Introduction
Let’s Encrypt is a certificate authority (CA) that provides a way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. It streamlines the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated in both Apache and Nginx.
In this tutorial, you will use Certbot to get a free SSL certificate for Apache on Ubuntu 18.04 and verify that your certificate is set to auto-renew.
This tutorial uses a separate Apache virtual host file instead of the default configuration file to configure the website that will be protected by Let’s Encrypt. We recommend creating new Apache virtual host files for each domain hosted on a server, as it helps avoid common mistakes and keeps the default files as a fallback configuration.
Prerequisites
To complete this tutorial, you will need:
- An Ubuntu 18.04 server configured following this initial server setup tutorial for Ubuntu 18.04, which includes a non-root sudo user and a firewall.
- A fully registered domain name. This tutorial will use your_domain as an example throughout. You can buy a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
- The following two DNS records configured for the server. You can follow this introduction to DigitalOcean DNS for details on how to add them.
  - An A record with your_domain pointing to the server’s public IP address.
  - An A record with www.your_domain pointing to the server’s public IP address.
- Apache installed following How to Install Apache on Ubuntu 18.04. Make sure that you have a virtual host file for your domain. This tutorial will use /etc/apache2/sites-available/your_domain.conf as an example.
Step 1 — Installing Certbot
To get an SSL certificate with Let’s Encrypt, you need to install the Certbot software on your server. For this tutorial, we will use Ubuntu’s default package repositories to install Certbot.
Run the following command, which will install two packages: certbot and python3-certbot-apache. The latter is a plugin that integrates Certbot with Apache, so that it is possible to automate obtaining a certificate and configuring HTTPS within your web server with a single command:
- sudo apt install certbot python3-certbot-apache
Confirm the installation by pressing Y and then ENTER.
Certbot is now installed on your server. Next, you’ll check your Apache configuration to make sure your virtual host is configured correctly. This ensures that the certbot client script will be able to discover your domains and reconfigure your web server to use your newly generated SSL certificate automatically.
Step 2 — Verifying Apache Virtual Host Configuration
To automatically obtain and configure SSL for your web server, Certbot must be able to locate the correct virtual host in your Apache configuration files. Your server domain names will be retrieved from the ServerName and ServerAlias directives defined in your VirtualHost configuration block.
If you followed the virtual host configuration step in the Apache installation tutorial, you should have a VirtualHost block for your domain in /etc/apache2/sites-available/your_domain.conf with the ServerName directive already set correctly.
To check, open your domain’s virtual host file using nano or your favorite text editor:
- sudo nano /etc/apache2/sites-available/your_domain.conf
Find the existing ServerName and ServerAlias lines. They should look like this:
...
ServerName your_domain
ServerAlias www.your_domain
...
If ServerName and ServerAlias are already configured, you can exit the text editor and proceed to the next step. If you are using nano, you can do so by pressing CTRL+X, then Y and ENTER.
If the current virtual host configuration does not match, update it accordingly. Then save and exit the text editor. Next, validate the changes:
- sudo apache2ctl configtest
If there is no error with the syntax of the virtual host file, you will receive a Syntax OK response. If you receive an error, reopen the virtual host file and check for typos or missing characters. Once the configuration file syntax is correct, reload Apache to load the new configuration:
- sudo systemctl reload apache2
With these changes in effect, Certbot will be able to find the correct VirtualHost block and update it.
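Certbot discovers the names it will request from the ServerName and ServerAlias directives, so the two names your DNS records point at (your_domain and www.your_domain) must both be declared, spelled correctly and not commented out. The following is an added example, not part of this tutorial or of Certbot: a small POSIX shell script that extracts those directives from a virtual host file and reports which expected names are missing. The domain, the sample virtual host it writes to a temporary file, and the /etc/apache2/sites-available/your_domain.conf path in the usage comment are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the tutorial): check which names Certbot's Apache
# plugin will discover in a virtual host file before running certbot.

# vhost_names FILE
#   Prints every value given to ServerName or ServerAlias, one per line.
#   Comments are stripped first so a commented-out directive is not counted;
#   directive names are compared case-insensitively, as Apache does.
vhost_names() {
    sed -e 's/#.*//' "$1" \
      | awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
                 for (i = 2; i <= NF; i++) print $i
             }'
}

# vhost_has_name FILE NAME
#   Exit status 0 if NAME is declared exactly (fixed string, whole line).
vhost_has_name() {
    vhost_names "$1" | grep -qxF -- "$2"
}

# check_vhost FILE DOMAIN
#   Prints "ok" when both DOMAIN and www.DOMAIN are declared, otherwise
#   "missing: <names>" so the operator knows what to add before running certbot.
check_vhost() {
    missing=""
    for name in "$2" "www.$2"; do
        vhost_has_name "$1" "$name" || missing="$missing $name"
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# Constructed sample virtual host, standing in for
# /etc/apache2/sites-available/your_domain.conf on a real server.
SAMPLE_VHOST=$(mktemp)
cat > "$SAMPLE_VHOST" <<'EOF'
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
    # ServerAlias old.your_domain   (commented out, so not counted)
</VirtualHost>
EOF

# Usage on the real server (hypothetical path):
#   check_vhost /etc/apache2/sites-available/your_domain.conf your_domain
# then validate the syntax and reload, exactly as the tutorial does:
#   sudo apache2ctl configtest && sudo systemctl reload apache2
check_vhost "$SAMPLE_VHOST" your_domain
```

The script only reads the file; it does not edit it. A misspelled directive such as SeverAlias is not matched and therefore shows up as a missing name, which is the same failure you would otherwise only notice when Certbot lists fewer domains than expected.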
Next, you’ll update your firewall to allow HTTPS traffic.
Step 3 — Allowing HTTPS Through the Firewall
If you have the UFW firewall enabled, as recommended by the prerequisite guides, you will need to adjust the settings to allow HTTPS traffic. Apache registers a few UFW application profiles upon installation, and you can use the Apache Full profile to allow both HTTP and HTTPS traffic on your server.
Check the type of traffic currently allowed on the server by running the following:
- sudo ufw status
If you followed one of our Apache installation guides, your output will look like the following, which means that only HTTP traffic is allowed on port 80:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)
To additionally allow HTTPS traffic, allow the Apache Full profile:
- sudo ufw allow 'Apache Full'
Then, delete the now-redundant Apache profile:
- sudo ufw delete allow 'Apache'
Check the status again:
- sudo ufw status
You should receive the following output:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
You are now ready to run Certbot and obtain your certificates.
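Because the two status listings above differ only in the profile names, it is easy to miss a leftover rule when checking them by eye. The following is an added example, not part of this tutorial or of UFW: POSIX shell functions that read the text printed by ufw status and report whether the firewall is in the state this step expects (active, Apache Full allowed for IPv4 and IPv6, and the HTTP-only Apache profile removed). The status text embedded in the script is constructed to match the output shown above; on a real server you would pass in the output of sudo ufw status instead.

```shell
#!/bin/sh
# Added example (not from the tutorial): check ufw's status output for the
# firewall state Step 3 expects, before running certbot.

# Constructed sample: what `sudo ufw status` prints after this step on a
# server that followed the tutorial (same layout as the output shown above).
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)'

# ufw_allows STATUS_TEXT PROFILE
#   Exit status 0 if PROFILE has an ALLOW rule. The profile name must be
#   followed directly by whitespace and ALLOW, so "Apache" does not match
#   "Apache Full" or "Apache (v6)". PROFILE is an extended regex, so
#   parentheses in a v6 profile name must be escaped by the caller.
ufw_allows() {
    printf '%s\n' "$1" | grep -Eq "^$2[[:space:]]+ALLOW[[:space:]]"
}

# firewall_ready STATUS_TEXT
#   Prints "ok" when the firewall is active, Apache Full is allowed for IPv4
#   and IPv6, and the HTTP-only Apache profile has been removed; otherwise
#   prints the first problem found and returns 1.
firewall_ready() {
    status="$1"
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "ufw is not active"; return 1; }
    ufw_allows "$status" 'Apache Full' \
        || { echo "Apache Full (IPv4) is not allowed"; return 1; }
    ufw_allows "$status" 'Apache Full \(v6\)' \
        || { echo "Apache Full (v6) is not allowed"; return 1; }
    ufw_allows "$status" 'Apache' \
        && { echo "redundant Apache profile still present"; return 1; }
    echo ok
}

# Usage on a real server:  firewall_ready "$(sudo ufw status)"
firewall_ready "$SAMPLE_STATUS"
```

The check is deliberately strict about the leftover Apache profile: leaving it in place does not open anything extra, but it hides the fact that the rule set is no longer the one you intended, which is exactly the kind of drift a later audit should be able to catch.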
Step 4 — Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the configuration when necessary. To use this plugin, run the following:
- sudo certbot --apache
This command will produce a series of prompts to configure your SSL certificate. First, you will be asked to provide a valid email address, which is used for renewal notifications and security notices:
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): you@your_domain
After providing a valid e-mail address, press ENTER to proceed to the next step. You will then be asked to confirm whether you agree to Let’s Encrypt’s terms of service. Confirm by pressing A and then ENTER:
Output
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
Next, you will be asked if you would like to share your email with the Electronic Frontier Foundation to receive news and other information. If you do not want to subscribe, press N; otherwise, press Y. Then press ENTER to proceed to the next step:
Output
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
The next prompt asks which domains you want to enable HTTPS for. The listed domain names are taken automatically from your Apache virtual host configuration, which is why it was important to confirm that the ServerName and ServerAlias settings on the virtual host are correct. If you want to enable HTTPS for all listed domain names (recommended), leave the prompt blank and press ENTER to proceed. Otherwise, select the domains you want to enable HTTPS for by listing each appropriate number, separated by commas and/or spaces, then press ENTER:
Output
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your_domain
2: www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Certbot then requests the certificate, completes the http-01 challenge for each name, and writes a new SSL virtual host for your domain:
Output
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your_domain
http-01 challenge for www.your_domain
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/your_domain-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
You will then be prompted to select whether or not you want HTTP traffic redirected to HTTPS. In practice, this means that when someone visits your website through unencrypted channels (HTTP), they will be automatically redirected to the HTTPS address of your website. Choose 2 to enable the redirection, or 1 if you want to keep both HTTP and HTTPS as separate methods of accessing your website:
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
After this step, Certbot’s configuration is finished, and you will be presented with final remarks about your new certificate, where to locate the generated files, and how to test your configuration using an external tool that analyzes your certificate’s authenticity:
Output
Congratulations! You have successfully enabled https://your_domain and
https://www.your_domain

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 - Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your certificate will expire on 2022-03-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Your certificates are now downloaded, installed, and loaded into the Apache configuration. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon in the address bar.
You can use the SSL Labs Server Test to verify your certificate’s grade and obtain detailed information about it, from the perspective of an external service.
In the next step, you’ll test Certbot’s auto-renewal feature, which ensures that your certificate will automatically renew before the expiration date.
Step 5 — Verifying Certbot Auto-Renewal
Let’s Encrypt certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process and ensure that misused certificates or stolen keys expire sooner rather than later.
The certbot package you installed takes care of renewals by including a renewal script in /etc/cron.d, which is managed by a systemd timer called certbot.timer. This timer runs twice a day and will automatically renew any certificate that is within thirty days of expiration.
Check the status of this timer and make sure it is active and running:
- sudo systemctl status certbot.timer
You will receive output similar to the following:
Output
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Tue 2021-12-07 20:04:42 UTC; 1h 45min ago
  Trigger: Wed 2021-12-08 11:22:45 UTC; 13h left

Dec 07 20:04:42 encrypt systemd[1]: Started Run certbot twice daily.
Test the renewal process by doing a dry run with certbot:
- sudo certbot renew --dry-run
If you don’t receive errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the auto-renewal process fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
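The dry run proves that Certbot can renew today, but a timer that silently stops firing is the usual way a ninety-day certificate ends up expiring. The following is an added example, not part of this tutorial or of Certbot: POSIX shell functions that reproduce the renewal decision described above (renew once thirty or fewer days remain) from an expiry date and the current time, so an independent monitor can alert if the certificate drifts into the renewal window without being replaced. The issue and expiry dates embedded below are constructed to mirror the 2022-03-07 expiry shown in Step 4; the openssl helper assumes GNU date, as shipped on Ubuntu, and the /etc/letsencrypt/live/your_domain/fullchain.pem path in the usage comment comes from the Certbot output above.

```shell
#!/bin/sh
# Added example (not from the tutorial or from Certbot): reproduce the renewal
# decision that certbot.timer drives, so that an operator can alert
# independently if the timer ever stops firing. Times are Unix epoch seconds.

RENEW_WINDOW_DAYS=30    # the tutorial: certbot renews within 30 days of expiry
CERT_LIFETIME_DAYS=90   # Let's Encrypt certificates are valid for 90 days

# days_left EXPIRY_EPOCH NOW_EPOCH
#   Whole days until expiry (negative once the certificate has expired).
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# renewal_state EXPIRY_EPOCH NOW_EPOCH
#   Prints "expired", "due" (inside the 30-day window: certbot would renew now)
#   or "ok" (outside the window: "certbot renew" is a no-op).
renewal_state() {
    d=$(days_left "$1" "$2")
    if [ "$d" -lt 0 ]; then
        echo expired
    elif [ "$d" -le "$RENEW_WINDOW_DAYS" ]; then
        echo due
    else
        echo ok
    fi
}

# cert_expiry_epoch PEM_FILE
#   Reads notAfter from a certificate with openssl and converts it to epoch
#   seconds with GNU date. Assumes both tools are installed (they are on
#   Ubuntu 18.04); not exercised by the constructed scenario below.
cert_expiry_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    date -u -d "$end" +%s
}

# Constructed scenario mirroring the tutorial's output: a certificate issued
# on 2021-12-07 00:00:00 UTC expires 90 days later, on 2022-03-07.
ISSUED_EPOCH=1638835200
EXPIRY_EPOCH=$(( ISSUED_EPOCH + CERT_LIFETIME_DAYS * 86400 ))

# Usage on a real server (path from the Certbot output in Step 4):
#   renewal_state "$(cert_expiry_epoch /etc/letsencrypt/live/your_domain/fullchain.pem)" "$(date +%s)"
# A result of "due" that persists across two timer runs (one day) means the
# timer or the renewal itself is failing and should be investigated.
echo "day 10 after issue:  $(renewal_state "$EXPIRY_EPOCH" $(( ISSUED_EPOCH + 10 * 86400 )))"
echo "day 61 after issue:  $(renewal_state "$EXPIRY_EPOCH" $(( ISSUED_EPOCH + 61 * 86400 )))"
echo "day 91 after issue:  $(renewal_state "$EXPIRY_EPOCH" $(( ISSUED_EPOCH + 91 * 86400 )))"
```

Running the script prints ok, due and expired for the three constructed dates. The useful alert is not "expired" but "due" that does not clear: with the timer running twice a day, a healthy server spends at most a few hours in the due state before the renewed certificate moves it back to ok.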
Conclusion
In this tutorial, you installed the Let’s Encrypt client certbot, configured and installed SSL certificates for your domain, and confirmed that the Certbot auto-renewal timer is active in systemd. If you have further questions about using Certbot, its documentation is a good place to start.