This post shows students and new users how to set up Let’s Encrypt free SSL certificates on Ubuntu Linux with the Apache HTTP web server. Let’s Encrypt is a free, automated, and open certificate authority created by the nonprofit Internet Security Research Group (ISRG).
Instead of purchasing an SSL certificate for your website and other applications, you can use Let’s Encrypt free SSL certificates to secure your web portals and applications. Let’s Encrypt SSL certificates are valid for 90 days. However, you can create an automated process that renews them before they expire.
If you’re going to be operating a website or need to secure your application with HTTPS, then Let’s Encrypt certificates are a great choice, and you can save yourself a pretty penny by using them.
For this post, we’re going to use a Let’s Encrypt free SSL certificate to secure a website powered by Apache. Your Apache website will then be able to communicate over HTTPS.
To get started with using Let’s Encrypt on Ubuntu Linux to secure Apache, follow the steps below.
How to install Certbot on Ubuntu Linux
Certbot is a command line tool that automates the tasks of acquiring and renewing Let’s Encrypt SSL certificates. There are other tools to perform the same tasks, but Certbot is efficient and easy to use.
To install Certbot on Ubuntu, run the commands below.
sudo apt update
sudo apt install certbot
How to generate Let’s Encrypt certificates for Ubuntu Linux
Now that Certbot is installed, you can begin generating Let’s Encrypt SSL certificates on Ubuntu Linux.
To automate the certificate generation and renewal, we’re going to use the Webroot plugin. This plugin uses the /.well-known/acme-challenge directory at the web server root to validate that the requested domain resolves to the server running Certbot.
We’re going to create a challenge/response Alias to allow Let’s Encrypt to validate the server for which the certificates are generated.
To do that, run the commands below to create a configuration file called well-known.conf in the /etc/apache2/conf-available directory. This directory holds the configuration snippets you want to use with the Apache web server; once enabled, each file is included in Apache’s main configuration.
sudo nano /etc/apache2/conf-available/well-known.conf
Then copy and paste the content below into the file and save.
Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
The configuration file above allows Let’s Encrypt to validate the web server using the Webroot plugin.
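To see what that Alias actually has to deliver, here is an added simulation of the HTTP-01 round trip (this is example code, not part of the original post or of Certbot): one side plays the Webroot plugin and drops the key authorization file into the challenge directory, the other side plays the CA and fetches it over plain HTTP. The token and account thumbprint are constructed placeholders, and a temporary directory served by Python’s built-in HTTP server stands in for /var/www/html.

```python
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path


def write_challenge(webroot, token, key_authz):
    """Webroot-plugin side: place the key authorization under .well-known/acme-challenge."""
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    (challenge_dir / token).write_text(key_authz)


def validate_http01(base_url, token, key_authz):
    """CA side: fetch the token over HTTP (port 80 in production) and compare the body.
    Any error (404, connection refused, timeout) means validation fails."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode().strip() == key_authz
    except (urllib.error.URLError, OSError):
        return False


def demo():
    """Run validation before and after the file exists; returns (before, after)."""
    with tempfile.TemporaryDirectory() as webroot:  # stands in for /var/www/html
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base_url = f"http://127.0.0.1:{server.server_address[1]}"

        token = "constructed-token-abc123"                      # constructed, not a real ACME token
        key_authz = token + ".CONSTRUCTED_ACCOUNT_THUMBPRINT"   # real format is token.<JWK thumbprint>

        before = validate_http01(base_url, token, key_authz)    # file missing -> 404 -> False
        write_challenge(webroot, token, key_authz)
        after = validate_http01(base_url, token, key_authz)     # file served -> True

        server.shutdown()
        server.server_close()
        return before, after


if __name__ == "__main__":
    print(demo())
```

If the second check fails on a real server, the usual causes are an Alias pointing at a different directory than the -w argument given to certbot, or a rewrite rule that sends /.well-known/ to HTTPS before the challenge is answered.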
Before SSL and HTTPS, a typical Apache VirtualHost file should look like the one below.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/example.com

    <Directory /var/www/example.com/>
        Options FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
How to generate a DH (Diffie-Hellman) group
Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys. In most SSL configurations, you’ll want to generate a strong Diffie-Hellman key group.
Run the command below to generate a 2048-bit DH parameter file in the /etc/ssl/certs directory on Ubuntu Linux.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
How to obtain Let’s Encrypt certificates on Ubuntu Linux
At this point, you should be ready to obtain a free certificate from Let’s Encrypt. Before you generate your free certificates, run the commands below to enable these Apache modules for SSL, Headers and HTTP version 2.
sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod http2
Also enable the configuration files we created in the conf-available directory.
sudo a2enconf well-known.conf
Once complete, reload Apache by running the commands below.
sudo systemctl reload apache2
Now you’re ready to generate Let’s Encrypt SSL certificates. Run the command below, replacing example.com with your own domain.
sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/www/html -d example.com -d www.example.com
A successful certificate generation message will look similar to the one below:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-09-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:
You can now use the certificate and key in your Apache VirtualHost configurations.
Your new configuration after adding recommended SSL settings should look similar to the one below:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # Everything on plain HTTP goes to the HTTPS site
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    Protocols h2 http/1.1

    # Canonicalise www.example.com onto example.com
    <If "%{HTTP_HOST} == 'www.example.com'">
        Redirect permanent / https://example.com/
    </If>

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # Only TLS 1.2 and newer are accepted
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression off
    # Note: SSLUseStapling also needs an SSLStaplingCache directive in the global server config, outside any VirtualHost
    SSLUseStapling on
    # HSTS: browsers remember to use HTTPS for two years
    Header always set Strict-Transport-Security "max-age=63072000"

    <Directory /var/www/example.com/>
        Options FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Adjust the configuration above to suit your environment. However, the settings above should work in most Apache environments.
How to auto renew Let’s Encrypt certificates
Now that the certificate is generated, you can set up a process to renew it automatically. By default, it expires in 90 days, so setting up a process so you don’t have to remember to renew it is the best option.
To renew the certificates before they expire, the certbot package installs both a cron job and a systemd timer. The timer renews any certificate that is within 30 days of expiring.
The cron file is created at the location below.
cat /etc/cron.d/certbot
If you make changes to the file, save and exit when you’re done.
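To confirm the renewal window described above is actually being met, here is an added expiry checker (example code, not part of the original post or of Certbot) that connects to the site with full chain verification, reads the leaf certificate’s notAfter, and flags it when fewer than 30 days remain. The hostname and port are assumed placeholders; the date strings in the check are constructed and use the same 2021-09-07 expiry shown in the certbot output above.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # certbot's default threshold, as described above


def days_until_expiry(not_after, now=None):
    """not_after is the string getpeercert() returns, e.g. 'Sep  7 00:00:00 2021 GMT'.
    Returns a float number of days (negative once the certificate has expired)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400


def needs_renewal(days_left, window=RENEW_WINDOW_DAYS):
    """True when the certificate is inside the renewal window (or already expired)."""
    return days_left <= window


def fetch_not_after(hostname, port=443):
    """Perform a verified TLS handshake and return the served leaf cert's notAfter.
    A handshake failure (bad chain, expired cert, wrong name) raises ssl.SSLError."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, TLS 1.2+ on modern Pythons
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def check_site(hostname, port=443):
    """Returns (days_left, needs_renewal) for a live site; exits non-zero if inside the window."""
    days_left = days_until_expiry(fetch_not_after(hostname, port))
    return days_left, needs_renewal(days_left)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed placeholder host
    days, renew = check_site(host)
    print(f"{host}: {days:.1f} days left, renewal due: {renew}")
    sys.exit(1 if renew else 0)
```

Run it from the renewal timer’s point of view, and pair it with sudo certbot renew --dry-run, which exercises the whole webroot challenge without issuing a real certificate.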
You can now use the certificate and key files referenced above in your Apache configurations to enable HTTPS.
Conclusion:
This post showed you how to use a Let’s Encrypt free SSL certificate to secure Apache HTTP Server. If you find any error above or have anything to add, please use the comment form below to do so.