Change on 9.8.24

I decided that it was time to stop paying $400-$500 a year for GoDaddy certificates and switch to Let's Encrypt. It was a big change from 2-year certificates to ones that renew every 90 days. Many changes were needed in order to get Let's Encrypt to work.

I spent time fixing the DNS entries on Godaddy.com for each of my domains. I added a CAA record for letsencrypt.org similar to the one for godaddy.com. I had to fix issues in the conf file that the Apache 2 config test didn't find.
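As an added example (not part of the original post), here is a small Python evaluator that applies the RFC 8659 CAA rules to a constructed record set modelled on the zone above, so you can confirm that the new letsencrypt.org record actually authorizes issuance, and see what the wildcard and critical-flag rules do, before a 90-day renewal depends on it. The zone contents, including the issuewild ";" record, are assumptions for illustration.

```python
# Added example: evaluate CAA records the way a CA does under RFC 8659.
# The zone below is constructed for this example; it is not a live DNS lookup.

# (flags, tag, value) per owner name, mirroring the post's zone layout.
CAA_ZONE = {
    "scsiraidguru.com": [
        (0, "issue", "godaddy.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),          # ";" = no CA may issue wildcard certs
        (0, "iodef", "mailto:security@scsiraidguru.com"),   # constructed
    ],
    # mc.scsiraidguru.com has no CAA records of its own: the parent's apply.
}


def relevant_rrset(zone, fqdn):
    """RFC 8659 section 3: walk from the FQDN toward the root and return the
    first CAA RRset found (CNAME handling omitted for brevity)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return zone[name]
    return []


def ca_domain(value):
    """The issuer-domain-name is everything before the first ';', trimmed."""
    return value.split(";", 1)[0].strip().lower()


def caa_allows(zone, fqdn, ca, wildcard=False):
    """True if `ca` may issue for fqdn (or for *.fqdn when wildcard=True)."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True                      # no CAA anywhere in the tree: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag.lower() not in known for flags, tag, _ in rrset):
        return False                     # critical flag on an unknown tag: must not issue
    # issuewild governs wildcard names only when at least one issuewild record exists;
    # otherwise the issue records apply to wildcards too.
    use_wild = wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset)
    tag = "issuewild" if use_wild else "issue"
    allowed = [ca_domain(v) for _, t, v in rrset if t.lower() == tag]
    if not allowed:
        return True                      # no issue/issuewild records: unrestricted
    return ca.lower() in allowed         # "" (from ";") never matches a real CA


if __name__ == "__main__":
    for host, wild in (("mc.scsiraidguru.com", False), ("mc.scsiraidguru.com", True)):
        print(host, "wildcard" if wild else "", caa_allows(CAA_ZONE, host, "letsencrypt.org", wild))
```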

I had to add the Let's Encrypt E5 CA root certificate to the Fortinet 60E. The new certificate requires this certificate to pass SSL Labs tests on the web sites.

Extract the E5 from the certificate. I installed the fullchain and key from Let's Encrypt.

Let's Encrypt doesn't provide you with the E5.cer for the CA. The script below extracts your certificate and the CA root as .pem files.

# Fetch the chain the server presents (replace wikipedia.org with your own host)
# and write each certificate in it to cert1.pem, cert2.pem, ...
openssl s_client -showcerts -verify 5 -connect wikipedia.org:443 < /dev/null |
   awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
# Rename each file after its subject CN, lower-cased, with spaces and punctuation replaced by "_"
for cert in cert*.pem; do
        newname=$(openssl x509 -noout -subject -in "$cert" | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
        echo "${newname}"; mv "${cert}" "${newname}"
done

Make sure all redirect targets end in /:

<VirtualHost *:80>
    ServerName mc.scsiraidguru.com
    Redirect permanent / https://mc.scsiraidguru.com/
</VirtualHost>

SSLCertificateChainFile has been deprecated since Apache 2.4.8, but the following still works:

SSLCertificateChainFile /etc/letsencrypt/live/xxxx/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/xxxx/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxx/privkey.pem

Add to the protocol settings:

SSLProtocol -all +TLSv1.3 +TLSv1.2
Protocols h2 h2c http/1.1 acme-tls/1