How to Setup Let’s Encrypt with Apache on Ubuntu Linux

This article provides a guide on setting up free Let’s Encrypt SSL certificates on an Ubuntu server running Apache. It details the installation of Certbot, the process to generate and configure SSL certificates, and how to automate their renewal. This ensures secure HTTPS communication for websites without incurring costs.

This article explains how to set up Let’s Encrypt free SSL certificates on Ubuntu Linux with Apache HTTP web server. Let’s Encrypt is a free, automated, open certificate authority created by the nonprofit Internet Security Research Group (ISRG).

Instead of purchasing an SSL certificate for your website and other applications, one can use Let’s Encrypt free SSL certificates to secure their web portals and applications. Let’s Encrypt SSL certificates, which are valid for 90 days. However, you can create an automated process to automatically renew before expiring.

If you’re operating a website or need to secure your application with HTTPS, then Let’s Encrypt certificates are outstanding. You can save yourself pretty pennies using it.

For this post, we will use the Let’s Encrypt free SSL certificate to secure a website powered by Apache. Your Apache website will be able to communicate over HTTPS.

To use Let’s Encrypt on Ubuntu Linux to secure Apache, follow the steps below.

How to install Certbot on Ubuntu Linux

Certbot is a command line tool that automates acquiring and renewing Let’s Encrypt SSL certificates. There are other tools to perform the same tasks, but Certbot is efficient and easy to use.

To install Certbot on Ubuntu, run the commands below.

sudo apt update
sudo apt install certbot

How to generate Let’s Encrypt certificates for Ubuntu Linux

Now that Certbot is installed, you can generate Let’s Encrypt SSL certificates on Ubuntu Linux.

We will use the Webroot plugin to automate the certificate generation and renewal. This plugin uses the /well-known/acme-challenge directory at the web server root to validate that the Certbot server resolves the requested domain.

We will create a challenge/response Alias to allow Let’s Encrypt to validate the server for which the certificates were generated. To do that, run the commands below.

To do that, run the commands below to create a configuration file called well-known.conf in the /etc/apache2/conf-available directory. This directory contains all configurations you want to use with the Apache web server. All config files are automatically included in Apache’s main configuration file.

sudo nano /etc/apache2/conf-available/well-known.conf

Then copy and paste the content below into the file and save it.

Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"

<Directory "/var/www/html/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

The configuration file above allows Let’s Encrypt to validate the web server using the Webroot plugin.

Before SSL and HTTPS, a typical Apache VirtualHost file should look like the one below.

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin admin@example.com
  DocumentRoot /var/www/example.com
    
  <Directory /var/www/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
    
</VirtualHost>

How to generate Dh (Diffie-Hellman) Group

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys. In most SSL configurations, you’ll want to generate a strong Diffie-Hellman key group.

Run the commands below to generate a key in the /etc/ssl/cert directory on Ubuntu Linux.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

How to obtain Let’s Encrypt certificates on Ubuntu Linux

At this point, you should be ready to obtain a free certificate from Let’s Encrypt. Before you generate your free certificates, run the commands below to enable these Apache modules for SSL, Headers, and HTTP version 2.

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod http2

Also, enable the configuration files we created in the conf-available directory.

sudo a2enconf well-known.conf

Once complete, reload Apache by running the commands below.

sudo systemctl reload apache2

Now you’re ready to generate Let’s Encrypt SSL certificates. Run the commands below, replacing example.com with your domain to generate Let’s Encrypt SSL certificates.

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/www/html -d example.com -d www.example.com

A successful certificate generation message will look similar to the one below:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-09-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can now use the certificate and key in your Apache VirtualHost configurations.

Your new configuration, after adding recommended SSL settings, should look similar to the one below:

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com

  Protocols h2 http:/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>
  
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
  
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCompression off
  SSLUseStapling on

  Header always set Strict-Transport-Security "max-age=63072000"

  <Directory /var/www/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>
 
</VirtualHost>

Make changes to the configurations above to suit your environment. However, the settings above should work in most Apache environments.

How to auto-renew Let’s Encrypt certificates

Once the certificate is generated, you can set up a process to renew the certificates automatically. By default, it expires in 90 days. Setting up a process so you don’t have to remember to renew is the best option.

The certbot package creates a cronjob and a system timer to renew the certificates automatically before expiration. The timer will automatically renew the certificates 30 days before their expiration.

The crontab file is created at the location below.

cat /etc/cron.d/certbot

If you make changes to the file, you should save and exit.

You can now use the certificate and key files above to enable HTTPS in your Apache configurations.

Conclusion:

  • Let’s Encrypt provides a free and automated way to secure your website with SSL certificates.
  • Setting up Let’s Encrypt on Ubuntu with Apache is straightforward and can be completed by following the above steps.
  • Regularly renewing your SSL certificate is crucial, and Certbot automates this process.
  • Implementing SSL not only enhances security but also improves the credibility of your website.
  • Let’s Encrypt saves you on costs typically associated with purchasing SSL certificates while ensuring your site is secure.

Comments

  1. There is a mistake in the above configuration of the virtualhost.

    SSLUseStapling on

    should not be inside a virtualhost but depending on the distribution in conf/extra/httpd-ssl.conf for normal open source builds of httpd, /etc/apache2/mods-enabled/ssl.conf for the Ubuntu or Debian-bundled httpd, etc.
    source: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#ocspstapling

    Also the above page includes that only SSLUseStapling on doesn’t work. you need to add :

    SSLStaplingCache “shmcb:{LOCATION}/ssl_stapling(32768)”

    and the location {LOCATION} should be…

    “…The path on the SSLStaplingCache directive (e.g., {lOCATION}) should match the one on the SSLSessionCache directive. This path is relative to ServerRoot.”

  2. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  3. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  4. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  5. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  6. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  7. […] How to set up Let’sLet’sypt SSL certificate for Apache on Ubuntu Linux […]

  8. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  9. […] to install BoxBilling on Ubuntu Linux with Apache HTTP web server. It also has a link to set up free Let’s Encrypt SSL certificates to secure your billing […]

  10. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  11. […] How to set up Let’s Encrypt with Apache on Ubuntu Linux […]

  12. […] How to set up Let’s Encrypt SSL certificate with Apache on Ubuntu […]

  13. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  14. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  15. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  16. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  17. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  18. […] How to set up Let’s Encrypt SSL certificate for Apache on Ubuntu Linux […]

  19. […] server. Username and password are sent with plain text on Basic Authentication, so you want to set up SSL/TLS before transmitting […]

  20. […] Use this post to set up an SSL connection with Apache. […]

Leave a Reply

Your email address will not be published. Required fields are marked *