Secure Apache with Let’s Encrypt on Ubuntu 20.04

Let’s Encrypt is a Certificate Authority that provides free TLS/SSL certificates. It facilitate fully automated process of obtaining and installing a certificate on both Apache and Nginx. This tutorial explains how to install free Let’s Encrypt SSL certificate and secure Apache web server on Ubuntu 20.04.

In this tutorial, we’ll use Certbot to obtain a free SSL certificate for Apache on Ubuntu 20.04. Certificates issued by Let’s Encrypt are valid for 90 days from the issue date.

Prerequisites#

• A Ubuntu running system logged in with a non-root user with sudo privileges.
• Apache must installed and configured, as shown in this tutorial.
• Have an Apache virtual host for your domain, as shown in this tutorial.
• Your domain name should pointing to your server IP address.

Installing Let’s Encrypt on Ubuntu#

Now a days, Let’s Encrypt SSL certificates are trusted by all major browsers.

Installing Certbot#

Certbot client package is easy and useful tool for obtain and renew Let’s Encrypt SSL certificates and configure to web servers. The certbot package is available in the default Ubuntu repositories. We will install Certbot client package to Ubuntu server to obtain a Let’s Encrypt SSL certificate.

Update the packages list and install the certbot package by following commands:

sudo apt update

sudo apt install certbot python3-certbot-apache

Once its finished you can confirm your installation by checking certbot version command as below:

certbot --version

Adjusting Firewall#

If your system have UFW firewall enabled then you should allow HTTPS traffic to configure SSL certificate. By default, Ubuntu includes UFW pre-installed and it’s simple to change firewall rules using UFW. You can check current UFW rules by typing :

sudo ufw status

It should show output as below:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Apache                     ALLOW       Anywhere             
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Apache (v6)                ALLOW       Anywhere (v6)

If you can’t see Apache Full profile in output then you can allow it by below command :

sudo ufw allow 'Apache Full'

sudo ufw delete allow 'Apache'

Now we are ready to obtain an SSL Certificate.

Obtaining Let’s Encrypt SSL certificate#

You can obtain Let’s Encrypt SSL certificates by multiple ways using plugins. Execute the following command to obtain a SSL certificate using certbot client:

sudo certbot --apache -d example.com -d www.example.com

In above command, we requested for both example.com and www.example.com domains. If you are first time installing certificate then it will ask you enter email address and agree terms and conditions.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Entered email address will be used for sending email alerts related to SSL renewal and expiration.

After doing so, certbot will communicate with the Let’s Encrypt server and then run a challenge to verify that you are the owner of domain for which you’re requesting a certificate.

If validation got passed, it will ask you how you would like to configure your HTTPS settings:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select as per your choice and go ahead. Your virtual host will be updated based on your selected option and it will reload Apache to take new settings in effect.

After this step, Certbot configuration is finished and you will be presented with Congratulations message as following:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your_domain and
https://www.your_domain

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Finally, your domain is secure with Let’s Encrypt SSL certificate. You can verify by visiting your site with HTTPS protocol.

Auto Renew Let’s Encrypt SSL certificate#

Let’s Encrypt SSL certificates have short-life period of 90 days so you need to renew it before it expire. You can use certbot auto-renew facility to avoid from SSL expiration. By default, Certbot package creates a cronjob script at /etc/cron.d which runs twice in a day and will automatically renew any certificate 30 days before its expiration. You can check renewal process by type :

sudo certbot renew --dry-run

If it will not show any errors means your installation is successful. Now on wards Certbot will take care of your SSL expiration and renew your certificates automatically and reload Apache to pick up the changes automatically.

Conclusion#

This tutorial explained how to secure Apache Web Server with Let’s Encrypt SSL on Ubuntu 20.04 using Certbot.

If you have any questions or feedback, please leave a comment below.