How To Secure Apache with Let’s Encrypt on Ubuntu

Secure Apache with Let's Encrypt

Let’s Encrypt is a Certificate Authority (CA) that offers an easy way to obtain and install free TLS/SSL certificates, enabling the use of encrypted HTTPS. It simplifies the process by working with Certbot, a client that aims to automate most or all of the necessary tasks. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

In this guide, you will use Certbot to obtain a free SSL certificate for Apache on Ubuntu/Debian and set up your certificate so that it will automatically renew.

This guide uses a separate virtual host file for Apache rather than the default configuration file. We recommend creating a new Apache virtual host file for every domain, since it helps avoid common mistakes and keeps the default files as a fallback configuration.

If you want to install the certificate manually, see Setup Let’s Encrypt SSL on Ubuntu.

Prerequisites

  • One Ubuntu/Debian server set up with a non-root user that has sudo privileges, and a firewall.
  • A domain name that is fully registered. In this guide, we will use your_domain as an example all the way through.
  • Both of these DNS records set up for your server. 
    • An A record with your_domain that points to the public IP address of your server.
    • An A record with www.your_domain that points to the public IP address of your server.
  • Apache installed. Be sure that you already have a virtual host file set up for your domain. This tutorial will be using /etc/apache2/sites-available/your_domain.conf as an example.

Step 1 — Install Certbot With Snap

Snaps can be used on all major Linux distributions, including Ubuntu, Linux Mint, Debian and Fedora.

Snap comes pre-installed on Ubuntu 16 and later. To make sure you have the most recent version of snapd, run the following commands on the system’s command line.

$ sudo snap install core; sudo snap refresh core

To install Certbot, use this command on the machine’s command line.

$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 2 — Set Up the SSL Certificate

Certbot should be able to find the correct virtual host in your Apache configuration and configure SSL automatically. Specifically, it does this by looking for a ServerName directive that matches the domain for which you request a certificate.

You should already have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.conf with the ServerName directive set correctly.

To verify, open your domain’s virtual host file using nano or your preferred text editor:

$ sudo nano /etc/apache2/sites-available/your_domain.conf

Find the existing ServerName line. It will look similar to this, but with your domain name instead of your_domain:

...
ServerName your_domain
...

If it doesn’t already, update the ServerName directive to point to your domain name, save the file and quit your editor, then verify the syntax of your configuration edits:

$ sudo apache2ctl configtest

You will see the output below if there are no syntax errors:

Output:
Syntax OK

If you get an error, reopen the virtual host file and check for any typos or missing characters. Once your configuration file’s syntax is correct, restart Apache to load the new configuration:

$ sudo systemctl restart apache2

Certbot can now find the correct VirtualHost block and update it.

Step 3 — Allow HTTPS Through the Firewall

If your ufw firewall is enabled, as recommended in the prerequisites, you will have to adjust its settings to allow HTTPS traffic. Fortunately, when installed on Ubuntu/Debian, ufw ships with a few application profiles that make changing the firewall rules for HTTP and HTTPS traffic simple.

You can view the current settings by typing the following command:

$ sudo ufw status

The output of this command should look something like this, showing that only HTTP traffic is allowed into the web server:

Output:
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
WWW                        ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
WWW (v6)                   ALLOW       Anywhere (v6)

To additionally let in HTTPS traffic, enable the “WWW Full” profile and delete the now redundant “WWW” profile allowance:

$ sudo ufw allow 'WWW Full'
$ sudo ufw delete allow 'WWW'

Your status should now be similar to this:

$ sudo ufw status
Output:
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
WWW Full                   ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
WWW Full (v6)              ALLOW       Anywhere (v6)

Step 4 — Obtain an SSL Certificate in Apache

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin takes care of reconfiguring Apache and reloading it whenever necessary. To use this plugin, type this command:

$ sudo certbot --apache -d your_domain -d www.your_domain

This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.
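To check that the virtual host from Step 2 actually declares every name you pass with -d, here is an added shell example (not code from the original guide or from Certbot). The vhost contents are constructed, and the check mimics the ServerName/ServerAlias matching described above, including flagging a trailing semicolon, which is Nginx syntax and would stop the name from matching.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that an Apache vhost file
# declares every name you will pass to "certbot -d". Certbot's Apache plugin
# picks the VirtualHost whose ServerName/ServerAlias matches the domain.
# Both vhost files below are constructed stand-ins for your_domain.conf.

# vhost_names FILE: print ServerName/ServerAlias values, comments stripped.
vhost_names() {
    sed -e 's/#.*//' "$1" |
      awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) print $i }'
}

# check_vhost FILE DOMAIN...: exit 0 when every DOMAIN is declared, else 1.
# A trailing ";" (Nginx syntax, as in the guide's sample ServerName line) is
# flagged: Apache would take it as part of the hostname, so it never matches.
check_vhost() {
    file=$1; shift
    names=$(vhost_names "$file")
    rc=0
    for n in $names; do
        case $n in
            *';') echo "suspicious: '$n' ends with ';' (Nginx syntax)"; rc=1 ;;
        esac
    done
    for d in "$@"; do
        if printf '%s\n' "$names" | grep -qxF -- "$d"; then
            echo "ok: $d is declared in $file"
        else
            echo "missing: $d is not a ServerName/ServerAlias in $file"; rc=1
        fi
    done
    return $rc
}
good_conf=$(mktemp); bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT
cat > "$good_conf" <<'EOF'
<VirtualHost *:80>
    ServerName your_domain
    ServerAlias www.your_domain   # both names will be requested with -d
    DocumentRoot /var/www/your_domain
</VirtualHost>
EOF
cat > "$bad_conf" <<'EOF'
<VirtualHost *:80>
    ServerName your_domain;
</VirtualHost>
EOF
check_vhost "$good_conf" your_domain www.your_domain           # exits 0
check_vhost "$bad_conf" your_domain www.your_domain || echo "fix the vhost first"
```

Run it against your real file with check_vhost /etc/apache2/sites-available/your_domain.conf your_domain www.your_domain before invoking certbot.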

If you are running certbot for the first time, you will be asked to enter an email address and agree to the terms of service. You will also be asked whether you would like to share your email address with the Electronic Frontier Foundation, a non-profit that advocates for digital rights and is also the maker of Certbot. Enter Y to share your email address or N if you would rather not.

Once this is done, certbot will contact the Let’s Encrypt server and then run a challenge to verify that you control the domain for which you are requesting a certificate.

If that succeeds, certbot will ask how you’d like to configure your HTTPS settings:

Output:
Please choose whether to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice and hit ENTER. The configuration will then be updated automatically and Apache will be reloaded to apply the new settings.

certbot will finish with a message confirming that the process was successful and showing where your certificates are stored:

Output:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2019-10-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates have been downloaded, installed, and loaded. Load your website using https:// and check your browser’s security indicator. It should show, usually with a green lock icon, that the site is properly secured. If you test your server with the SSL Labs Server Test, it will get an A grade.

Step 5 — Verify the Auto-Renewal of Certbot

Let’s Encrypt certificates are valid for only 90 days, to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this by adding a renewal script to /etc/cron.d, which runs twice a day and automatically renews any certificate that is within 30 days of expiration.

To run a test on the renewal process, do a dry run using certbot:

$ sudo certbot renew --dry-run

You’re all set if you see no errors. When necessary, Certbot will renew your certificates and reload Apache to pick up the new ones. If the automated renewal process fails, Let’s Encrypt will send a message to the email address you provided to warn you that your certificate is about to expire.

Conclusion

In this guide, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Apache to use them, and set the certificate to renew automatically. If you have more questions about using Certbot, check their documentation, which is a good place to start.
