Let’s Encrypt Apache With Multiple Virtual Host Files – Version 2

Back in January I wrote an article about using Let’s Encrypt with Multiple Virtual Host Files, and now I know a better way to do it. The problem I ran into was the script throwing an error when renewing the certificate. After a little research, I found that the easiest way to get a robust installation is to follow Erika Heidi’s instructions in How to Set Up Let’s Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 14.04. Now the script to renew the certificate works.

I found two problems that might trip up people trying to implement SSL.

  1. The script kept generating the message “No vhost exists with servername” for two of my sites. When I looked into my site configuration file I found that I was still using a separate VirtualHost section to redirect www.wehuberconsultingllc.com to wehuberconsultingllc.com. The script was upset that I had multiple VirtualHosts for the site. Once I added a ServerAlias for the www address in the first VirtualHost section and deleted the extra VirtualHost section from my vhost configuration file, the script found the site and created the certificate.
  2. When managing multiple WordPress sites I like to update the plugins via wordpress.com. The problem is that as soon as I implemented mandatory SSL for a WordPress site, Jetpack was no longer able to fetch plugin status and instead displayed the “error fetching plugins” message. After a lot of fiddling around I figured out that I could fix this problem by going to the Settings > General menu and changing the URL for the blog to https.
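The vhost layout behind problem 1 can be spotted before the client is run at all. The script below is an added example and is not part of the original post or of the Let’s Encrypt client: it lists the ServerName and ServerAlias entries per port in one or more Apache vhost files, then reports every www.<domain> that has its own VirtualHost while <domain> also has one on the same port. The two sample configurations it writes are constructed for illustration (mysite.com is a placeholder) and show the layout before and after the ServerAlias change.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: a small check for the vhost layout
# described above, where www.example.com has its own <VirtualHost> instead of being a
# ServerAlias of the bare domain. Pass it one or more Apache vhost files, e.g.
#   bash check-vhosts.sh /etc/apache2/sites-enabled/*.conf   (path is a placeholder)

# Print one line per name served by each <VirtualHost>: "<port> <directive> <name>".
# Directive names are matched case-insensitively, as Apache itself does.
vhost_names() {
    awk '
        tolower($1) ~ /^<virtualhost/ {
            port = $2; sub(/>.*/, "", port); sub(/.*:/, "", port)   # "*:80>" -> "80"
            inblock = 1; next
        }
        tolower($1) ~ /^<\/virtualhost/ { inblock = 0; next }
        inblock && tolower($1) == "servername"  { print port, "ServerName", $2 }
        inblock && tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) print port, "ServerAlias", $i }
    ' "$@"
}

# Report every www.<domain> that is the ServerName of its own <VirtualHost> while
# <domain> is also a ServerName on the same port. Output: "<port> www.<domain> -> <domain>".
# An empty result means each domain has one vhost per port, with www folded in as an alias.
split_www_vhosts() {
    vhost_names "$@" | awk '
        $2 == "ServerName" { key = $1 " " $3; seen[key] = 1; keys[++n] = key }
        END {
            for (i = 1; i <= n; i++) {
                split(keys[i], f, " "); port = f[1]; name = f[2]
                if (name ~ /^www\./) {
                    bare = substr(name, 5)
                    if ((port " " bare) in seen) print port, name, "->", bare
                }
            }
        }
    '
}

# Constructed sample: the layout the post started with (www in a separate vhost).
write_split_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName mysite.com
    Redirect / https://mysite.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName www.mysite.com
    Redirect permanent / http://mysite.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName mysite.com
    SSLEngine on
</VirtualHost>
EOF
}

# Constructed sample: the layout the post moved to (www as a ServerAlias).
write_alias_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    Redirect permanent / https://mysite.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName mysite.com
    ServerAlias www.mysite.com
    SSLEngine on
</VirtualHost>
EOF
}

# When run directly with file arguments, check those files.
if [ "$#" -gt 0 ]; then
    split_www_vhosts "$@"
fi
```

Running it over the first sample prints `80 www.mysite.com -> mysite.com`, the exact pair the client complained about; over the second sample it prints nothing, because www.mysite.com only appears as a ServerAlias.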

Let’s Encrypt Apache With Multiple Virtual Host Files

Over the holidays I converted this site over to SSL using a free certificate from Let’s Encrypt, since the folks at Digital Ocean had written a nice tutorial, How To Secure Apache with Let’s Encrypt on Ubuntu 14.04. The problem was that the installation script only partially worked: it created an SSL certificate for multiple hosts, but it did not update any of the virtual host files. So I had to update the files manually using the template in the /etc/letsencrypt folder. To get an “A” rating from the Qualys SSL Server Test I had to download the intermediate certificate from https://letsencrypt.org/certificates/. Finally I redirected all of my plain HTTP traffic to the SSL site. Here is what my Apache host configuration file looks like.

<VirtualHost *:80>
    ServerName mysite.com
    # Send plain HTTP for the bare domain to the HTTPS site
    Redirect / https://mysite.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mysite.com
    # www goes to the bare domain, whose vhost above then redirects to HTTPS
    # (an extra hop; the update at the top of this post folds www into a ServerAlias instead)
    Redirect permanent / http://mysite.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName mysite.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    # Intermediate configuration, tweak to your needs
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLCompression off
    SSLOptions +StrictRequire

    # Certificate and private key written by the Let's Encrypt client
    SSLCertificateFile /etc/letsencrypt/live/mysite.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
    # Intermediate certificate downloaded from https://letsencrypt.org/certificates/
    SSLCertificateChainFile /etc/letsencrypt/lets-encrypt-x1-cross-signed.pem
</VirtualHost>