
Using Let’s Encrypt you can get a free SSL certificate. Let’s Encrypt is a Certificate Authority (CA) that provides a simple way to obtain, validate, install and renew free TLS/SSL certificates. In this guide, you will learn how to obtain and install a free SSL certificate and secure Apache with Let’s Encrypt on Ubuntu 18.04.
Prerequisites
- A running Ubuntu system, logged in as a non-root user with sudo privileges.
- Apache must be installed and configured, as shown in this tutorial.
- An Apache virtual host for your domain, as shown in this tutorial.
- Your domain name should point to your server's IP address.
Install Let’s Encrypt on Ubuntu
Nowadays, Let’s Encrypt SSL certificates are trusted by all major browsers.
Install Certbot Client
Certbot is an easy-to-use client for obtaining and renewing Let’s Encrypt SSL certificates and for configuring web servers to use them. The certbot package is available in the default Ubuntu repositories, so we will first install it on the Ubuntu server.
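Update the package list and install the certbot package with the following commands. The Apache plugin package is installed alongside it because the --apache option used later in this guide requires it:
sudo apt update
sudo apt install certbot python3-certbot-apache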
Once the installation has finished, you can confirm it by checking the certbot version:
certbot --version
Set Up the Firewall
If your system has a firewall enabled, it must allow HTTPS traffic before you can configure the SSL certificate, so you need to adjust the firewall rules. On Ubuntu, ufw comes with predefined application profiles that make it simple to change firewall rules. You can check the current ufw rules by typing:
sudo ufw status
It should output as below:
If you can’t see the “Apache Full” profile in the output, you can allow it with the commands below:
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Next, we will obtain an SSL certificate.
Obtain an SSL Certificate
Certbot can obtain Let’s Encrypt SSL certificates in several ways using plugins. Run the following command to obtain an SSL certificate using the certbot client:
sudo certbot --apache -d example.com -d www.example.com
In the above command, we requested a certificate for both the example.com and www.example.com domains. If this is the first time you are installing a certificate, it will ask you to enter an email address and agree to the terms and conditions. The email address you enter will be used for sending email alerts related to SSL renewal and expiration.
After that, certbot will communicate with the Let’s Encrypt server and run a challenge to verify that you are the owner of the domain for which you are requesting a certificate.
If validation passes, it will ask how you want to configure your HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select whichever option you prefer and continue. Your virtual host will be updated according to the selected option, and Apache will be reloaded so the new settings take effect.
Your domain is now secured with a Let’s Encrypt SSL certificate. You can verify this by visiting your site over HTTPS.
Auto Renew Let’s Encrypt SSL certificate
Let’s Encrypt SSL certificates have a short lifetime of 90 days, so you need to renew them before they expire. You can use certbot's auto-renew facility to avoid SSL expiration. By default, the Certbot package creates a cron job script in /etc/cron.d which runs twice a day and automatically renews any certificate 30 days before its expiration. You can test the renewal process by typing:
sudo certbot renew --dry-run
If it does not report any errors, everything is okay. From now on, Certbot will take care of SSL expiration: it will renew your certificates and reload Apache to pick up the changes automatically.
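The dry run exercises the renewal mechanism, but it does not show whether the installed certificate is actually being kept fresh. The script below is an added example (not part of the original guide or of Certbot) that checks a certificate file covers the names requested with -d and is not inside the 30-day window in which certbot should already have replaced it. The function names are illustrative, and the path in the final comment assumes certbot's default /etc/letsencrypt/live/ layout.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide.
RENEW_WINDOW_DAYS=30   # the guide: certbot renews 30 days before expiry

# cert_names FILE: print the DNS names in the certificate's SAN, one per line
cert_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers FILE NAME...: succeed only if every NAME is listed in the SAN
cert_covers() {
    local cert="$1" name
    shift
    for name in "$@"; do
        cert_names "$cert" | grep -qxF "$name" ||
            { echo "missing name: $name"; return 1; }
    done
}

# cert_in_renew_window FILE: succeed if the cert expires within the window
cert_in_renew_window() {
    ! openssl x509 -in "$1" -noout \
        -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null
}

# cert_check FILE NAME...: 0 = healthy, 1 = name missing, 2 = renewal overdue
cert_check() {
    local cert="$1"
    shift
    cert_covers "$cert" "$@" || return 1
    if cert_in_renew_window "$cert"; then
        echo "expires within $RENEW_WINDOW_DAYS days: renewal is not running"
        return 2
    fi
    echo "ok: $(openssl x509 -in "$cert" -noout -enddate)"
}

# make_sample_cert FILE DAYS: constructed self-signed certificate, only for
# trying the checks offline (needs OpenSSL 1.1.1+ for -addext)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null
}

# On the server (as root; path assumes certbot's default layout):
#   cert_check /etc/letsencrypt/live/example.com/cert.pem example.com www.example.com
```

A return code of 2 on a certificate that certbot manages means the twice-daily renewal job has been failing or is not installed, which is worth alerting on well before the certificate expires.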
Conclusion
You have learned how to install Let’s Encrypt SSL on Ubuntu 18.04 by using Certbot. If you have any questions about this, please don’t forget to comment below.