This post shows students and new users how to configure Let’s Encrypt free SSL certificates on Ubuntu Linux with Apache HTTP web server. Let’s Encrypt is a free, automated, open certificate authority created by the nonprofit Internet Security Research Group (ISRG).

Instead of buying an SSL certificate for your website and other applications, you can use Let’s encrypt free SSL certificates to protect your web portals and applications. Let’s Encrypt SSL certificates are valid for 90 days. However, you can create an automated process to automatically renew before it expires.

If you are going to operate a website or need to protect your application with HTTPS, Let’s Encrypt certificates are great. You can save a few pennies by using it.

For this post, we will use the free Let’s Encrypt SSL certificate to protect an Apache-powered website. Your Apache website will be able to communicate over HTTPS.

To get started using Let’s Encrypt on Ubuntu Linux to protect Apache, follow the steps below.

How to install Installing Certbot on Ubuntu Linux

Certbot is a command line tool that automates Let’s Encrypt SSL certificate acquisition and renewal tasks. There are other tools to perform the same tasks, but Certbot is efficient and easy to use.

To install Certbot on Ubuntu, run the following commands.

sudo apt update
sudo apt install certbot

How to generate Let’s Encrypt certificates for Ubuntu Linux

Now that Certbot is installed, you can start generating Let’s Encrypt SSL certificates on Ubuntu Linux.

To automate the generation and renewal of certificates, we will use the Webroot plugin. This plugin uses /.well-known/acme-challenge directory at the root of the web server to validate that the requested domain resolves to the server running Certbot.

Let’s create a challenge / response directory for Let’s Encrypt to validate the server for which the certificates were generated. To do that, run the following commands:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

Next, create Let’s Encrypt configurations to use the above directory for challenge / response validations.

To do that, run the following commands to create a configuration file called well known.conf at / etc / apache2 / conf-available directory. This directory contains all the settings that you want to use with the Apache web server. All configuration files are automatically included in Apache’s main configuration file.

sudo nano /etc/apache2/conf-available/well-known.conf

Then copy and paste the content below into the file and save it.

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS

How to generate a Dh group (Diffie-Hellman)

Diffie-Hellman (DH) key exchange is a method of securely exchanging cryptographic keys. In most SSL configurations, you will want to generate a strong Diffie-Hellman key group.

Run the following commands to generate a key in the / etc / ssl / cert directory on Ubuntu Linux.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Next, create an SSL configuration file in the / etc / apache2 / conf-available directory to use with Apache. Instead of copying the configuration and duplicating it for each VirtualHost, you can simply create a file in the conf-available directory and reference in VirtualHost settings.

Run the following commands to create the SSL configuration file called ssl-settings.conf.

sudo nano /etc/apache2/conf-available/ssl-settings.conf

Then copy and paste the content below into the file and save it.

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 

Header always set Strict-Transport-Security "max-age=63072000"

The above snippet was generated from Mozilla’s recommendations. setting.

After saving the above file, run the following commands to enable the SSL and HTTP version 2 module for Apache.

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod http2

Also enable the configuration files that we include in the conf-available directory.

sudo a2enconf well-known.conf
sudo a2enconf ssl-settings.conf

Once complete, restart Apache by running the following commands.

sudo systemctl reload apache2

You are now ready to generate Let’s Encrypt SSL certificates. Run the following commands, replacing the with your own domain to generate Let’s Encrypt SSL certificates.

sudo certbot certonly --agree-tos --email --webroot -w /var/lib/letsencrypt/ -d -d

A successful certificate generation message will look similar to the following:

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2021-09-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Now you can use the certificate and key in your Apache VirtualHost configurations.

How to automatically renew Let’s Encrypt certificates

Now that the certificate has been generated, you can configure a process to automatically renew the certificates. By default, it expires in 90 days. Setting up a process so you don’t have to remember to renew is the best option.

To do that, run the following commands to edit crontab in Ubuntu.

sudo crontab -e

Then add the line below and save …

0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log

Save and exit.

Now you can use the certificate and key files mentioned above in your Apache configurations to enable HTTPS.


In this tutorial we have seen how to use the free Let’s Encrypt SSL certificate to protect the Apache HTTP server. If you find any errors above or have something to add, use the comment form below to do so.

Write A Comment