Secure Apache Server with Let’s Encrypt on Ubuntu
Posted on July 24th, 2019
Let’s Encrypt is an authority that provides SSL certificates for free to anyone. You just have to verify the domain name ownership and you can issue SSL certificates for that domain name forever. In this short article, I will show you how to use Let’s Encrypt to secure your Apache Server.
Here, the term “secure” means securing our domain names with SSL certificates that we will issue from the Let’s Encrypt authority. The security these SSL certificates provide is really good, as hundreds of thousands of websites depend on Let’s Encrypt for SSL certificates.
As a prerequisite to following this guide, make sure that you have Apache properly configured on your server. Do not worry if you have multiple virtual hosts on your server, because Certbot handles virtual hosts well.
If you haven’t installed and configured Apache server yet, follow this guide. Once done, continue following this article.
Install Apache Let’s Encrypt on Ubuntu
It is very easy to install Let’s Encrypt’s Certbot on Ubuntu to secure our Apache server. We just have to execute a couple of commands on our server via SSH. Make sure you have root access to the server. If you do not have root access, you must have sudo privileges because we have to install some packages and add repositories.
Execute the commands given below to install Certbot for the Apache web server on your Ubuntu machine.
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-apache
It will take a minute or two to install Certbot with the Apache plugin on the server. Once done, we can start issuing SSL certificates for applications hosted on our server.
As the Certbot is installed, Let’s learn how to issue the SSL certificate for an example application hosted on our server with the domain name
Issue and Configure SSL Certificate
Whenever you want to install an already issued SSL certificate on your server, you have to update your virtual host files and include the SSL certificate file path to let Apache know that there is an SSL certificate for this specific website.
However, if you don’t know how to deal with virtual host files, you can let Certbot handle it for you. So, in this section of the article, we will see how we can issue and configure the SSL certificate with a single command.
Make sure that the DNS of your domain names is correct and that the domain name(s) point to the right server. The DNS has to be correct because that is what lets us verify the domain name. If we cannot verify ownership of the domain name, Let’s Encrypt will not provide us with the SSL certificate to use on it.
So, make sure that you can open the website hosted on the server you are working on right now using your domain name. Once you are sure about it, execute the following command.
$ sudo certbot --apache -d example.com
Do not forget to replace the domain name with the actual domain name. Note that this command is interactive. It will ask you some questions to help you set up the SSL certificate.
The first thing it will ask you for is your e-mail address. Enter the correct e-mail address, because they will contact you at that address in case an SSL certificate is about to expire.
The second thing it will ask you for is your agreement with Let’s Encrypt’s Terms of Service. The process will move further only if you agree with the terms. Then it will ask you if you would like to share your e-mail address with the founding partner of Let’s Encrypt. It’s up to you whether you want to share your e-mail address or not.
After asking you these questions, it will start issuing an SSL certificate for your domain name(s). Finally, it will ask you if you want to redirect all the traffic from HTTP to HTTPS. Say Yes and it will update your virtual host file accordingly.
Issue SSL Certificate Only
If you are a technical person who can deal with virtual hosts, you might like this option. There is an option available in Certbot that you can use to just issue an SSL certificate for your domain names. Once the SSL certificate is issued, you can update your virtual host files manually.
To issue an SSL certificate without letting Certbot touch your virtual host files, execute the command with the certonly option, just like the following example.
$ sudo certbot certonly --apache -d example.com
Notice the extra certonly argument that we passed along with the Certbot command. Now, what if you want to issue an SSL certificate for multiple domain names?
Issue SSL certificate for multiple domains
If you want a single SSL certificate for a group of domain names, you can pass multiple domain names with the -d option, separated by a comma, just like the following example.
$ sudo certbot --apache -d example.com,www.example.com
Or, you can also pass multiple domain names with multiple -d options, just like this.
$ sudo certbot --apache -d example.com -d www.example.com
So, these are the two ways to issue a single SSL certificate for multiple domain names. You can add up to 100 domain/subdomain names in a single SSL certificate. Now, let’s learn how to renew these SSL certificates.
Renewing SSL Certificates
The SSL certificates issued by Let’s Encrypt have a short expiry: each certificate has 90 days of validity. After 90 days, we have to renew our SSL certificates to keep our websites running on HTTPS.
However, it is very easy to renew SSL certificates with Let’s Encrypt’s Certbot. Just execute the following command and Certbot will renew all the certificates that exist on your server.
$ sudo certbot renew
But, you don’t have to log in to your server to run this command whenever the SSL certificates are about to expire. It is because Certbot will automatically run this command twice a day starting from the day you install Certbot on your server.
It means that if you are using Certbot to issue and manage SSL certificates provided by Let’s Encrypt, your certificates will be renewed automatically.
To make sure that your SSL certificates will renew successfully, you can simulate the renewal process. Execute the same command with the --dry-run option to simulate the process instead of sending a request to Let’s Encrypt. Here is an example.
$ sudo certbot renew --dry-run
You can also dry run a command to issue the SSL certificate for the first time. If you do not face any error while simulating the issue process, you will surely not face any issue while actually renewing or issuing the SSL certificate.
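Automatic renewal can fail silently, so it is worth checking the certificates on disk as well as running the dry run. The script below is an added example, not part of the original article or of Certbot. It assumes Certbot's default layout of /etc/letsencrypt/live/<name>/cert.pem and its default policy of renewing once fewer than 30 days remain, and it reports any certificate that should already have been renewed. The make_sample_cert helper only creates constructed self-signed certificates for trying the check out.

```shell
#!/bin/sh
# Report certificates that are past the point where Certbot should have renewed them.
# Assumption: Certbot's default policy renews once fewer than 30 days remain.
RENEW_WINDOW_DAYS=30

# cert_status FILE [DAYS] prints one of: ok, due, expired, unreadable
cert_status() (
    cert=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    # Reject anything that is not a parseable X.509 certificate.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || { echo unreadable; exit 0; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo due        # inside the renewal window: auto-renewal has not happened
    else
        echo ok
    fi
)

# scan_live_dir DIR prints "<name> <status>" for every DIR/<name>/cert.pem
scan_live_dir() (
    for cert in "$1"/*/cert.pem; do
        [ -e "$cert" ] || continue      # glob matched nothing, or DIR is unreadable
        printf '%s %s\n' "$(basename "$(dirname "$cert")")" "$(cert_status "$cert")"
    done
)

# make_sample_cert FILE DAYS writes a constructed self-signed certificate (demo only).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.com" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
    rm -f "$1.key"
}

# Run as root, because Certbot keeps the live directory readable by root only.
# LIVE_DIR is a hypothetical override for pointing the scan at a test directory.
scan_live_dir "${LIVE_DIR:-/etc/letsencrypt/live}"
```

Any line ending in due or expired means the twice-daily renewal job is not doing its work for that certificate, which is the moment to run the dry run and read its error output.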
Conclusion: So, this is how simple it is to keep your sites protected with an SSL certificate all the time. Let’s Encrypt is doing a good job of providing SSL certificates to everyone for free, and tools like Certbot make it easier to issue SSL certificates from the Let’s Encrypt authority. It just takes a few commands to issue a brand new SSL certificate for a single domain name or a group of domain names, based on the requirements of your application.
Let us know if you need help installing Let’s Encrypt Certbot to secure Apache on your server. You can write down the problem or a question in the comment section given below, or contact us via the support section.