Aloha lads,
I’m tried to installed a SSL-certificate via certbot and just let him do his thing BUT although I get the message with something like: congrats… successfully install… expires on the DATE
but now if I try go to my website it still is http. I read that certbot maybe did not update/add the paths for apache2 but I don’t know how to do that.
Debian 8 Jessie
Apache2
used certbot automated
I’m sorry if you lack some information to help I’ll add if you tell me what you need :>
if you change the URL from http to https, is the site also there?
without https it’s working just fine: http://anttology.com/
Could it be that I have to add something to sites-available to make it work?
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
ServerName www.example.com
SSLEngine on
SSLCertificateFile "/path/to/www.example.com.cert"
SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>
^something like this?^
Seems like the site is available now but it uses my selfsigned certificate instead of the one certbot made. How can I change this?
Also! How can I make the http version unavailable for public? so if people only enter anttology.com manually that they get to https instantly without having to type it themselves? Now if you go for anttology.com you get to the http version which now is “empty”
You need to find the conf file that serves the secure site (:443)
There you can modify which cert file is used.
That can be done with a redirection statement.
You need to find the conf file that serves the regular site (:80)
There you can insert a redirect statement like this:
Redirect "/" "https://www.example.com/"
or for more than just redirection to the main https start page:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}
or maybe this could also do the trick:
SSLOptions +StrictRequire
SSLRequireSSL
I actually edited the 80 file to 443 and did not make a new one. Can I put both the redirect 80 > 443 and the 443 both in the same conf?
Where does certbot save the files by default?
Okay I managed to do it like this:
<VirtualHost *:443>
ServerAdmin web@master.lol
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/website/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
<VirtualHost *:80>
ServerName example.com
Redirect / https://example.com/
</VirtualHost>
Now I only have to know where certbot saves the files so I can set them as path. I assume I have to set the path in this exact document:
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
I can’t manage to find where those files are stored 
That’s the output of the comment “find /-name *.key”
try
find / -name *.pem
That’s only the stuff with letsencrypt in the path 
/etc/letsencrypt/live/anttology.com/privkey.pem = private key file
/etc/letsencrypt/live/anttology.com/fullchain.pem = public cert with intermediates
They should be symbolic links that auto-update to the latest file whenever it renews.
yee website be saying ney no longer!
Updated it to:
but after restarting apache2 it still says ney 
<VirtualHost *:443>
ServerAdmin myemail
ServerName anttology.com
ServerAlias www.anttology.com
DocumentRoot /var/www/belph.de/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/anttology.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/anttology.com/privkey.pem
Alias /phpmyadmin "/usr/share/phpmyadmin/"
<Directory "/usr/share/phpmyadmin/">
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName anttology.com
Redirect / https://anttology.com/
</VirtualHost>
That’s the complete file
BTW should I edit the phpmyadmin thing? If I read “allow from all” I get a bad feeling
I did not change anything! I assume it used old cache I think I did not ctrl-F5 
I thank you so much for helping me! People like you are awesome
OK
That problem seems to be from the server lack of cipher preference ordering:
https://www.ssllabs.com/ssltest/analyze.html?d=anttology.com&hideResults=on
(shows A- now, but you can get A+ easily)
try adding this to the :443 part:
SSLCipherSuite ECDH:DH:!ADH:!aNULL:!AESCCM:!DSS:!eNULL:!SEED:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
It’s a very basic starting point.
You can read up on that and later decide for yourself which ciphers you would like to serve and in which order.
SSLOpenSSLConfCmd DHParameters
If using DHE ciphers.
And
SSLOpenSSLConfCmd Curves
as well.
openssl ciphers
will show all ciphers available on that version of openssl
openssl ciphers ECDH:DH:!ADH:!aNULL:!AESCCM:!DSS:!eNULL:!SEED:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
will show the ciphers available with those restrictions.
Have fun!
I don’t get the Cipher thing tbh “AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA” Does chain different encrypt methods?
Okay added it. How can I view my A status?
Your site is already doing this (which includes those four ciphers):
TLS 1.2 (server has no preference)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 2048 bits FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256