
Let’s Encrypt is a Certificate Authority that provides free TLS/SSL certificates. It offers a fully automated process for obtaining and installing a certificate on both Apache and Nginx. This tutorial explains how to install a free Let’s Encrypt SSL certificate and secure an Apache web server on Ubuntu 20.04.
In this tutorial, we’ll use Certbot to obtain a free SSL certificate for Apache on Ubuntu 20.04. Certificates issued by Let’s Encrypt are valid for 90 days from the issue date.
Prerequisites
- An Ubuntu system, logged in as a non-root user with sudo privileges.
- Apache must be installed and configured, as shown in this tutorial.
- An Apache virtual host for your domain, as shown in this tutorial.
- Your domain name should point to your server’s IP address.
Installing Let’s Encrypt on Ubuntu
Nowadays, Let’s Encrypt SSL certificates are trusted by all major browsers.
Installing Certbot
Certbot is an easy-to-use client for obtaining and renewing Let’s Encrypt SSL certificates and configuring web servers to use them. The certbot package is available in the default Ubuntu repositories. We will install the Certbot client package on the Ubuntu server to obtain a Let’s Encrypt SSL certificate.
Update the package list and install the certbot package with the following commands:
sudo apt update
sudo apt install certbot python3-certbot-apache
Once it has finished, you can confirm the installation by checking the certbot version:
certbot --version
Adjusting Firewall
If the UFW firewall is enabled on your system, you must allow HTTPS traffic before configuring the SSL certificate. By default, Ubuntu includes UFW pre-installed, and changing firewall rules with it is simple. You can check the current UFW rules by typing:
sudo ufw status
It should show output as below:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)
If the Apache Full profile is not listed in the output, allow it with the commands below. The second command removes the Apache profile allowance, which Apache Full makes redundant:
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Now we are ready to obtain an SSL Certificate.
Obtaining Let’s Encrypt SSL certificate
Certbot can obtain Let’s Encrypt SSL certificates in several ways through plugins. Run the following command to obtain an SSL certificate using the certbot client with the Apache plugin:
sudo certbot --apache -d example.com -d www.example.com
In the above command, we requested a certificate for both the example.com and www.example.com domains. If this is your first time installing a certificate, it will ask you to enter an email address and agree to the terms and conditions.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
The email address you enter will be used for email alerts related to SSL renewal and expiration.
After that, certbot will communicate with the Let’s Encrypt server and run a challenge to verify that you control the domain for which you’re requesting a certificate.
If validation passes, it will ask how you would like to configure your HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select the option you prefer and continue. Your virtual host will be updated based on the selected option, and Apache will be reloaded so the new settings take effect.
After this step, the Certbot configuration is finished and you will be presented with a Congratulations message like the following:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your_domain and
https://www.your_domain
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your domain is now secured with a Let’s Encrypt SSL certificate. You can verify this by visiting your site over HTTPS.
Auto Renew Let’s Encrypt SSL certificate
Let’s Encrypt SSL certificates have a short lifetime of 90 days, so you need to renew them before they expire. You can use certbot’s auto-renew facility to avoid certificate expiration. By default, the Certbot package creates a cron job script at /etc/cron.d which runs twice a day and automatically renews any certificate 30 days before its expiration. You can test the renewal process by typing:
sudo certbot renew --dry-run
If it shows no errors, your installation is successful. From now on, Certbot will take care of certificate expiration, renewing your certificates automatically and reloading Apache to pick up the changes.
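To confirm over time that automatic renewal keeps working, the following added example (not part of the original tutorial) reads the output of sudo certbot certificates and flags any certificate that should already have been renewed. The sample report is constructed, and the function names and the 25-day threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example: reads `certbot certificates` output on stdin and prints
# "<name> <days-left> <state>" per certificate; returns 1 if any needs attention.
# The 25-day threshold is an assumption: renewal starts 30 days before expiry,
# so a certificate with fewer days left has missed repeated renewal attempts.
THRESHOLD_DAYS=${THRESHOLD_DAYS:-25}

check_cert_report() {
    awk -v min="$THRESHOLD_DAYS" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = $0
            if ($0 ~ /\(VALID: [0-9]+ day/) {
                sub(/.*\(VALID: /, "", days); sub(/ day.*/, "", days)
            } else if ($0 ~ /\(VALID: [0-9]+ hour/) {
                days = 0                      # less than one day left
            } else {
                days = "-"                    # INVALID (expired, revoked, test cert)
            }
            if (days == "-") { state = "INVALID" }
            else if (days + 0 < min + 0) { state = "RENEWAL_OVERDUE" }
            else { state = "OK" }
            if (state != "OK") bad = 1
            print name, days, state
        }
        END { exit (bad + 0) }
    '
}

# Constructed sample input, modelled on `sudo certbot certificates` output.
sample_report() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2020-09-01 10:15:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2020-07-12 08:00:00+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2020-06-20 08:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
EOF
}

sample_report | check_cert_report || echo "renewal needs attention"
```

On a live server, pipe the real report into the function instead of the sample: sudo certbot certificates | check_cert_report.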
Conclusion
This tutorial explained how to secure Apache Web Server with Let’s Encrypt SSL on Ubuntu 20.04 using Certbot.
If you have any questions or feedback, please leave a comment below.