apache list any directory without an index file;
                # drop it unless you want those listings to be public.
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on

        SSLCertificateFile    /etc/letsencrypt/live/ljm.name/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ljm.name/privkey.pem
        # chain.pem, not fullchain.pem: fullchain.pem already contains
        # cert.pem, so naming it here would send the leaf certificate twice.
        SSLCertificateChainFile /etc/letsencrypt/live/ljm.name/chain.pem

        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Make a link to it in /etc/apache2/sites-enabled (a2ensite ssl does that), reload Apache, and ...

Nothing.

netstat -an does not show port 443 in the LISTEN state. There are no log records to help, and starting in debug mode gives no additional information, just nothing. So...

The first thing is to enable the Apache SSL module. The fact that this module is a standard part of the distribution, and that Apache recommends using SSL, doesn't mean it is enabled by default. Sigh...

a2enmod ssl

Reload Apache and ...

Nothing.

Remove 000-default, reload Apache, and suddenly it starts working. However, now my http site is gone. ln -s ../sites-available/default http (in /etc/apache2/sites-enabled) solves that problem. Apparently, 000-default prevents other sites from being enabled.
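The things that went wrong above (mod_ssl not loaded, nothing bound to port 443, and a vhost file that Apache accepts without complaint even when its SSL directives are off) can each be checked rather than guessed at. The script below is an added example, not from the original page: it queries the running Apache for the module and the listening port, and parses the vhost file for the SSL directives, flagging the common slip of naming fullchain.pem as SSLCertificateChainFile (fullchain.pem already contains the leaf, so Apache would send it twice). The vhost path /etc/apache2/sites-available/ssl follows the page; the script name and apache2ctl plus ss or netstat being on PATH are assumptions.

```shell
#!/bin/sh
# sslcheck.sh: checks for the Apache side of the switch (added example, not
# from the original page). Assumptions: apache2ctl and ss or netstat on PATH,
# and the SSL vhost file at the page's location.

SSL_SITE=${SSL_SITE:-/etc/apache2/sites-available/ssl}

# ssl_module_loaded: exit 0 if mod_ssl is loaded in the running configuration
# (a2enmod ssl only adds the symlink; Apache must be restarted afterwards).
ssl_module_loaded() {
    apache2ctl -M 2>/dev/null | grep -q '^ *ssl_module'
}

# port_listening PORT: exit 0 if some socket is in LISTEN state on PORT.
# Both ss and netstat print the local address in column 4, e.g. "*:443" or
# ":::443", so match on the trailing ":PORT".
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null
    else
        netstat -ltn 2>/dev/null
    fi | awk -v port="$1" '$4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# vhost_directive FILE NAME: print the argument of the first NAME directive
# in FILE (directive names are case-insensitive; comment lines are skipped).
vhost_directive() {
    awk -v name="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(name) { print $2; exit }
    ' "$1"
}

# vhost_ssl_ok FILE: exit 0 if the SSL directives in FILE are consistent.
# Apache starts happily with the mistake checked last: with Let's Encrypt's
# layout fullchain.pem already contains cert.pem, so naming it as
# SSLCertificateChainFile makes Apache send the leaf certificate twice. The
# chain file is chain.pem (or, on Apache 2.4.8 and later, drop the directive
# and point SSLCertificateFile at fullchain.pem).
vhost_ssl_ok() {
    conf=$1
    rc=0
    [ "$(vhost_directive "$conf" SSLEngine)" = "on" ] \
        || { echo "$conf: SSLEngine is not on"; rc=1; }
    [ -n "$(vhost_directive "$conf" SSLCertificateFile)" ] \
        || { echo "$conf: no SSLCertificateFile"; rc=1; }
    [ -n "$(vhost_directive "$conf" SSLCertificateKeyFile)" ] \
        || { echo "$conf: no SSLCertificateKeyFile"; rc=1; }
    case $(vhost_directive "$conf" SSLCertificateChainFile) in
        */fullchain.pem)
            echo "$conf: SSLCertificateChainFile is fullchain.pem; use chain.pem"
            rc=1 ;;
    esac
    return $rc
}

# Usage: sh sslcheck.sh check
case ${1:-} in
    check)
        ssl_module_loaded && echo "mod_ssl loaded" \
            || echo "mod_ssl NOT loaded: a2enmod ssl, then restart apache2"
        port_listening 443 && echo "port 443 listening" \
            || echo "nothing listening on 443: check Listen 443 in ports.conf"
        vhost_ssl_ok "$SSL_SITE" && echo "$SSL_SITE looks consistent"
        ;;
esac
```

Run sh sslcheck.sh check after each change; the module and port checks answer the "Nothing." moments above directly, and vhost_ssl_ok catches what Apache's own config test will not.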

4.4. Note

Raspberry Pi is a trademark of the Raspberry Pi Foundation.