DRAFT - not finished
This guide shows how to create a Let's Encrypt certificate using certbot and how to use the cert with Apache2 on a Raspberry Pi running Raspbian.
I have yet to figure out how to use Let's Encrypt or certbot effectively for my home web server.
Let's Encrypt is a free Certificate Authority, which is great. certbot, or any ACME client, makes the whole process of getting a cert and renewing the cert easy.
However, as of 19APR2020, Let's Encrypt does not support client-side certs.
Within most large businesses and data centers, client-side certs are used so that two devices can authenticate each other and communicate securely. For example, two servers communicating via an API should use a cert, unless the information is for public consumption. Certs are regularly used between servers behind a DMZ, and between the DMZ and the servers the DMZ is protecting.
In addition to certs, a further security layer may be added by requiring a username and password.
I use certs on my Home Automation web server to prevent unauthorized access. I put the client-side certs on my family's phones.
I read a blog saying Let's Encrypt supports client-side certs; it does not.
The reason Let's Encrypt gives for not supporting client-side certs seems incorrect, because other Certificate Authorities do support them.
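Since Let's Encrypt only issues server certs, the client-side certs for the phones have to come from somewhere else. The usual answer is a small private CA on the server itself: Apache keeps its Let's Encrypt server cert and additionally requires every client to present a cert signed by that private CA. The script below is an added example and is not part of the original guide; it needs the openssl command-line tool, and the directory names, subject names and the bundle password are assumptions for the illustration. The Apache directives it prints are standard mod_ssl directives, with the certificate paths certbot reports in this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: a small private CA that
# issues the client-side certs Let's Encrypt does not provide, for Apache to
# require from family phones. Needs the openssl command-line tool. All
# directory and subject names here are assumptions for the illustration.
set -eu

# Create a CA key and self-signed CA cert in directory $1.
# The CA key signs the phone certs and must never leave the server.
make_client_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Home Automation Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# Issue a client cert for device $2 signed by the CA in $1.
# Writes $1/$2.key, $1/$2.crt and a PKCS#12 bundle $1/$2.p12 (the form a
# phone imports). The bundle password "changeit" is a placeholder.
issue_client_cert() {
    dir="$1"; name="$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
        -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/$name.p12"
    rm -f "$dir/$name.csr"
}

# Does cert $2 chain to the CA in $1? This is the check Apache makes during
# the TLS handshake when SSLVerifyClient is set. Exit status 0 = accepted.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Apache vhost fragment: Let's Encrypt still supplies the server cert (the
# paths certbot reports), while the private CA in $1 gates who may connect.
apache_mtls_config() {
    ca_crt="$1"
    cat <<EOF
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/♣dynamic-dns-name♣.duckdns.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/♣dynamic-dns-name♣.duckdns.org/privkey.pem
SSLCACertificateFile $ca_crt
SSLVerifyClient require
SSLVerifyDepth 1
EOF
}

# Demo: sh clientca.sh demo   (writes into ./clientca)
if [ "${1:-}" = "demo" ]; then
    make_client_ca ./clientca
    issue_client_cert ./clientca phone1
    verify_client_cert ./clientca ./clientca/phone1.crt && echo "phone1 cert verifies"
    apache_mtls_config /etc/ssl/private/clientca.crt
fi
```

Only the .p12 bundle goes to a phone; ca.key stays on the Pi, and a lost phone is handled by issuing a new cert and removing the old one from the CA's records (for a family-sized CA, keeping the issued .crt files and, if needed, a CRL via SSLCARevocationFile is enough).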
Step 1. Open Terminal Window and Login
Step 3. Install certbot
Let's Encrypt is a Certificate Authority providing free TLS certificates. The following commands install certbot, which manages the certs, and its Apache plugin, which lets certbot configure Apache to use a Let's Encrypt cert:
$ sudo apt-get install python-certbot-apache -y
$ sudo apt-get install certbot -y
Step 4. Dynamic DNS
Let's Encrypt requires a DNS name, not an IP address, to generate a cert, and only some Dynamic DNS providers work with it.
See this step to create a Dynamic DNS name. From this step, record the following:
♣dynamic-dns-name♣
Step 5. Run certbot and create cert
On the Raspberry Pi run:
$ sudo certbot --apache
and when queried, respond with:
♣dynamic-dns-name♣.duckdns.org
Choose option 2 (redirect all HTTP requests to HTTPS)
Step 8. Automatically renew cert - this seems to be installed already by the certbot package; see /etc/cron.d/certbot
Let's Encrypt certs expire after 90 days.
Add this to the root crontab:
sudo crontab -e
# renew cert (every Saturday at 03:00; a * in the minute field would run this every minute of that hour) and restart apache2
0 3 * * 6 certbot renew && systemctl restart apache2.service
Test if the cert can be renewed:
sudo certbot renew --dry-run
To obtain a cert for the name without changing the Apache config:
sudo certbot certonly -d ♣dynamic-dns-name♣.duckdns.org
Crontab installed by the certbot package to renew the cert:
/etc/cron.d/certbot
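The failure mode to watch for with automatic renewal is a cron job that silently stops working (package upgrade, Apache plugin broken, DNS name no longer resolving) and is only noticed when the cert expires. The check below is an added example, not part of the original guide; it needs the openssl command-line tool. Let's Encrypt certs last 90 days and certbot's default is to renew when fewer than 30 days remain, so a deployed cert with fewer than 20 days left (a threshold assumed here) means renewal has not been happening. The certificate path in the demo is the one certbot reports, with this guide's ♣dynamic-dns-name♣ placeholder; /var/log/letsencrypt/letsencrypt.log is certbot's default log location.

```shell
#!/bin/sh
# Added example, not part of the original guide: a check that catches the
# case where automatic renewal has silently stopped. Needs the openssl
# command-line tool. Thresholds: 30 days is certbot's default renewal
# window; 20 days is an assumed alarm level for "renewal is not working".
set -eu

# Print the notAfter date of the certificate in file $1.
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 (true) when the certificate in $1 expires within $2 days, or has
# already expired. openssl's -checkend exits 0 only if the cert is still
# valid that many seconds from now, so the result is inverted here.
expires_within_days() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Classify the deployed cert:
#   ok    - outside certbot's window, nothing to do yet
#   due   - inside the 30-day window, the next cron run should renew it
#   stale - under 20 days left, renewal is not working, investigate now
renewal_status() {
    cert="$1"
    if expires_within_days "$cert" 20; then
        echo stale
    elif expires_within_days "$cert" 30; then
        echo due
    else
        echo ok
    fi
}

# Demo for a cron job or a manual check, e.g.
#   sh checkrenew.sh /etc/letsencrypt/live/♣dynamic-dns-name♣.duckdns.org/fullchain.pem
if [ -n "${1:-}" ]; then
    echo "$1 expires $(cert_expiry "$1")"
    status=$(renewal_status "$1")
    echo "renewal status: $status"
    if [ "$status" = stale ]; then
        echo "renewal is overdue: check /var/log/letsencrypt/letsencrypt.log and run: sudo certbot renew --dry-run" >&2
        exit 1
    fi
fi
```

Run from a second cron entry (daily is plenty) with output mailed or logged, this turns a silent renewal failure into a message that arrives while there are still weeks left to fix it.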
Notes (from certbot's output):
Your certificate and chain have been saved at:
/etc/letsencrypt/live/♣dynamic-dns-name♣.duckdns.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/♣dynamic-dns-name♣.duckdns.org/privkey.pem
Other useful information about certificates:
PiMyLifeUp Raspberry Pi SSL Certificates using Let’s Encrypt