Update ( Nov 9, 2016): added more information on preparing the /var/www/letsencrypt directory and rearranged assumptions into a numbered list.
Assumptions
My assumptions are as follows:
1. This is a Plone site that is fronted by Apache using a ProxyPass-style RewriteRule (the [P] proxy flag, which needs mod_rewrite, mod_proxy and mod_proxy_http).
2. The site is located at the root of your Zope application server and it is called "Plone", so localhost:8080/Plone.
3. You're using letsencrypt with certbot to generate SSL certificates.
4. Your .well-known folder (used by letsencrypt for the HTTP challenge) will be located at /var/www/letsencrypt.
Before you start, create the /var/www/letsencrypt directory
The following commands work on Debian/Ubuntu type servers:
sudo mkdir -p /var/www/letsencrypt
sudo chown www-data:www-data /var/www/letsencrypt
If you're on RedHat or CentOS you'll want to change the owner (chown) to 'apache' or 'nobody'. Apache also has to be allowed to read the directory: Debian's default apache2.conf already grants access to everything under /var/www/, but if you put the folder elsewhere you need a matching <Directory> block with "Require all granted" (Apache 2.4). Certbot itself runs as root (via sudo) when it writes the challenge files, so the web server user only needs read access.
The implementation
With these things in place I found that I needed to precede my standard Plone rewrite rules with a rewrite rule that serves the contents of the letsencrypt .well-known folder from disk. Without it the catch-all rule proxies the ACME challenge request to Zope, which knows nothing about it, and validation fails. In the examples below my site is running on port 8080; this may be different for you. Add the first rule of each pair (in both the port 80 and the port 443 virtual hosts) so that you can successfully request an SSL certificate via letsencrypt over http:
# port 80 VirtualHost (RewriteEngine On must already be set)
RewriteRule ^/\.well-known/(.*) /var/www/letsencrypt/.well-known/$1 [L]
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [L,P]
# port 443 VirtualHost
RewriteRule ^/\.well-known/(.*) /var/www/letsencrypt/.well-known/$1 [L]
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [L,P]
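Before spending a real request against the Let's Encrypt rate limit, it is worth checking that the .well-known rule really serves the challenge directory from disk rather than proxying into Zope. The pre-flight script below is an added example (not from the original post and not part of certbot): it writes a random token file under the webroot, fetches it through the front-end web server the way the ACME validation server will, and compares the body byte for byte. The webroot /var/www/letsencrypt and the site URL are assumed command-line arguments; run with no arguments it checks itself against a throw-away local HTTP server, so no Apache is needed to try it.

```python
#!/usr/bin/env python3
"""Pre-flight check for the letsencrypt webroot (HTTP-01) challenge path.

Added example, not certbot code. A byte-for-byte match means the
/.well-known/ RewriteRule serves the directory from disk. Anything else
(typically a Plone 404 page, because the catch-all rule proxied the request
to Zope) means the rule order or directory permissions are wrong and a real
certbot run would fail. Webroot and base URL are assumed CLI arguments.
"""
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"


def challenge_url(base_url, token):
    """URL the ACME validation server will request for this token."""
    return "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, token)


def write_challenge(webroot):
    """Drop a random token file where certbot --webroot -w <webroot> would.

    Returns (token, expected_body, path). The file is world-readable because
    Apache (www-data) must read what root (certbot under sudo) wrote.
    """
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32)
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o644)
    return token, body, path


def fetch_challenge(base_url, token, timeout=10):
    """GET the challenge URL directly (no proxy); return (status, body) even on HTTP errors."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(challenge_url(base_url, token),
                                 headers={"User-Agent": "acme-preflight/1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def preflight(webroot, base_url):
    """True iff the front-end serves the token file exactly as written."""
    token, body, path = write_challenge(webroot)
    try:
        status, got = fetch_challenge(base_url, token)
    finally:
        os.remove(path)  # never leave stale tokens in a public directory
    return status == 200 and got == body


def self_test():
    """Run the same check against a throw-away local HTTP server (no Apache needed)."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = partial(SimpleHTTPRequestHandler, directory=webroot)
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            base = "http://127.0.0.1:%d" % srv.server_address[1]
            good = preflight(webroot, base)
            # A token that was never written must not come back as 200.
            status, _ = fetch_challenge(base, "no-such-token")
            return good and status == 404
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    # usage: sudo python3 acme_preflight.py /var/www/letsencrypt http://myproject.example.com
    if len(sys.argv) == 3:
        ok = preflight(sys.argv[1], sys.argv[2])
    else:
        ok = self_test()
    print("challenge path OK" if ok else
          "challenge path FAILED: check RewriteRule order and directory permissions")
    sys.exit(0 if ok else 1)
```

Run it as root (the webroot belongs to www-data) once the rewrite rules are in place and before requesting the certificate. If the body that comes back is an HTML page rather than the token, the catch-all proxy rule fired first.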
Installing a certificate
Assuming you've done everything above, you can install a certificate from letsencrypt with the following instructions:
Step 1 - Install Certbot
The part of the documentation that I read was silent about where to put the certbot-auto script. I decided to install certbot-auto in /usr/local/sbin; this means that it is in the system path and can be run as a command by itself, which is nicer than needing to be in the folder when running the script. Since the script will be run as root, it is worth verifying the detached PGP signature that the EFF publishes alongside it (certbot-auto.asc) before making it executable.
cd /usr/local/sbin/
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto
Step 2 - Request a certificate against /var/www/letsencrypt
Now you can easily request a certificate. Note the use of --webroot in the command below; this ensures that the challenge information is added to the /var/www/letsencrypt folder. Also, I precede the command with sudo because installation of the actual certificates (under /etc/letsencrypt) requires admin privileges.
sudo certbot-auto certonly --webroot -w /var/www/letsencrypt -d myproject.example.com
Expected response
If everything was done properly you'll get a message like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myproject.example.com/fullchain.pem.
Your cert will expire on 2016-11-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
Step 3 - Configuring auto-renewal of certificates
Once set up properly, the auto-renewal steps that I took were near identical to the documentation. I first tested to see that an auto-renewal would work without issue:
certbot-auto renew --dry-run
Once the dry run was successful I added a renewal command as a cronjob using the crontab -e command:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
@monthly certbot-auto renew --quiet --no-self-upgrade
Two caveats: Let's Encrypt certificates are valid for 90 days and certbot only renews those within 30 days of expiry, so a monthly job gets roughly one attempt per certificate; running the job daily (the certbot documentation suggests twice a day) leaves room for a failed attempt to be retried. And Apache keeps serving the old certificate until it is reloaded, so a reload has to follow a successful renewal, for example through certbot's post-renewal hook options.
1 comment:
Your post is very useful, but I suppose it's better to add some information about the configuration of the virtual host when in SSL.
BLABLABLA....your previous conf
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/myproject.example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/myproject.example.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myproject.example.com/privkey.pem