Installing HTTPS (Let's Encrypt SSL) on an Ubuntu 20.04 VPS with Apache
This tutorial uses a VPS running Ubuntu 20.04 with the apache2 web server.
Log in to the VPS over ssh:
ssh root@xxx.xxx.xxx.xxx
If you run a firewall, open port 443 first:
sudo ufw allow 443
Update the repository
sudo apt install software-properties-common
sudo add-apt-repository universe
sudo apt update
Install certbot
sudo apt install certbot python3-certbot-apache
Enabling the SSL certificate
There are several ways to obtain an SSL certificate; for Apache you can use the plugin.
Type:
sudo certbot --apache
Several questions follow. First you are asked for an email address for renewal and security notices.
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): emailmu@domain.com
Then press Enter. Next the terms of service agreement appears: A = agree, C = cancel the installation.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
Next you are asked whether to share your email address with the EFF. Type Y to subscribe to content from the EFF, or N if you do not want to subscribe (Y is not required, so you can choose N).
Output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Next you are asked to choose the domains to enable HTTPS for. Type the numbers to select; for several domains, separate the numbers with commas or spaces, or leave the input blank to enable all domains.
Output:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: webdomainyangdimiliki.com
2: www.webdomainyangdimiliki.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
The following will appear:
Output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for webdomainyangdimiliki.com
http-01 challenge for www.webdomainyangdimiliki.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/webdomainyangdimiliki.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/webdomainyangdimiliki.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/webdomainyangdimiliki.com-le-ssl.conf
The next question is whether HTTP traffic should be redirected to HTTPS. Type 1 for no redirect, or 2 to redirect automatically.
Output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
The SSL activation process
Output:
Redirecting vhost in /etc/apache2/sites-enabled/webdomainyangdimiliki.com.conf to ssl vhost in /etc/apache2/sites-available/domain.com-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://webdomainyangdimiliki.com
You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=webdomainyangdimiliki.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/webdomainyangdimiliki.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/webdomainyangdimiliki.com/privkey.pem
   Your cert will expire on 2021-09-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
SSL is now installed. Next, try accessing the site:
https://webdomainyangdimiliki.com
Checking automatic SSL renewal
SSL certificates issued by Let's Encrypt are valid for only 90 days, so they must be renewed within that period. The certbot package already includes an automatic renewal script as a cron job. To check it, run:
sudo systemctl status certbot.timer
Output:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Thu 2021-06-25 14:31:00 UTC; 0h 27min ago
Trigger: Fri 2021-06-25 23:12:41 UTC; 1h 12min left
Triggers: ● certbot.service
The renewal process can be tested with the command:
sudo certbot renew --dry-run
If there are no error messages, SSL is active on your domain. Check your email for notifications in case the certbot process runs into problems.
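An added example, not part of the original tutorial: a shell function that reads the output of "certbot certificates" and reports every certificate that is invalid or closer to expiry than a given number of days, which is how a silently failing renewal timer shows up. The sample output, the names stale.example and old.example, and the 21-day threshold are constructed for illustration; by default certbot renews once fewer than 30 days remain.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# check_lineages MIN_DAYS: reads `certbot certificates` output on stdin and
# prints every certificate that is INVALID or has fewer than MIN_DAYS left.
# Returns 1 if any such certificate was found, 0 otherwise.
check_lineages() {
    awk -v min="$1" '
        BEGIN { bad = 0 }
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Status is the text after the first "(", e.g. "VALID: 89 days",
            # "VALID: 5 hour(s)" or "INVALID: EXPIRED".
            status = substr($0, index($0, "(") + 1)
            sub(/\)$/, "", status)
            split(status, p, " ")
            if (p[1] != "VALID:" || p[3] ~ /^hour/ || p[2] + 0 < min) {
                print name ": " status
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample output, trimmed to the fields the check reads.
# stale.example and old.example are placeholder names.
SAMPLE='Found the following certs:
  Certificate Name: webdomainyangdimiliki.com
    Domains: webdomainyangdimiliki.com www.webdomainyangdimiliki.com
    Expiry Date: 2021-09-09 10:15:00+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/webdomainyangdimiliki.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/webdomainyangdimiliki.com/privkey.pem
  Certificate Name: stale.example
    Domains: stale.example
    Expiry Date: 2021-07-07 08:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example
    Domains: old.example
    Expiry Date: 2021-06-01 08:00:00+00:00 (INVALID: EXPIRED)'

# Demo on the sample. On the server itself:
#   sudo certbot certificates | check_lineages 21
printf '%s\n' "$SAMPLE" | check_lineages 21 || echo "renewal needs attention"
```

A non-zero return makes the function usable from a monitoring job, which alerts when a certificate has fallen well past the point where the timer should have renewed it.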