The prologue


Most of the articles, descriptions and instructions written here are applicable to the most common Debian-based Linux derivatives. Depending on the respective operating system, there may be minor or major discrepancies.
This website is for educational purposes only. Please do not deploy anything in manufacturing plants.
No warranty or compensation is given for loss of data or hardware.

It should also be mentioned that this modest web server is hosted on a Raspberry Pi type 4B at home.


The Raspberry Pi mini-computer board deployed as a multi-purpose server
A competent all-rounder for domestic purposes and micro-enterprises


Raspberry Pi : Apache as multiple web server. Print server, scan server, backup and NAS server.

Raspberry Pi is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. The mini-computer with its armv7l processor has quickly become the favourite of hobbyists. Projects can be started with suitable Linux distributions. Even an aged RasPi, e.g. the models 2B and 2B+, can still handle simple tasks quite well.


LetsEncrypt still cannot renew HTTPS certificates via HTTPS, and continues to require port 80.
That is one special reason to keep port 80 open for now.


How to create and manage LetsEncrypt SSL / TLS certificates with »certbot«
Prologue and requirements


LetsEncrypt is an automated and open certificate authority (CA) run by the Internet Security Research Group (ISRG) and founded by the Electronic Frontier Foundation (EFF), the Mozilla Foundation and others. It provides free SSL/TLS certificates commonly used to encrypt communications for security and privacy purposes, the most notable use case being HTTPS.


In this scenario, it is assumed that an Apache v2.4+ web server is already in use on port 80 and that the user has his own internet domain.


That means a registered domain name with an »A record« (https://dnslytics.com/domain/dosboot.org) that points to your dynamic or static IPv4 address. As an example, »yourdomain.tld« is used. Furthermore, you need access to a privileged shell (as a sudo user in a terminal over SSH) within your home LAN / WLAN mesh network between client and host, using PuTTY, Tilix or whatever client you prefer.


Port settings in the LAN / WLAN mesh for the router or modem : open the ports for 80/TCP (http) and 443/TCP (https). Unfortunately, I cannot give any instructions here, as there are too many different models of modems and routers worldwide.


»Uncomplicated Firewall« (ufw) : If applicable, run these commands to allow all incoming http (port 80) and https (port 443) connections.


user@raspberry:~ $ sudo su
root@raspberry:~# ufw allow 80/tcp
root@raspberry:~# ufw allow 443/tcp
root@raspberry:~# ufw reload


Create a folder named ».well-known« under »/var/www/html«


root@raspberry:~# cd /var/www/html
root@raspberry:/var/www/html# mkdir .well-known


Install the »snapd« package from the official Linux repositories


This is the way recommended by LetsEncrypt to install »certbot«. If this has not been done before, »snapd« can be installed from the command line. Reboot your system afterwards to ensure snap's paths are updated correctly.


user@raspberry:~ $ sudo su
root@raspberry:~#


root@raspberry:~# apt install snapd


After a reboot :


root@raspberry:~# echo $PATH


        /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	

The $PATH output lists its entries separated by »:«.
If it has more entries than the above, then it is probably OK.


Install »certbot« for Linux from the official »Snap Store«
The preferred installation routine


root@raspberry:~# snap install certbot --classic


That's it for the first time. https://snapcraft.io/certbot

The »certbot« is now installed and ready to do its business.


Prepare the »certbot« while the web server is running on port 80/TCP


Execute the following instruction in the terminal to ensure that the certbot command can be run. If you have a web server that is already using port 80/TCP and you don't want to stop it while »certbot« runs, run the second command and follow the instructions in the terminal.


root@raspberry:~# ln -s /snap/bin/certbot /usr/bin/certbot


        ln: failed to create symbolic link '/usr/bin/certbot': File exists
	

For the certificate, use your personal »yourdomain.tld« without the »www«.


root@raspberry:~# certbot certonly --webroot


Enable the Apache modules »SSL«, »headers«, »rewrite«
»SEO« | »Search Engine Optimization« with SSL and HTTP/2


root@raspberry:~# a2enmod ssl
root@raspberry:~# a2enmod headers
root@raspberry:~# a2enmod rewrite
root@raspberry:~# a2enmod http2


Test the new configuration and afterwards restart the server.


root@raspberry:~# apache2ctl configtest
root@raspberry:~# systemctl restart apache2


        Syntax OK
	

Check the configured settings for the ports 80/TCP and 443/TCP


root@raspberry:~# cd /etc/apache2/sites-available
root@raspberry:/etc/apache2/sites-available# a2ensite *


        Site 000-default already enabled
        Site 000-default-le-ssl already enabled
        Site default-ssl already enabled
	

root@raspberry:~# apache2ctl -M


        ...
        headers_module (shared)
        http_module (static)
        http2_module (shared)
        ...
        rewrite_module (shared)
        ...
        ssl_module (shared)
        ...
	

Enable either or both »TLS 1.1« and »TLS 1.2«


About »a2enmod http2«.


root@raspberry:~# a2enmod http2


Hypertext Transfer Protocol version 2 (HTTP/2) is the latest version of the HTTP protocol, published as an IETF standard in RFC 7540 in 2015. The focus of the protocol is on performance, especially end-user perceived latency, network and server resource usage. A key objective is to enable the use of a single connection from browsers to a website.


If you desire to enable either or both »TLS 1.1« and »TLS 1.2« on your web server, configure your »virtualhost« section as demonstrated below. The benefits of »HTTP/2« are page load speed improvements and request pipelining.


root@raspberry:~# nano /etc/apache2/sites-available/default-ssl.conf


        ...
        SSLEngine on
        Protocols http/1.1 h2 h2c
        ...
	

root@raspberry:~# apache2ctl configtest


        Syntax OK
	

root@raspberry:~# systemctl restart apache2

Troubleshooting


Change that snippet in /etc/apache2/sites-available/000-default.conf, or add it if you do not have it yet,


from Protocols h2 http/1.1 to Protocols h2 h2c http/1.1


root@raspberry:~# nano /etc/apache2/sites-available/000-default.conf


root@raspberry:~# systemctl restart apache2
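
Added example, not part of the original page: a small shell helper that lists, for every »VirtualHost« in a config file, the HTTP versions set by »Protocols« next to the TLS versions set by the separate »SSLProtocol« directive. In »Protocols«, h2 means HTTP/2 over TLS and h2c means HTTP/2 over cleartext TCP. The function names and the sample config (including its »SSLProtocol« line) are constructed for illustration.

```shell
#!/bin/sh
# vhost_protocols FILE -> one line per <VirtualHost>:
#   <address> ssl=<on|off> http=<Protocols tokens|default> tls=<SSLProtocol tokens|default>
vhost_protocols() {
    awk '
    function join_from(start,   i, s) {        # join fields start..NF with commas
        s = ""
        for (i = start; i <= NF; i++) s = s (s == "" ? "" : ",") $i
        return s
    }
    /^[ \t]*#/ { next }                         # skip comment lines
    { key = tolower($1) }                       # Apache directives are case-insensitive
    key == "<virtualhost" {                     # e.g. <VirtualHost *:443>
        addr = $2; sub(/>$/, "", addr)
        ssl = "off"; http = "default"; tls = "default"; inside = 1
        next
    }
    inside && key == "sslengine"   { ssl = tolower($2) }
    inside && key == "protocols"   { http = join_from(2) }   # HTTP versions
    inside && key == "sslprotocol" { tls = join_from(2) }    # TLS versions
    inside && key == "</virtualhost>" {
        printf "%s ssl=%s http=%s tls=%s\n", addr, ssl, http, tls
        inside = 0
    }' "$1"
}

# Constructed sample config (illustrative values, not the author's files).
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    Protocols h2 h2c http/1.1
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    # HTTP versions offered to clients:
    Protocols http/1.1 h2 h2c
    # TLS versions are a separate directive:
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
}

# Run on a file given as argument, otherwise on the constructed sample.
if [ $# -ge 1 ]; then vhost_protocols "$1"; else
    t=$(mktemp); write_sample_conf "$t"; vhost_protocols "$t"; rm -f "$t"
fi
```

A vhost that reports tls=default has no »SSLProtocol« line of its own and inherits the TLS versions from the server-wide configuration.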


Confirm that »certbot« has functioned properly


To confirm that your site is set up properly and is functional, type https://yourdomain.tld in your browser's URL bar and look for the lock icon in the upper left corner.


Raspberry Pi as simple https web server at port 443


How to renew the SSL / TLS certificate issued by LetsEncrypt?


Your SSL certificate has a lifetime of 90 days.

Note that »certbot« will renew your certificate after 60 days. That leaves a sufficient gap of 30 days.


root@raspberry:~# systemctl list-timers


        NEXT                          LEFT          LAST
        Wed 2021-05-19 01:21:00 CEST  5h 57min left Tue 2021-05-18 16:53:00 CEST

        PASSED       UNIT                         ACTIVATES
        2h 30min ago snap.certbot.renew.timer     snap.certbot.renew.service
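
Added example, not part of the original page: a check that classifies a certificate file against the 90-day lifetime and 30-day renewal gap described above, so a silently failing renew timer is noticed before the certificate expires. It assumes the »openssl« command line tool is installed; the function names are hypothetical and the sample certificates are self-signed and constructed for the demonstration.

```shell
#!/bin/sh
RENEW_WINDOW_DAYS=30   # from the text above: renewal after 60 of the 90 days

# cert_renewal_state PEM -> ok | renewal-overdue | expired | unreadable
cert_renewal_state() {
    pem=$1
    # Parse only; a failure means the file is not a readable certificate.
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$((RENEW_WINDOW_DAYS * 86400))" \
            -in "$pem" >/dev/null 2>&1; then
        echo renewal-overdue     # the renew timer should already have replaced it
    else
        echo ok
    fi
}

# Constructed demo input: a self-signed certificate valid for DAYS days.
make_sample_cert() {   # make_sample_cert DAYS OUT_PEM
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=yourdomain.tld" -keyout "$key" -out "$2" >/dev/null 2>&1
    rc=$?; rm -f "$key"; return $rc
}

# Classify the file given as argument, otherwise two constructed samples.
if [ $# -ge 1 ]; then
    cert_renewal_state "$1"
else
    d=$(mktemp -d)
    make_sample_cert 90 "$d/fresh.pem" && echo "fresh: $(cert_renewal_state "$d/fresh.pem")"
    make_sample_cert 10 "$d/stale.pem" && echo "stale: $(cert_renewal_state "$d/stale.pem")"
    rm -rf "$d"
fi
```

To check the live certificate, pass the certificate file that »certbot« wrote; by default it is kept under /etc/letsencrypt/live/yourdomain.tld/.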
	

How to keep the »certbot« application up to date?


Quite simple.


root@raspberry:~# snap refresh
root@raspberry:~# snap list


        Name     Version   Rev    Tracking       Publisher     Notes
        certbot  1.15.0    1149   latest/stable  certbot-eff✓  classic
        core     16-2.50   11085  latest/stable  canonical✓    core
        core20   20210319  976    latest/stable  canonical✓    base
	

14-May 2021
Updated 29-May 2021


dosboot.org 2024 | Design and layout handmade in Northwest Europe