This is an extra guide in addition to our guide on configuring an Ubuntu server to run Apache2, PHP and MySQL. Instead of Let's Encrypt, we are using a paid DV SSL/TLS certificate. Since 1 September 2020 the CA/Browser Forum has capped the validity of publicly trusted SSL/TLS certificates at 398 days, roughly one year (read the PDF here); the shorter lifetime limits how long a leaked key or a mis-issued certificate can be abused. So even if a webmaster buys a certificate for 2-5 years, the CA issues it one year at a time and the annual reissue cannot be skipped. This yearly work is a burden for webmasters of unmanaged servers. This article aims to make the workflow smooth and error-free.
We take it for granted that your site configuration files are kept at:
/etc/apache2/sites-available
and the SSL certificates are kept at:
/etc/ssl/private
If you have followed our guides to install and configure WordPress, then your Apache2 site configuration file will have lines like these:
...
SSLCertificateFile /etc/ssl/private/public2022.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/private/intermediate2022.crt
...
SSLCertificateChainFile has been deprecated since Apache 2.4.8 but is still honoured; the alternative is to append the intermediate certificate to the file named in SSLCertificateFile. Either way, the intermediate must be served, or browsers that do not already have it cached will show a chain error.
Step one : Click to start the renewal process in browser
This should be the first step every year when you renew the certificate. We suggest starting the process at least a week before the expiration. You will receive one email to confirm/allow the renewal/reissue, and another email will carry three certificates in .crt format: one for your domain, one intermediate certificate and the root certificate. We will not need the third (root) certificate, because browsers already trust the root from their own store.
You cannot complete the order until you reach the next step, since you will need the .csr file again. In a commercial setup, generating a new private key and a new CSR for every renewal is the right practice. For an ordinary low-risk personal website many webmasters re-use the old private key and the old CSR. Remember that security experts do not recommend this: if the key was ever copied without your knowledge, the copy stays valid for as long as you keep certifying it, and rotating the key is the only thing that ends that exposure. If you accept that trade-off, you are simply copy-pasting the old .csr file into the order form to obtain the new certificate.
Step two : SSH and navigate to the location of the SSL certificate files
cd to the location where you have kept your SSL certificates:
cd /etc/ssl/private/
Keep the old and new certificates in a meaningful, organized manner in this directory. I usually keep the certificates in this way:
4096 Oct  2 08:05 .
4096 Nov 25  2018 ..
1102 Aug  5  2018 2018.csr
 769 May 28  2017 dhparams_4096.pem
1724 Jun  7  2017 inter.crt
1692 Aug  5  2018 intermediate2018.crt
1688 Sep  3  2018 intermediate2020.crt
1903 Sep  5  2020 intermediate2021.crt
1905 Oct  2 08:05 intermediate2022.crt
1733 May 28  2017 intermediate.crt
1724 Jun  7  2017 inter.pem
1704 May 28  2017 private.key
2097 Aug  5  2018 public2018.crt
2253 Sep  3  2018 public2020.crt
2229 Sep  5  2020 public2021.crt
2376 Oct  2 08:04 public2022.crt
2270 May 28  2017 public.crt
1444 Jun  7  2017 root.crt
3168 Jun  7  2017 root-intermediate.crt
3168 Jun  7  2017 root-intermediate.pem
1444 Jun  7  2017 root.pem
1704 May 28  2017 ssl-cert-snakeoil.key
5030 Aug  5  2018 test-intermediate.pem
Step three : Create empty files and paste the content of each certificate
If you are using Microsoft Windows with Ubuntu Bash (WSL) to SSH to the server, you can simply copy the content of each certificate from the browser or email and paste it into the editor on the SSH screen. Paste the whole block including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, with no stray spaces or blank lines around it, and save the file. Files created this way as root are world-readable (mode 644), which is fine for certificates; only private.key needs to stay at mode 600.
nano public2023.crt
# paste the content
nano intermediate2023.crt
# paste the content
Step four : Edit the Apache2 configuration file
You have to edit the file names in the site configuration file; in our example the configuration files are located at /etc/apache2/sites-available. You need to change only two lines, the certificate and the chain file. You do not need to change the private key line, because we re-used the old key:
...
SSLCertificateFile /etc/ssl/private/public2023.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/private/intermediate2023.crt
...
Run a config test (it also checks that the certificate and key files exist and match):
apachectl -t
and restart Apache (a reload would also be enough, since Apache only re-reads the certificate files when it starts or reloads):
service apache2 restart
A reboot is not required: the operating system does not cache the certificate files, so the restart above already serves the new certificate. Reboot only if you want to confirm that Apache comes up cleanly with the new configuration after a cold start:
reboot
Remember to repeat the configuration change for your www sub-domain as well if, like us, you serve the naked domain and www from separate virtual host files; a forgotten second file will keep serving the old certificate until it expires.
Step five : Test
Load your website and check the expiry date in the browser. Then check the certificate chain for both the naked domain and www, and formally run a full test with one or more of these services:
https://www.geocerts.com/ssl-checker
https://www.thesslstore.com/ssltools/ssl-checker.php
https://www.sslshopper.com/ssl-checker.html
https://observatory.mozilla.org/
https://gf.dev/tls-scanner
https://www.wormly.com/test_ssl
https://www.ssllabs.com/ssltest/
https://tls.imirhil.fr/
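The checks that Steps two to five do by hand (does the new certificate belong to private.key, does it chain through the new intermediate, does it cover both hostnames, has the vhost been pointed at the new files, does the server really present it) can be scripted so that a mistake is caught before Apache is restarted. The script below is an added example and is not part of the original article or of any tool it mentions. It follows the article's layout (/etc/ssl/private/public<YEAR>.crt, intermediate<YEAR>.crt and an unchanged private.key); the script name, the vhost path in the usage line and the 2023 file names are assumptions.

```bash
#!/bin/bash
# check-new-cert.sh (assumed name): pre-flight checks for a renewed certificate.
# Added example, not code from the original article. Assumes the article's
# file layout under /etc/ssl/private and an Apache vhost in sites-available.
set -u

SSL_DIR="${SSL_DIR:-/etc/ssl/private}"

# 0 when the certificate carries the public key that belongs to the private key.
# Both commands print the same PEM SubjectPublicKeyInfo, so a plain string compare
# works for RSA and EC keys alike. A mismatch is the classic "pasted the wrong
# file" error that makes Apache refuse to start.
cert_matches_key() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the leaf chains through the intermediate to a trusted root. Without a
# third argument the system trust store is used (what browsers effectively do);
# pass the CA's root file to pin the expected root instead.
chain_verifies() {
  local cert="$1" intermediate="$2" root="${3:-}"
  if [ -n "$root" ]; then
    openssl verify -CAfile "$root" -untrusted "$intermediate" "$cert" >/dev/null 2>&1
  else
    openssl verify -untrusted "$intermediate" "$cert" >/dev/null 2>&1
  fi
}

# 0 when the certificate stays valid for at least DAYS more days (default 7).
not_expiring_within_days() {
  local cert="$1" days="${2:-7}"
  openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# 0 when every hostname given after the certificate appears in subjectAltName.
# Exact names only; a wildcard entry is not expanded.
covers_hosts() {
  local cert="$1" san h
  shift
  [ "$#" -gt 0 ] || return 1
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | tr -d ' \n')
  san="${san},"
  for h in "$@"; do
    case "$san" in
      *"DNS:${h},"*) ;;
      *) return 1 ;;
    esac
  done
}

# Point the two certificate lines of a vhost file at the new year's files.
# The SSLCertificateKeyFile line is left untouched.
update_vhost_paths() {
  local vhost="$1" year="$2"
  sed -i -E \
    -e "s#(SSLCertificateFile[[:space:]]+${SSL_DIR}/public)[0-9]{4}\.crt#\1${year}.crt#" \
    -e "s#(SSLCertificateChainFile[[:space:]]+${SSL_DIR}/intermediate)[0-9]{4}\.crt#\1${year}.crt#" \
    "$vhost"
}

# After the reload: compare the SHA-256 fingerprint the server presents for HOST
# with the file on disk, so a forgotten second vhost (e.g. www) shows up at once.
served_cert_matches_file() {
  local host="$1" cert="$2" served local_fp
  served=$(openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
  local_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ -n "$served" ] && [ "$served" = "$local_fp" ]
}

# Usage: check-new-cert.sh YEAR VHOST_FILE HOST [HOST...]
#   e.g. check-new-cert.sh 2023 /etc/apache2/sites-available/example.conf example.com www.example.com
main() {
  local year="$1" vhost="$2" h
  shift 2
  local cert="$SSL_DIR/public${year}.crt" inter="$SSL_DIR/intermediate${year}.crt" key="$SSL_DIR/private.key"
  cert_matches_key "$cert" "$key"      || { echo "FAIL: $cert does not match $key" >&2; return 1; }
  chain_verifies "$cert" "$inter"      || { echo "FAIL: $cert does not chain via $inter" >&2; return 1; }
  not_expiring_within_days "$cert" 300 || { echo "FAIL: $cert expires in under 300 days; is it the new one?" >&2; return 1; }
  covers_hosts "$cert" "$@"            || { echo "FAIL: $cert does not cover all of: $*" >&2; return 1; }
  update_vhost_paths "$vhost" "$year"
  apachectl -t && systemctl reload apache2 || return 1
  for h in "$@"; do
    served_cert_matches_file "$h" "$cert" || echo "WARN: $h still serves a different certificate" >&2
  done
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it once per vhost file, listing every hostname that file serves; the final loop is what catches the second (www) configuration the article warns about. The 300-day threshold is deliberate: a freshly issued one-year certificate always passes it, while accidentally pointing at last year's file does not.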
You have to do this every year, so if you have not kept things organized, make them easy to remember now: consistent file names, a calendar reminder a few weeks before expiry, and a written note of where the CSR lives.