This post shows students and new users how to configure Let’s Encrypt free SSL certificates on Ubuntu Linux with Apache HTTP web server. Let’s Encrypt is a free, automated, open certificate authority created by the nonprofit Internet Security Research Group (ISRG).
Instead of buying an SSL certificate for your website and other applications, you can use Let’s encrypt free SSL certificates to protect your web portals and applications. Let’s Encrypt SSL certificates are valid for 90 days. However, you can create an automated process to automatically renew before it expires.
If you are going to operate a website or need to protect your application with HTTPS, Let’s Encrypt certificates are great. You can save a few pennies by using it.
For this post, we will use the free Let’s Encrypt SSL certificate to protect an Apache-powered website. Your Apache website will be able to communicate over HTTPS.
To get started using Let’s Encrypt on Ubuntu Linux to protect Apache, follow the steps below.
How to install Installing Certbot on Ubuntu Linux
Certbot is a command line tool that automates Let’s Encrypt SSL certificate acquisition and renewal tasks. There are other tools to perform the same tasks, but Certbot is efficient and easy to use.
To install Certbot on Ubuntu, run the following commands.
sudo apt update sudo apt install certbot
How to generate Let’s Encrypt certificates for Ubuntu Linux
Now that Certbot is installed, you can start generating Let’s Encrypt SSL certificates on Ubuntu Linux.
To automate the generation and renewal of certificates, we will use the Webroot plugin. This plugin uses /.well-known/acme-challenge directory at the root of the web server to validate that the requested domain resolves to the server running Certbot.
Let’s create a challenge / response directory for Let’s Encrypt to validate the server for which the certificates were generated. To do that, run the following commands:
sudo mkdir -p /var/lib/letsencrypt/.well-known sudo chgrp www-data /var/lib/letsencrypt sudo chmod g+s /var/lib/letsencrypt
Next, create Let’s Encrypt configurations to use the above directory for challenge / response validations.
To do that, run the following commands to create a configuration file called well known.conf at / etc / apache2 / conf-available directory. This directory contains all the settings that you want to use with the Apache web server. All configuration files are automatically included in Apache’s main configuration file.
sudo nano /etc/apache2/conf-available/well-known.conf
Then copy and paste the content below into the file and save it.
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/" <Directory "/var/lib/letsencrypt/"> AllowOverride None Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Require method GET POST OPTIONS </Directory>
How to generate a Dh group (Diffie-Hellman)
Diffie-Hellman (DH) key exchange is a method of securely exchanging cryptographic keys. In most SSL configurations, you will want to generate a strong Diffie-Hellman key group.
Run the following commands to generate a key in the / etc / ssl / cert directory on Ubuntu Linux.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Next, create an SSL configuration file in the / etc / apache2 / conf-available directory to use with Apache. Instead of copying the configuration and duplicating it for each VirtualHost, you can simply create a file in the conf-available directory and reference in VirtualHost settings.
Run the following commands to create the SSL configuration file called ssl-settings.conf.
sudo nano /etc/apache2/conf-available/ssl-settings.conf
Then copy and paste the content below into the file and save it.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 SSLHonorCipherOrder off SSLSessionTickets off SSLUseStapling On SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" Header always set Strict-Transport-Security "max-age=63072000"
The above snippet was generated from Mozilla’s recommendations. setting.
After saving the above file, run the following commands to enable the SSL and HTTP version 2 module for Apache.
sudo a2enmod ssl sudo a2enmod headers sudo a2enmod http2
Also enable the configuration files that we include in the conf-available directory.
sudo a2enconf well-known.conf sudo a2enconf ssl-settings.conf
Once complete, restart Apache by running the following commands.
sudo systemctl reload apache2
You are now ready to generate Let’s Encrypt SSL certificates. Run the following commands, replacing the example.com with your own domain to generate Let’s Encrypt SSL certificates.
sudo certbot certonly --agree-tos --email firstname.lastname@example.org --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
A successful certificate generation message will look similar to the following:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2021-09-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Now you can use the certificate and key in your Apache VirtualHost configurations.
How to automatically renew Let’s Encrypt certificates
Now that the certificate has been generated, you can configure a process to automatically renew the certificates. By default, it expires in 90 days. Setting up a process so you don’t have to remember to renew is the best option.
To do that, run the following commands to edit crontab in Ubuntu.
sudo crontab -e
Then add the line below and save …
0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log
Save and exit.
Now you can use the certificate and key files mentioned above in your Apache configurations to enable HTTPS.
In this tutorial we have seen how to use the free Let’s Encrypt SSL certificate to protect the Apache HTTP server. If you find any errors above or have something to add, use the comment form below to do so.