Here’s an assignment for students.
How do you secure an Apache2 web server with TLS/SSL certificates? This can be accomplished in many ways, and there are many certificate categories to choose from.
However, all TLS/SSL certificates have the same goal – to protect sensitive information communicated across the network.
This brief tutorial is going to show you the easiest way to accomplish this without costing you anything.
Using certificates from Let’s Encrypt, we’ll be able to protect an Apache2 web server with trusted certificates for free.
Step 1: Install Server dependencies
Before you can get Let’s Encrypt to work, you must install Ubuntu server dependencies.
To do that, run the commands below to update your server.
sudo apt-get update
Download and install git so that we can download the Let’s Encrypt packages:
sudo apt-get install git
Step 2: Download Let’s Encrypt Client
The next step is to download the Let’s Encrypt client from its repository. What we’d like to do is download the client into the /opt directory. This is the appropriate place to put it.
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Change into Let’s Encrypt’s directory and begin to set it up.
Step 3: Set up a new SSL Certificate for your sites
Step 3 is where you set up a new SSL certificate for your sites. To create a new certificate, use the example command shown below. This will secure example.com only.
./letsencrypt-auto --apache -d example.com
However, since most websites online today have both example.com and www.example.com set up, the correct process would be to create a certificate that covers both domains.
To do that, run the commands below.
./letsencrypt-auto --apache -d example.com -d www.example.com
If you run into trouble where Let’s Encrypt is unable to verify your www.example.com domain, open your Apache2 config file and add an alias for www.example.com:
sudo nano /etc/apache2/sites-enabled/000-default.conf
Add the highlighted line below. Also, make sure a CNAME is defined in your host’s DNS entries.
Save your changes and try again. Hopefully, this time it was successful.
When prompted to select the type of installation, choose the secure installation. Selecting this will make sure the www and non-www versions of your site are redirected to one domain.
If everything was successful, your site will then have a valid SSL certificate. This certificate will need to be renewed every 3 months. Don’t worry, the process is as simple as installing it.
To trigger the renewal process, change into Let’s Encrypt directory and run the commands below.
Of course, you’ll want a better way to renew your certificate so you don’t have to do it manually every 3 months. To set up a process so that it’s automatically renewed, create a cron job.
sudo crontab -e
Select an editor. To change later, run ‘select-editor’.
2. /bin/nano <—- easiest
Choose 1-3 :
Choose option 2 and add the line below:
00 0 * * 0 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
Save your changes and you’re set.
Every Sunday at midnight, the job will try to renew your certificate.
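Because the cron job only appends to a log file, a failed renewal can go unnoticed until the certificate expires. The following is an added example, not part of the original tutorial: a Python check that flags a certificate nearing expiry or one that does not cover both example.com and www.example.com. The function names, the 30-day warning threshold and the sample certificate data are assumptions made for this illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_peercert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents (validated against system CAs)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_left(cert, now):
    """Whole days between `now` (aware UTC datetime) and the cert's notAfter."""
    ts = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(ts, tz=timezone.utc) - now).days


def missing_names(cert, wanted):
    """Names in `wanted` with no exact DNS entry in subjectAltName (wildcards not expanded)."""
    covered = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return sorted(n for n in wanted if n.lower() not in covered)


def audit(cert, wanted, now, warn_days=30):
    """Return a list of problems; an empty list means the certificate is healthy."""
    problems = []
    left = days_left(cert, now)
    if left < 0:
        problems.append("expired")
    elif left < warn_days:  # assumed threshold: the weekly renew job should have acted by now
        problems.append(f"renewal overdue: {left} days left")
    problems += [f"name not covered: {n}" for n in missing_names(cert, wanted)]
    return problems


# Constructed sample in the shape getpeercert() returns: issued for example.com only,
# and close to expiry, as if the cron job had been failing silently.
SAMPLE = {
    "notAfter": "Jun 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"),),
}

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date so the output is reproducible
    # For a live check: audit(fetch_peercert("example.com"), [...], datetime.now(timezone.utc))
    for problem in audit(SAMPLE, ["example.com", "www.example.com"], now):
        print(problem)
```

When used against a live site, fetch_peercert raises ssl.SSLCertVerificationError if the certificate is already expired or untrusted, which should itself be treated as an alert.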
That’s it! Enjoy!