Proper SSL using

Now that entered public beta, I took the opportunity to use their fantastic service and deploy a new site certificate for and the other sites hosted on this platform.

The letsencrypt client was a bit confusing first but after I understood what the ACME protocol actually means, I saw the entire beauty behind this solution. So I did a quick review of the code in Github and shortly after I requested the first certificate. As I already have an Apache server running and don’t need the embedded web server stuff provided by the letsencrypt client, I only use the CSR and certificate download part of the client.

After a while I figured out how to request proper alternate subject names as well and was finally able to secure all the services running on with only a single certificate deployed to my Apache.

To request/renew a certificate for different hosts/domains, you basically just do:

letsencrypt-auto certonly \
--webroot \
--renew-by-default \
-w /home/to/htdocs/ \
-d \
-d \
-d \
-w /home/to/htdocs/anothersite/ \
-d \

I also took the chance to improve the SSL configuration of my Apache web server considering recommendations from SSLLabs

After an upgrade to Apache 2.4.18, generating a proper DH parameter file and append it to the letsencrypt certificate chain, SSLLabs rates us with an A+.


Apache 2.4 SSL configuration (ssl-global.conf) 

# Added dhparams to fullchain.pem
# If you have different certificates per vhost, 
# add these to your vhost config instead
SSLCertificateFile /etc/letsencrypt/live/xxxx/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxx/privkey.pem

SSLHonorCipherOrder     on

SSLProtocol All -SSLv2 -SSLv3


SNI enabled virtual host configuration

<VirtualHost *:443>
  SSLEngine On

  # Strict Transport Security per virtual host
  <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

Rolf Klemenz