Setting Up TLS/SSL on a Debian VPS

I am making this page because this process was fucking insane and took me like 2 weeks to figure out.
I wanted to run a VPS to host a website and thought it would be easy. It's not, lol.

SO... assuming you have just set up a new Debian VPS with apache2
and have figured out your DNS to point a domain to your server....

Turn apache2 off while you do this stuff. The --standalone mode used below starts its own temporary web server on port 80 for the Let's Encrypt validation, and it can't bind that port while apache2 is holding it.

Install the following:
sudo apt install -y zip unzip curl wget git socat

Now install acme.sh. YOU MUST MODIFY THIS to include your account email!!!
sudo mkdir /etc/letsencrypt
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
sudo ./acme.sh --install --home /etc/letsencrypt --accountemail your_email@example.com
cd ~
source ~/.bashrc

Now you can get certificates, both RSA and ECDSA. REPLACE EXAMPLE.COM WITH YOUR DOMAIN:
sudo /etc/letsencrypt/acme.sh --issue --standalone -d example.com --ocsp-must-staple --keylength 2048
sudo /etc/letsencrypt/acme.sh --issue --standalone -d example.com --ocsp-must-staple --keylength ec-256

After you have your certs and keys, make directories to put them in:
sudo mkdir -p /etc/letsencrypt/example.com
sudo mkdir -p /etc/letsencrypt/example.com_ecc

And then install and copy them (again, in these commands replace EXAMPLE.COM with your domain!!):
sudo /etc/letsencrypt/acme.sh --install-cert -d example.com --cert-file /etc/letsencrypt/example.com/cert.pem --key-file /etc/letsencrypt/example.com/private.key --fullchain-file /etc/letsencrypt/example.com/fullchain.pem
sudo /etc/letsencrypt/acme.sh --install-cert -d example.com --ecc --cert-file /etc/letsencrypt/example.com_ecc/cert.pem --key-file /etc/letsencrypt/example.com_ecc/private.key --fullchain-file /etc/letsencrypt/example.com_ecc/fullchain.pem
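Before handing these files to Apache it is worth checking that they are what you think they are. The script below is an added example, not part of the original page and not acme.sh's own code. It assumes the directory layout used above (a directory per cert holding fullchain.pem and private.key) and the openssl and GNU stat commands that ship with Debian. It checks three things per directory: that the cert carries the Must-Staple extension that --ocsp-must-staple asked for, that private.key really belongs to that cert (works for RSA and EC), and that the key is not readable by other users. Run it with --demo to try it on a throwaway self-signed cert, or pass the real directories as root.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check acme.sh's installed
# files before pointing Apache at them. Real paths are passed as arguments, e.g.
#   sudo sh check_certs.sh /etc/letsencrypt/example.com /etc/letsencrypt/example.com_ecc
# The --demo mode builds a constructed self-signed cert instead of touching real files.

# Returns 0 when the certificate carries the Must-Staple extension
# (X509v3 TLS Feature: status_request), which --ocsp-must-staple requested.
cert_has_must_staple() {
  openssl x509 -in "$1" -noout -text | grep -q 'status_request'
}

# Returns 0 when the private key's public half equals the cert's public key.
# Both sides are compared as PEM SubjectPublicKeyInfo, so RSA and EC both work.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Returns 0 when the key's mode grants nothing to group/others (e.g. 600, 400).
key_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Run the three checks against one install directory; prints one line per check
# and returns non-zero if any check failed.
check_cert_dir() {
  dir=$1
  rc=0
  cert_has_must_staple "$dir/fullchain.pem" && echo "ok   must-staple present: $dir" \
    || { echo "FAIL must-staple missing: $dir"; rc=1; }
  key_matches_cert "$dir/private.key" "$dir/fullchain.pem" && echo "ok   key matches cert: $dir" \
    || { echo "FAIL key does not match cert: $dir"; rc=1; }
  key_is_private "$dir/private.key" && echo "ok   key permissions: $dir" \
    || { echo "FAIL private.key readable by others: $dir"; rc=1; }
  return $rc
}

# Constructed demo input: a throwaway EC cert with Must-Staple, laid out like
# the page's directories. Not a real Let's Encrypt certificate.
make_demo_cert_dir() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj '/CN=example.com' -days 1 -addext 'tlsfeature=status_request' \
    -keyout "$dir/private.key" -out "$dir/fullchain.pem" 2>/dev/null
  chmod 600 "$dir/private.key"
}

if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  make_demo_cert_dir "$demo/example.com_ecc"
  check_cert_dir "$demo/example.com_ecc"
  rm -rf "$demo"
else
  for d in "$@"; do check_cert_dir "$d"; done
fi
```

A FAIL on the key-match line usually means the RSA and ECC paths got swapped in one of the --install-cert commands; a FAIL on permissions means the key was copied with a loose umask and Apache is not the only thing that can read it.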


Now, enable SSL in Apache and restart it:
sudo a2enmod ssl
sudo systemctl restart apache2

Use nano to make a config file:
sudo nano /etc/apache2/sites-available/example.com.conf

with nano open, copy and paste this (do not use Ctrl+V or you will have a bad time :)
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    # Only SSLv2/SSLv3 are disabled here; TLS 1.0 and 1.1 stay enabled.
    # Add -TLSv1 -TLSv1.1 if you want to refuse those as well.
    SSLProtocol all -SSLv2 -SSLv3
    # Stapling is not optional here: the certs were issued with --ocsp-must-staple,
    # so browsers refuse a handshake that carries no OCSP response.
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

    # RSA
    SSLCertificateFile "/etc/letsencrypt/example.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/example.com/private.key"
    # ECC (Apache 2.4.8+ accepts both pairs and picks one per client)
    SSLCertificateFile "/etc/letsencrypt/example.com_ecc/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/example.com_ecc/private.key"

  </VirtualHost>
  # The stapling cache must be declared outside any VirtualHost.
  SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>

save this and exit (in nano Ctrl+X, Y, Enter ;)

NOTE: The SSL stapling settings solve the problem in Firefox where you get the error:
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
Firefox throws it because the certificates were issued with --ocsp-must-staple, so the browser refuses any handshake in which the server does not staple an OCSP response.
this caused me so much fucking headache.
Now you can activate your new config and then check it:
sudo a2ensite example.com.conf
sudo apachectl configtest

Configtest should return Syntax OK!

Now just reload apache:
sudo systemctl reload apache2
And you should be good to go!
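After the reload, the thing worth confirming is that Apache really staples, because a Must-Staple cert served without a staple is exactly the Firefox error above. The script below is an added example, not from the original page. It assumes openssl is installed where you run it and that the site is reachable on port 443 from there. stapling_status classifies the output of openssl s_client -status (the strings it matches are the ones OpenSSL itself prints), and check_live_stapling wires it to a live connection.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the server staples an
# OCSP response. Usage: sh check_stapling.sh example.com

# Classify the output of `openssl s_client -status` read from stdin.
# Prints one word and returns:
#   0 "stapled"  an OCSP response was stapled and its status is successful
#   1 "missing"  the handshake completed but no OCSP response was sent
#   2 "bad"      a response was sent with a non-successful status, or unreadable output
stapling_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo stapled; return 0
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo missing; return 1
  else
    echo bad; return 2
  fi
}

# Live check against a host; needs network access. The 'Q' on stdin closes the
# session as soon as the handshake (and therefore the stapled response) is done.
check_live_stapling() {
  host=$1
  printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null \
    | stapling_status
}

if [ -n "${1:-}" ]; then
  check_live_stapling "$1"
fi
```

If the result is "missing" right after a reload, retry once before digging in: with SSLStaplingReturnResponderErrors off, a responder timeout (5 seconds in the config above) produces no staple at all rather than an error staple, and that single handshake would fail in Firefox.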

Thanks for coming to my TED talk! Return to cybergrunge.net