Joe Barrett - Feb. 3, 2017, 12:22 a.m.
Assuming that you are already running a Django app with Apache and mod_wsgi, this is a quick little tutorial on how to set up a free SSL with Let's Encrypt.
Hop in to your server, in this example I will be using SSH.
$ ssh your_server_address
Next, you want to update your software packages:
$ sudo apt-get update && sudo apt-get upgrade
If Apache is not yet installed:
$ sudo apt-get install apache2
SSL module activation on Ubuntu is nice and straightforward:
$ sudo a2enmod ssl $ sudo a2ensite default-ssl.conf $ sudo service apache2 restart
Visitors can now access your domain name via HTTPS protocol. BUT, because your server self-signed certificate is not issued by a trusted certificate authority an error alert would be displayed on their browsers.
https://example.com
Now, we are going to install the free Let's Encrypt client. If you don't already have git installed:
$ sudo apt-get install git
Next, choose a directory where you want to clone the Let's Encrypt git repository. In this tutorial we will use /usr/local/ directory as the installation path for Let's Encrypt.
$ cd /usr/local $ sudo git clone https://github.com/letsencrypt/letsencrypt
Now we are going to generate your free SSL cert for Apache:
$ cd /usr/local/letsencrypt $ sudo ./letsencrypt-auto --apache -d example.com -d www.example.com
Agree the license, enter an email address for recovery and choose whether clients can browse your domain using both HTTP protocols (secure and insecure) or redirect all non-secure requests to HTTPS. After the installation process finishes successfully a congratulation message is displayed on your console informing you about the expiration date and how you can test the configuration.
Now you should be able to find your certificate files at /etc/letsencrypt/live directory with a simple directory listing.
You can now verify the status of your cert here, changing the link to include your domain:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
By default, SSL certs issued by Let's Encrypt are only valid for 90 days. In order to renew the certificate before the expiration date you must manually run the client again using the exact flags and parameters as earlier.
$ sudo ./letsencrypt-auto --apache -d example.com -d www.example.com
The certificate renewal process can be automated to run in less than 30 days before the expiration date by using Linux schedule cron daemon.
$ sudo crontab -e
Add the following command at the end of the crontab file using one line only:
0 1 1 */2 * cd /usr/local/letsencrypt && ./letsencrypt-auto certonly --apache --renew-by-default --apache -d example.com -d www.example.com >> /var/log/example.com-renew.log 2>&1
At this point, you may notice that your https domain is only listing out your folder structure. In order to fix this issue, we need to move your :80 virtualhost settings over to your :443 settings.
$ cd /etc/apache2/sites-available $ sudo vi 000-default.conf
Your .conf file should look something like this:
Alias /static /var/www/html/static
<Directory /var/www/html/static>
Require all granted
</Directory>
Alias /uploads /var/www/html/uploads
<Directory /var/www/html/uploads>
Require all granted
</Directory>
<Directory /var/www/html/app_name>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIDaemonProcess app_name python-path=/var/www/html:/var/www/html/virtualenv/lib/python2.7/site-packages
WSGIProcessGroup app_name
WSGIScriptAlias / /var/www/html/app_name/wsgi.py
You just want to remove this from 000-default.conf and place it into your default-ssl.conf:
$ sudo vi /etc/apache2/sites-available/default-ssl.conf
Once you your django wsgi settings all moved over to your ssl conf, you need to make sure they are removed from your 000-default.conf. I reccomend using the following for your default conf. This will allow the automatic redirect from http to https.
<VirtualHost *:80>
ServerAdmin webmaster@example.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# This is optional, in case you want to redirect people
# from http to https automatically.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com
RewriteRule ^(.*)$ https://www.example.com$1 [R=permanent,L]
RewriteCond %{HTTP_HOST} ^www\.example\.com
RewriteRule ^(.*)$ https://www.example.com$1 [R=permanent,L]
</VirtualHost>
Last but not least you will want to restart your apache server to take all the new changes:
$ sudo service apache2 restart
Now check your site again, without including https off the bat - it should redirect directly to https - and you are now secure!