Apache2 Let's Encrypt
Install Certbot

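# Refresh the package index first; && stops the install if the refresh fails,
# so certbot is never installed from a stale index.
apt update && apt install certbot

# Bring the TLS library and the web server up to date before enabling TLS.
# NOTE(review): `apt upgrade <pkg>` appears to upgrade every other pending
# package as well — confirm that a full upgrade is intended here.
apt upgrade openssl && apt upgrade apache2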

Generate DH parameters

# Choose ONE of the two commands: both write the same file, so running the
# second one overwrites the result of the first.
# 2048-bit parameters:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# 4096-bit parameters (much slower to generate):
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
The generation may take more than 30 minutes, depending on the system configuration

Create directory

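# Create the challenge directory tree, hand it to the web server's group and
# set the setgid bit so entries created later inherit that group.
# Each step runs only if the previous one succeeded.
mkdir -p /var/lib/letsencrypt/.well-known \
  && chgrp www-data /var/lib/letsencrypt \
  && chmod g+s /var/lib/letsencrypt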

Create Let's Encrypt configuration file

# Snippet lives in conf-available; it is activated later with `a2enconf letsencrypt`.
nano /etc/apache2/conf-available/letsencrypt.conf

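# Map the ACME challenge URL onto the directory the challenge files are
# written to.
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    # No .htaccess processing anywhere in this tree.
    AllowOverride None
    # Only static token files are served from here: directory listings
    # (Indexes), content negotiation (MultiViews), symlink following and
    # server-side includes are not needed, so none of them is enabled.
    Options None
    # Challenge validation only reads files; other methods are refused.
    Require method GET
</Directory>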
Create SSL configuration file

# Snippet lives in conf-available; it is activated later with `a2enconf ssl-params`.
nano /etc/apache2/conf-available/ssl-params.conf
CipherSuite Info, Enforcing Strong Encryption

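# TLS 1.2 and newer only.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
# TLS 1.2 suites: forward-secret key exchange (ECDHE/DHE) with AEAD ciphers only.
# Deliberately excluded: 3DES (DES-CBC3-SHA), static-RSA key exchange
# (AES128-SHA, AES256-GCM-SHA384, ...), CBC-mode suites and the PSK suite.
# TLS 1.3 suites (TLS_AES_*) are not selected by this list; they are configured
# with "SSLCipherSuite TLSv1.3 ..." and otherwise keep the library defaults.
# Clients without AEAD support will no longer be able to connect.
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
# The server's order above wins over the client's preference.
SSLHonorCipherOrder     on
# TLS-level compression leaks plaintext length (CRIME-style attacks).
SSLCompression          off
# Session tickets off: no long-lived ticket key that could decrypt past sessions.
SSLSessionTickets       off

# OCSP stapling.
# NOTE(review): the cache path is relative to ServerRoot — confirm a logs/
# directory exists there on this distribution's layout.
# NOTE(review): stapling only helps if the issuing CA still publishes OCSP
# responses; confirm this for the CA in use.
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# This snippet is server-wide, so HSTS is sent for every virtual host.
# includeSubDomains + preload commits every subdomain to HTTPS for two years and
# is slow to undo once the domain is on a preload list — confirm all hosts
# under the domain are HTTPS-only before enabling.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff

# Custom DH group for the DHE-RSA suites; the file is generated with
# `openssl dhparam` in the earlier step.
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"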
Enable Apache2 modules and configuration snippets

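# TLS, response-header and HTTP/2 support; one call fails as a unit instead of
# continuing past a module that could not be enabled.
a2enmod ssl headers http2

# Activate the two snippets from conf-available.
a2enconf letsencrypt ssl-params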

Test the configuration and reload Apache2

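# Reload only when the syntax check passes, so a broken snippet never reaches
# the running server.
apache2ctl configtest && systemctl reload apache2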

Enable cron task for Certbot

# NOTE(review): distribution certbot packages often ship their own
# /etc/cron.d/certbot and a systemd timer — check before overwriting, so
# renewal is not scheduled twice.
nano /etc/cron.d/certbot

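# Attempt renewal twice a day; certbot only renews certificates that are due.
# --deploy-hook runs only after a certificate was actually renewed, and a
# reload picks up the new files without dropping active connections.
0 */12 * * * root certbot renew --quiet --deploy-hook "systemctl reload apache2"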