Hello again
I think I have it. Well, I have it, I think everything is fine. This is what I did.
Execute the command:
certbot --text --agree-tos --email laegnur@whatever -d artabro.org,*.artabro.org,codigoartabro.org,*.codigoartabro.org --manual --preferred-challenges dns --expand --renew-by-default --manual-public-ip-logging-ok certonly
It asked me to create 4 TXT entries in the DNS. Once done, wait half an hour before continuing. The certbot validated the tickets, and generated the keys.
I went to the Mozilla SSL Configuration Generator and created the recommended configuration for my version of Apache and OpenSSL and combined it with @Archer 's Apache Configuration Example here.
I added these lines to the configuration of my vhosts:
# Plain HTTP vhost: only redirects to the HTTPS site
<VirtualHost *:80>
    ServerName artabro.org
    ServerAlias www.artabro.org
    Redirect / https://artabro.org
</VirtualHost>

# HTTPS vhost with the Let's Encrypt certificate
<VirtualHost _default_:443>
    ServerName artabro.org
    ServerAlias www.artabro.org
    DocumentRoot "......"
    <Directory "........">
        .....
    </Directory>

    SSLEngine on
    SSLCertificateFile /...../cert.pem
    SSLCertificateKeyFile /...../privkey.pem
    SSLCertificateChainFile /...../chain.pem

    # HSTS for six months, and no framing of the site
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always set X-Frame-Options DENY

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>
And these lines to the general configuration of http-ssl.conf:
# PRNG seeding
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Only TLS 1.2+, server-preferred AEAD/ECDHE ciphers
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# OCSP stapling (needs socache_shmcb_module)
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Also enable the modules ssl_module, socache_shmcb_module and headers_module of Apache and include the previous configuration in the general configuration file of Apache.
Restart the server, and SSL is working. To check it I went to the site SSL Server Test.
And I get an A+, so I guess everything is correct.
Now I understand that the 4 TXT entries in the DNS can be removed, but in two months I should rerun the certbot command and temporarily re-add the entries, is that right?
@JuergenAuer thanks again for pointing me in the right direction.
@rg305 my domain provider sells its own certificates, so I do not think they will give me much support with this. And I do not think it would be right to go and ask them for help. Could you give me some example or explain to me the HTTP-01 authentication method?
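Added example, not part of the post above: a small Python checker that reads Apache mod_ssl directives like the ones shown and flags what graders such as SSL Server Test penalise (legacy protocols, non-AEAD cipher suites, compression, session tickets, stapling off, weak HSTS). Both inputs are constructed: one reproduces the post's directives, the other is a deliberately weak counterpart.

```python
import re
# Constructed samples: the post's TLS directives (paths left out) and a weak counterpart.
POST_CONFIG = """\
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=15768000"
"""
WEAK_CONFIG = "SSLProtocol all -SSLv2\nSSLCipherSuite HIGH:!aNULL\nSSLCompression on\n"
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")
WANT = (("sslhonorcipherorder", "on"), ("sslcompression", "off"),
        ("sslsessiontickets", "off"), ("sslusestapling", "on"))

def parse_directives(text):
    # Yield (directive lower-cased, value) for each non-comment line.
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def audit(text):
    # Return human-readable findings; an empty list means nothing to fix.
    vals = lambda name: [v for k, v in parse_directives(text) if k == name]
    findings = []
    proto = vals("sslprotocol")
    tokens = proto[-1].split() if proto else ["all"]  # unset behaves like 'all'
    for p in LEGACY:
        if p in tokens or ("all" in tokens and "-" + p not in tokens):
            findings.append(f"SSLProtocol leaves {p} enabled")
    for suite in filter(None, (vals("sslciphersuite") or [""])[-1].split(":")):
        if suite.startswith("!") or "-" not in suite:  # alias such as HIGH
            findings.append(f"cipher alias {suite}: expansion depends on the OpenSSL build")
        elif not re.search(r"GCM|POLY1305|CCM", suite):
            findings.append(f"non-AEAD (CBC) suite kept: {suite}")
    for name, want in WANT:
        got = vals(name)
        if not got or got[-1].lower() != want:
            findings.append(f"{name} should be {want}, got {got[-1] if got else 'unset'}")
    hsts = [v for v in vals("header") if "Strict-Transport-Security" in v]
    m = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if not m or int(m.group(1)) < 15768000:  # six months, the value in the post
        findings.append("HSTS header missing or max-age below six months")
    return findings

if __name__ == "__main__":
    print(*audit(POST_CONFIG), *audit(WEAK_CONFIG), sep="\n")
```

On the post's own directives the only findings are the four CBC suites at the end of the cipher list; the weak sample trips every check.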